CVE-2021-3449 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	High
Remote	Yes
Type	Denial of service
Description	An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-1736	openssl	1.1.1.j-1	1.1.1.k-1	High	Fixed

Date	Advisory	Group	Package	Severity	Type
25 Mar 2021	ASA-202103-10	AVG-1736	openssl	High	multiple issues

References
https://www.openssl.org/news/secadv/20210325.txt https://git.openssl.org/?p=openssl.git;a=commitdiff;h=fb9fa6b51defd48157eeb207f52181f735d96148