Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 564
Alerts This Week
Warning Icon 1 564

Ubuntu 14.04 LTS USN-2385-1: OpenSSL DoS Issues And Fixes

ubuntu
Calendar Grey October 16, 2014
Scroller Ubuntu
Ubuntu Security Notice USN-2451-1 highlights vulnerabilities in OpenSSL that affect multiple LTS releases, providing essential patches.
Several security issues were fixed in OpenSSL.

Summary

Several security issues were fixed in OpenSSL.

Software Description:

- openssl: Secure Socket Layer (SSL) cryptographic library and tools

Details:

It was discovered that OpenSSL incorrectly handled memory when parsing

DTLS SRTP extension data. A remote attacker could possibly use this issue

to cause OpenSSL to consume resources, resulting in a denial of service.

This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.

(CVE-2014-3513)

It was discovered that OpenSSL incorrectly handled memory when verifying

the integrity of a session ticket. A remote attacker could possibly use

this issue to cause OpenSSL to consume resources, resulting in a denial of

service. (CVE-2014-3567)

In addition, this update introduces support for the TLS Fallback Signaling

Cipher Suite Value (TLS_FALLBACK_SCSV). This new feature prevents protocol

downgrade attacks when certain applications such as web browsers attempt

to reconnect using a lower protocol version for interope...

Read the Full Advisory

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
  libssl1.0.0                     1.0.1f-1ubuntu2.7

Ubuntu 12.04 LTS:
  libssl1.0.0                     1.0.1-4ubuntu5.20

Ubuntu 10.04 LTS:
  libssl0.9.8                     0.9.8k-7ubuntu8.22

After a standard system update you need to reboot your computer to make all
the necessary changes.

References

https://ubuntu.com/security/notices/USN-2385-1

CVE-2014-3513, CVE-2014-3567

Severity
critical
Lowest
Low
Medium
High
Critical

October 16, 2014

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.