Ubuntu 1732-1: OpenSSL vulnerabilities

    Date: 21 Feb 2013
    Posted By: LinuxSecurity Advisories
    Several security issues were fixed in OpenSSL.
    Ubuntu Security Notice USN-1732-1
    February 21, 2013
    openssl vulnerabilities
    A security issue affects these releases of Ubuntu and its derivatives:
    - Ubuntu 12.10
    - Ubuntu 12.04 LTS
    - Ubuntu 11.10
    - Ubuntu 10.04 LTS
    - Ubuntu 8.04 LTS
    Several security issues were fixed in OpenSSL.
    Software Description:
    - openssl: Secure Socket Layer (SSL) cryptographic library and tools
    Adam Langley and Wolfgang Ettlinger discovered that OpenSSL incorrectly
    handled certain crafted CBC data when used with AES-NI. A remote attacker
    could use this issue to cause OpenSSL to crash, resulting in a denial of
    service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 12.10.
    Stephen Henson discovered that OpenSSL incorrectly performed signature
    verification for OCSP responses. A remote attacker could use this issue to
    cause OpenSSL to crash, resulting in a denial of service. (CVE-2013-0166)
    Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used
    in OpenSSL was vulnerable to a timing side-channel attack known as the
    "Lucky Thirteen" issue. A remote attacker could use this issue to perform
    plaintext-recovery attacks via analysis of timing data. (CVE-2013-0169)
    Update instructions:
    The problem can be corrected by updating your system to the following
    package versions:
    Ubuntu 12.10:
      libssl1.0.0                     1.0.1c-3ubuntu2.1
    Ubuntu 12.04 LTS:
      libssl1.0.0                     1.0.1-4ubuntu5.6
    Ubuntu 11.10:
      libssl1.0.0                     1.0.0e-2ubuntu4.7
    Ubuntu 10.04 LTS:
      libssl0.9.8                     0.9.8k-7ubuntu8.14
    Ubuntu 8.04 LTS:
      libssl0.9.8                     0.9.8g-4ubuntu3.20
    After a standard system update you need to reboot your computer to make
    all the necessary changes.
    References:
      CVE-2012-2686, CVE-2013-0166, CVE-2013-0169
    Package Information: