Ubuntu 14.04: USN-2232-2 Moderate: OpenSSL Denial Of Service
Jun 12, 2014
•
LinuxSecurity Advisories
1 - 2 min read
Topics Covered
USN-2232-1 introduced a regression in OpenSSL.
=========================================================================Ubuntu Security Notice USN-2232-2 June 12, 2014 openssl regression ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 14.04 LTS - Ubuntu 13.10 - Ubuntu 12.04 LTS Summary: USN-2232-1 introduced a regression in OpenSSL. Software Description: - openssl: Secure Socket Layer (SSL) cryptographic library and tools Details: USN-2232-1 fixed vulnerabilities in OpenSSL. The upstream fix for CVE-2014-0224 caused a regression for certain applications that use tls_session_secret_cb, such as wpa_supplicant. This update fixes the problem. Original advisory details: Jüri Aedla discovered that OpenSSL incorrectly handled invalid DTLS fragments. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS, Ubuntu 13.10, and Ubuntu 14.04 LTS. (CVE-2014-0195) Imre Rad discovered that OpenSSL incorrectly handled DTLS recursions. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2014-0221) KIKUCHI Masashi discovered that OpenSSL incorrectly handled certain handshakes. A remote attacker could use this flaw to perform a man-in-the-middle attack and possibly decrypt and modify traffic. (CVE-2014-0224) Felix Gröbert and Ivan Fratrić discovered that OpenSSL incorrectly handled anonymous ECDH ciphersuites. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS, Ubuntu 13.10, and Ubuntu 14.04 LTS. (CVE-2014-3470) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 14.04 LTS: libssl1.0.0 1.0.1f-1ubuntu2.3 Ubuntu 13.10: libssl1.0.0 1.0.1e-3ubuntu1.5 Ubuntu 12.04 LTS: libssl1.0.0 1.0.1-4ubuntu5.15 After a standard system update you need to reboot your computer to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-2232-2 https://ubuntu.com/security/notices/USN-2232-1 https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1329297 Package Information: https://launchpad.net/ubuntu/+source/openssl/1.0.1f-1ubuntu2.3 https://launchpad.net/ubuntu/+source/openssl/1.0.1e-3ubuntu1.5 https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.15
PREVIOUS
NEXT
Ubuntu 14.04: USN-2232-2 Moderate: OpenSSL Denial Of Service
ubuntu
June 12, 2014
USN-2232-1 introduced a regression in OpenSSL.
Summary
Topics Covered
Update Instructions
The problem can be corrected by updating your system to the following package versions: Ubuntu 14.04 LTS: libssl1.0.0 1.0.1f-1ubuntu2.3 Ubuntu 13.10: libssl1.0.0 1.0.1e-3ubuntu1.5 Ubuntu 12.04 LTS: libssl1.0.0 1.0.1-4ubuntu5.15 After a standard system update you need to reboot your computer to make all the necessary changes.
References
https://ubuntu.com/security/notices/USN-2232-2
https://ubuntu.com/security/notices/USN-2232-1
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1329297
June 12, 2014
Topics Covered
Package Information
https://launchpad.net/ubuntu/+source/openssl/1.0.1f-1ubuntu2.3 https://launchpad.net/ubuntu/+source/openssl/1.0.1e-3ubuntu1.5 https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.15
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!