CVE-2013-4353 — openssl - programming error

Description

The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 before 1.0.1f allows remote TLS servers to cause a denial of service (NULL pointer dereference and application crash) via a crafted Next Protocol Negotiation record in a TLS handshake.

How to fix CVE-2013-4353

To remediate CVE-2013-4353, upgrade the affected package to a fixed version below.

Debian/openssl—upgrade to 1.0.1f-1 or later
Debian/openssl—upgrade to 1.0.1e-2+deb7u3 or later

Is CVE-2013-4353 being exploited?

Moderate — EPSS is 22.5%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (2)

from 0, < 1.0.1f-1
from 0, < 1.0.1e-2+deb7u3

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2013-4353