CVE-2013-6450 (Potential denial of service (daemon crash) via crafted traffic from a TLS 1.2 client.)

  • Posted January 30, 2014

  • Assessed Risk Level: Medium

The DTLS retransmission implementation in OpenSSL through 0.9.8y and 1.x through 1.0.1e does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c. This has been fixed in PE 3.1.2 by updating OpenSSL to 1.0.0l.


  • Affected Versions: Puppet Enterprise 3.x
  • Resolved in Puppet Enterprise 3.1.2
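
A version-range check built from the affected ranges stated above, as an added example (not Puppet's or OpenSSL's code). It assumes the pre-3.0 OpenSSL letter-suffix version scheme; the function names and sample version strings are constructed for illustration, and treating 1.0.0k as the last affected 1.0.0 release is inferred from the fix landing in 1.0.0l.

```python
import re

# Pre-3.0 OpenSSL versions look like "1.0.1e": three numbers plus an optional
# letter suffix for patch releases ("", "a".."z", then "za", "zb", ...).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

# Last affected release per branch, from the advisory text:
# "through 0.9.8y" and "1.x through 1.0.1e". The 1.0.0 entry is an inference:
# the fix shipped in 1.0.0l, so 1.0.0k is the last affected release there.
LAST_AFFECTED = {(0, 9, 8): "y", (1, 0, 0): "k", (1, 0, 1): "e"}


def parse_openssl_version(text):
    """Extract ((major, minor, fix), letters) from `openssl version` style text."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, fix, letters = match.groups()
    return (int(major), int(minor), int(fix)), letters


def _letter_rank(letters):
    # "" < "a" < ... < "z" < "za" < "zb": shorter suffixes sort first,
    # equal-length suffixes sort alphabetically.
    return (len(letters), letters)


def is_affected(version_text):
    """True if the version falls in the ranges the advisory lists as affected."""
    branch, letters = parse_openssl_version(version_text)
    if branch in LAST_AFFECTED:
        return _letter_rank(letters) <= _letter_rank(LAST_AFFECTED[branch])
    # Branches older than 0.9.8 fall under "through 0.9.8y"; branches newer
    # than 1.0.1 are not listed as affected.
    return branch < (0, 9, 8)


if __name__ == "__main__":
    # Constructed sample strings in the format printed by `openssl version`.
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.0l 6 Jan 2014",
                   "OpenSSL 0.9.8y 5 Feb 2013"):
        print(sample, "->", "affected" if is_affected(sample) else "not affected")
```

Distribution packages often backport fixes without changing the upstream version string, so a positive result is a prompt to check the package changelog, not proof of exposure.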