[USN-4376-2] OpenSSL vulnerabilities

Leonidas S. Barbosa leo.barbosa at canonical.com
Thu Jul 9 17:54:01 UTC 2020 

==========================================================================
Ubuntu Security Notice USN-4376-2
July 09, 2020

openssl vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 ESM
- Ubuntu 12.04 ESM

Summary:

Several security issues were fixed in OpenSSL.

Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools

Details:

USN-4376-1 fixed several vulnerabilities in OpenSSL. This update provides
the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.

Original advisory details:

 Cesar Pereida GarcĂ­a, Sohaib ul Hassan, Nicola Tuveri, Iaroslav Gridin,
 Alejandro Cabrera Aldaya, and Billy Brumley discovered that OpenSSL
 incorrectly handled ECDSA signatures. An attacker could possibly use this
 issue to perform a timing side-channel attack and recover private ECDSA
 keys. (CVE-2019-1547)

 Juraj Somorovsky, Robert Merget, and Nimrod Aviram discovered that certain
 applications incorrectly used OpenSSL and could be exposed to a padding
 oracle attack. A remote attacker could possibly use this issue to decrypt
 data. (CVE-2019-1559)

 Bernd Edlinger discovered that OpenSSL incorrectly handled certain
 decryption functions. In certain scenarios, a remote attacker could
 possibly use this issue to perform a padding oracle attack and decrypt
 traffic. (CVE-2019-1563)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 ESM:
  libssl1.0.0                     1.0.1f-1ubuntu2.27+esm1

Ubuntu 12.04 ESM:
  libssl1.0.0                     1.0.1-4ubuntu5.44

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
  https://usn.ubuntu.com/4376-2
  https://usn.ubuntu.com/4376-1
  CVE-2019-1547, CVE-2019-1559, CVE-2019-1563
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20200709/780d0e9d/attachment.sig>

More information about the ubuntu-security-announce mailing list