RUSTSEC-2020-0015: openssl-src: Crash causing Denial of Service attack

Description

Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the “signature_algorithms_cert” TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack.

More Info

https://www.openssl.org/news/secadv/20200421.txt

Patched Versions

Unaffected Versions