
Ubuntu 24.10: USN-7264-1 critical: OpenSSL timing attack fix

February 11, 2025
Ubuntu Security Notice USN-7264-1 fixes OpenSSL issues that could allow timing attacks and denial of service.

Summary

Several security issues were fixed in OpenSSL.

Software Description:

- openssl: Secure Socket Layer (SSL) cryptographic library and tools

Details:

It was discovered that OpenSSL clients incorrectly handled authenticating
servers using RFC7250 Raw Public Keys. In certain cases, the connection
will not abort as expected, possibly causing the communication to be
intercepted. (CVE-2024-12797)

George Pantelakis and Alicja Kario discovered that OpenSSL had a timing
side-channel when performing ECDSA signature computations. A remote
attacker could possibly use this issue to recover private data.
(CVE-2024-13176)

It was discovered that OpenSSL incorrectly handled certain memory
operations when using low-level GF(2^m) elliptic curve APIs with untrusted
explicit values for the field polynomial. When being used in this uncommon
fashion, a remote attacker could use this issue to cause OpenSSL to crash,
resulting in a denial of service, or possibly execute arbitrary c...


Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
   libssl3t64                      3.3.1-2ubuntu2.1
   openssl                         3.3.1-2ubuntu2.1

After a standard system update you need to reboot your computer to make all
the necessary changes.
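
One way to confirm the fix on a host, as an added example that is not part of the advisory: it compares the installed package versions with the fixed version listed above and flags processes that still map the pre-update OpenSSL libraries, which is why a reboot or service restart is needed. The script name, the function names and the `sort -V` fallback are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the advisory): audit a host for the USN-7264-1 fix.
# Usage (script name is hypothetical): sh usn7264_check.sh check
FIXED="3.3.1-2ubuntu2.1"       # fixed version, from the advisory
PACKAGES="libssl3t64 openssl"  # packages listed in the advisory

# version_ge A B: succeed when Debian version A >= B.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        # Assumption: without dpkg, GNU sort -V is a close-enough ordering
        # for these version strings (no epochs involved).
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# maps_is_stale: reads /proc/<pid>/maps text on stdin; succeeds when a
# libssl/libcrypto file that was replaced on disk is still mapped.
maps_is_stale() {
    grep -Eq 'lib(ssl|crypto)\.so[^ ]* \(deleted\)$'
}

check_host() {
    rc=0
    for pkg in $PACKAGES; do
        inst=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null) || inst=""
        if [ -z "$inst" ]; then
            echo "$pkg: not installed"
        elif version_ge "$inst" "$FIXED"; then
            echo "$pkg $inst: fixed"
        else
            echo "$pkg $inst: needs update to $FIXED"; rc=1
        fi
    done
    # Processes started before the update keep the old library mapped.
    for maps in /proc/[0-9]*/maps; do
        if [ -r "$maps" ] && maps_is_stale 2>/dev/null < "$maps"; then
            pid=${maps#/proc/}; pid=${pid%/maps}
            echo "pid $pid still maps the pre-update OpenSSL; restart it or reboot"
            rc=1
        fi
    done
    return $rc
}

if [ "${1:-}" = "check" ]; then check_host; fi
```

Run it as root so that every process's maps file is readable; a non-zero exit status means a package is below the fixed version or a process still needs restarting.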

References

https://ubuntu.com/security/notices/USN-7264-1

CVE-2024-12797, CVE-2024-13176, CVE-2024-9143

Severity
critical
