Launchpad.net

CVE 2010-4180

OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.

Related bugs and status

CVE-2010-4180 (Candidate) is related to these bugs:

Bug #675566: Merge 1.0.0d-2 from debian/unstable

Summary				In	Importance	Status
	675566	Merge 1.0.0d-2 from debian/unstable		openssl (Ubuntu)	Wishlist	Fix Released
	675566	Merge 1.0.0d-2 from debian/unstable		openssl (Debian)	Unknown	Fix Released

Bug #693902: Merge openssl 0.9.8o-4 (main) from Debian unstable (main)

Summary				In	Importance	Status
	693902	Merge openssl 0.9.8o-4 (main) from Debian unstable (main)		openssl (Ubuntu)	Medium	Fix Released
	693902	Merge openssl 0.9.8o-4 (main) from Debian unstable (main)		openssl (Ubuntu Natty)	Medium	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2010-4180

Related bugs and status

Related bugs

References