PT-2010-5627 · Openssl+2 · Openssl+6

Published

1970-01-01

·

Updated

2024-06-15

·

CVE-2010-3864

CVSS v2.0

10

High

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

OpenSSL versions 0.9.8f through 0.9.8o
OpenSSL versions 1.0.0 and 1.0.0a
libssl-dev (affected versions not specified)
libssl0.9.8-dbg (affected versions not specified)
libssl0.9.8 (affected versions not specified)
libcrypto0.9.8-udeb (affected versions not specified)
openssl (Gentoo Linux; affected versions prior to 1.0.0e)
Description

The issue covers multiple race conditions in ssl/t1_lib.c that are reachable on a TLS server only when the server is multi-threaded and uses OpenSSL's internal session caching. Client-supplied data in TLS extensions, specifically the server name (SNI) extension and the elliptic curve cryptography extension data, can trigger a heap-based buffer overflow, which might allow a remote, unauthenticated attacker to execute arbitrary code in the server process. Because the attack is reached through the TLS handshake, no credentials are required, and the impact covers confidentiality, integrity and availability of the protected data (CVSS v2 10.0). Servers that are single-threaded or multi-process, or that have OpenSSL's internal session cache disabled, are not affected.
Recommendations

For OpenSSL versions 0.9.8f through 0.9.8o, update to 0.9.8p or later (the upstream fix release). For OpenSSL versions 1.0.0 and 1.0.0a, update to 1.0.0b or later. For libssl-dev, libssl0.9.8-dbg, libssl0.9.8, and libcrypto0.9.8-udeb, there is no information about a newer version that contains a fix for this vulnerability; consult the distribution advisories listed under Related Identifiers. For openssl (Gentoo Linux), update to version 1.0.0e or later. Where an immediate upgrade is not possible, the exposure can be removed by running the TLS server in a multi-process rather than multi-threaded configuration, or by disabling OpenSSL's internal session cache, since the race is only reachable when both are in use.
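A version check against the affected ranges above, added here as an example (it is not part of this advisory and not OpenSSL's own tooling): it parses the output of `openssl version` as printed by the OpenSSL CLI and reports whether a build falls inside the ranges for CVE-2010-3864 and which upstream release fixed it. The host names and version strings in the sample inventory are constructed for the example.

```python
import re

# Affected ranges as listed on this page; the fix releases are the ones named
# in the upstream OpenSSL advisory of 16 Nov 2010 (0.9.8p and 1.0.0b).
# Patch letters are mapped to integers: "" -> 0, "a" -> 1, ..., "o" -> 15.
AFFECTED_RANGES = (
    # (branch, first affected patch level, last affected patch level, fixed in)
    ((0, 9, 8), 6, 15, "0.9.8p"),   # 0.9.8f .. 0.9.8o
    ((1, 0, 0), 0, 1, "1.0.0b"),    # 1.0.0 and 1.0.0a
)

# Matches "0.9.8o", "1.0.0a-fips", "1.0.1e" inside a line such as
# "OpenSSL 0.9.8o 01 Jun 2010"; the date that follows is not a version.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)")


def _patch_level(letters):
    """Map an OpenSSL patch suffix to an integer ("" -> 0, "a" -> 1, "z" -> 26,
    "za" -> 27, ...). Multi-letter suffixes only appear in later branches."""
    return sum(ord(ch) - ord("a") + 1 for ch in letters)


def parse_openssl_version(text):
    """Return (major, minor, fix, patch_level) for the first OpenSSL-style
    version in `text`, or None if no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    return (major, minor, fix, _patch_level(m.group(4)))


def check_cve_2010_3864(text):
    """Return (affected, fixed_in). `fixed_in` is the upstream release that
    closes the hole, or None when the build is outside the affected ranges
    or the string could not be parsed."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        return (False, None)
    branch, patch = parsed[:3], parsed[3]
    for rng_branch, lo, hi, fixed_in in AFFECTED_RANGES:
        if branch == rng_branch and lo <= patch <= hi:
            return (True, fixed_in)
    return (False, None)


# Constructed sample inventory: host name -> captured `openssl version` output.
SAMPLE_HOSTS = {
    "web-01": "OpenSSL 0.9.8o 01 Jun 2010",
    "web-02": "OpenSSL 1.0.0a-fips 1 Jun 2010",
    "db-01": "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008",   # before 0.9.8f
    "lb-01": "OpenSSL 1.0.0b 16 Nov 2010",              # fix release
    "bastion": "OpenSSL 0.9.8zh 3 Dec 2015",            # well past 0.9.8o
}


def scan(hosts):
    """Run the check over an inventory of `openssl version` outputs."""
    return {host: check_cve_2010_3864(out) for host, out in hosts.items()}


if __name__ == "__main__":
    for host, (affected, fixed_in) in scan(SAMPLE_HOSTS).items():
        status = f"AFFECTED, upgrade to {fixed_in}" if affected else "not affected"
        print(f"{host:8} {SAMPLE_HOSTS[host]:40} {status}")
```

The version string alone is not conclusive on distributions that backport fixes: a Red Hat or SUSE package patched under the advisories listed below keeps the upstream version number, so on those systems confirm with the package changelog (for example `rpm -q --changelog openssl | grep CVE-2010-3864`) rather than with this check. A build reported as affected is only exploitable when the server is multi-threaded and uses OpenSSL's internal session cache, so the result should be read together with the server's threading and caching configuration.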

RCE

Race Condition


Weakness Enumeration

Related Identifiers

BDU:2015-01377
BDU:2015-01465
BDU:2015-01467
BDU:2015-01468
BDU:2015-09418
CVE-2010-3864
DSA-2125-1
HPSBUX02638
OPENSUSE-SU-2024:10271-1
OPENSUSE-SU-2024:10289-1
OPENSUSE-SU-2024:10529-1
OPENSUSE-SU-2024:11127-1
RHSA-2010:0888
RHSA-2010_0888
SUSE-FU-2022:0445-1
SUSE-SU-2015:1184-1
SUSE-SU-403

Affected Products

Hp-Ux
Openssl
Red Hat
Libcrypto0.9.8-Udeb
Libssl-Dev
Libssl0.9.8
Libssl0.9.8-Dbg