CVE-2013-6449 — openssl - several

Description

The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client.

How to fix CVE-2013-6449

To remediate CVE-2013-6449, upgrade the affected package to a fixed version below.

Debian/openssl—upgrade to 1.0.1e-5 or later
Debian/openssl—upgrade to 1.0.1e-2+deb7u1 or later

Is CVE-2013-6449 being exploited?

Moderate — EPSS is 47.0%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (2)

from 0, < 1.0.1e-5
from 0, < 1.0.1e-2+deb7u1

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2013-6449