CVE-2011-1473

Publication date 16 June 2012

Last updated 4 August 2025

Ubuntu priority

Low

Why this priority?

Description

OpenSSL before 0.9.8l, and 0.9.8m through 1.x, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability than CVE-2011-5094. NOTE: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment

Read the notes from the security team

Status

Package Ubuntu Release Status
openssl 12.10 quantal Ignored
12.04 LTS precise Ignored
11.10 oneiric Ignored
11.04 natty Ignored end of life
10.10 maverick Ignored end of life
10.04 LTS lucid Ignored
8.04 LTS hardy Ignored
openssl098 12.10 quantal Ignored
12.04 LTS precise Ignored
11.10 oneiric Ignored
11.04 natty Not in release
10.10 maverick Not in release
10.04 LTS lucid Not in release
8.04 LTS hardy Not in release

Notes

jdstrand

Protocol issue. Nothing to be done at this time. Marking low because while renegotiation makes the DoS faster, standard DoS methods still apply for SSL servers that need to setup the SSL connection. per Redhat, should not affect httpd/mod_ssl

mdeslaur

this CVE is specific to openssl, nss is in CVE-2011-5094 we're not going to fix this, since it's disputed

References

Other references