Launchpad CVE tracker

CVE 2014-3616

nginx 0.5.6 through 1.7.4, when using the same shared ssl_session_cache or ssl_session_ticket_key for multiple servers, can reuse a cached SSL session for an unrelated context, which allows remote attackers with certain privileges to conduct "virtual host confusion" attacks.

Related bugs and status

CVE-2014-3616 (Candidate) is related to these bugs:

Bug #1370478: [CVE-2014-3616] "possible to reuse cached SSL sessions in unrelated contexts"

		In	Importance	Status
1370478	[CVE-2014-3616] "possible to reuse cached SSL sessions in unrelated contexts"	nginx (Ubuntu)	Undecided	Fix Released
1370478	[CVE-2014-3616] "possible to reuse cached SSL sessions in unrelated contexts"	nginx (Debian)	Unknown	Fix Released
1370478	[CVE-2014-3616] "possible to reuse cached SSL sessions in unrelated contexts"	nginx (Ubuntu Lucid)	Undecided	Won't Fix
1370478	[CVE-2014-3616] "possible to reuse cached SSL sessions in unrelated contexts"	nginx (Ubuntu Precise)	Undecided	Fix Released
1370478	[CVE-2014-3616] "possible to reuse cached SSL sessions in unrelated contexts"	nginx (Ubuntu Trusty)	Undecided	Fix Released
1370478	[CVE-2014-3616] "possible to reuse cached SSL sessions in unrelated contexts"	nginx (Ubuntu Utopic)	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

References

MISC: http://www.debian.org/...
MISC: http://mailman.nginx.o...

Launchpad.net

CVE 2014-3616

Related bugs and status

Related bugs

References