[USN-2232-4] OpenSSL regression
marc.deslauriers at canonical.com
Mon Aug 18 18:38:03 UTC 2014
Ubuntu Security Notice USN-2232-4
August 18, 2014
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 10.04 LTS
Summary:
USN-2232-1 introduced a regression in OpenSSL.
Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools
Details:
USN-2232-1 fixed vulnerabilities in OpenSSL. One of the patch backports for
Ubuntu 10.04 LTS caused a regression for certain applications. This update
fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Jüri Aedla discovered that OpenSSL incorrectly handled invalid DTLS
fragments. A remote attacker could use this issue to cause OpenSSL to
crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue only affected Ubuntu 12.04 LTS, Ubuntu 13.10, and
Ubuntu 14.04 LTS. (CVE-2014-0195)
Imre Rad discovered that OpenSSL incorrectly handled DTLS recursions. A
remote attacker could use this issue to cause OpenSSL to crash, resulting
in a denial of service. (CVE-2014-0221)
KIKUCHI Masashi discovered that OpenSSL incorrectly handled certain
handshakes. A remote attacker could use this flaw to perform a
man-in-the-middle attack and possibly decrypt and modify traffic.
Felix Gröbert and Ivan Fratrić discovered that OpenSSL incorrectly handled
anonymous ECDH ciphersuites. A remote attacker could use this issue to
cause OpenSSL to crash, resulting in a denial of service. This issue only
affected Ubuntu 12.04 LTS, Ubuntu 13.10, and Ubuntu 14.04 LTS.
The problem can be corrected by updating your system to the following
Ubuntu 10.04 LTS:
After a standard system update you need to reboot your computer to make all
the necessary changes.
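The reboot requirement above exists because a process that loaded libssl or libcrypto before the package was replaced keeps running the old, still-vulnerable code until it is restarted. The following POSIX shell script is an added example, not part of the Ubuntu notice or of the openssl package: it reports processes whose mapped OpenSSL libraries have been replaced on disk, which the kernel flags by appending "(deleted)" to the entry in /proc/<pid>/maps. The /lib/libssl.so.0.9.8 and /lib/libcrypto.so.0.9.8 paths and the embedded maps excerpt are constructed sample data modelled on the Ubuntu 10.04 libssl0.9.8 layout, not output captured from a real system.

```shell
#!/bin/sh
# Added example (not from the Ubuntu notice): show why the update needs a
# reboot. A process that loaded libssl/libcrypto before the package was
# replaced keeps executing the old, still-vulnerable code; the kernel marks
# such mappings "(deleted)" in /proc/<pid>/maps.

# Read one /proc/<pid>/maps file on stdin and print each distinct libssl or
# libcrypto path whose on-disk file has been replaced since it was mapped.
stale_ssl_maps() {
    # Field 6 of a maps line is the path; "(deleted)" follows it as field 7.
    grep -E 'lib(ssl|crypto)\.so[^ ]* \(deleted\)$' |
        awk '{ print $6 }' | sort -u
}

# Walk every live process and report "<pid><TAB><path>" for each stale mapping.
# Run as root to see other users' processes (maps files are owner-readable).
list_stale_processes() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}
        pid=${pid%/maps}
        stale_ssl_maps < "$maps" | while IFS= read -r path; do
            printf '%s\t%s\n' "$pid" "$path"
        done
    done
}

# Constructed sample (an assumption): a maps excerpt as a long-running daemon
# on Ubuntu 10.04 (libssl0.9.8) might look after the libssl package was
# upgraded underneath it. Addresses, inodes and paths are made up.
sample_maps() {
cat <<'EOF'
7f3a1c000000-7f3a1c1b5000 r-xp 00000000 08:01 131181 /lib/libc-2.11.1.so
7f3a1c400000-7f3a1c45c000 r-xp 00000000 08:01 131200 /lib/libssl.so.0.9.8 (deleted)
7f3a1c45c000-7f3a1c65c000 ---p 0005c000 08:01 131200 /lib/libssl.so.0.9.8 (deleted)
7f3a1c700000-7f3a1c8a0000 r-xp 00000000 08:01 131190 /lib/libcrypto.so.0.9.8 (deleted)
7f3a1cb00000-7f3a1cb20000 r-xp 00000000 08:01 131300 /lib/libz.so.1.2.3.3
EOF
}

# With --live, scan this machine; otherwise demonstrate on the sample above.
if [ "${1:-}" = "--live" ]; then
    list_stale_processes
else
    echo "stale OpenSSL mappings in the constructed sample:"
    sample_maps | stale_ssl_maps
fi
```

Run it as root with `--live` on a host right after the update: every line it prints is a process still using the pre-update library, so the update has not taken effect for that service until it is restarted. A reboot is the simple way to cover all of them at once; the checkrestart tool from the debian-goodies package performs a more thorough version of the same check.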