[USN-4504-1] OpenSSL vulnerabilities

Marc Deslauriers marc.deslauriers at canonical.com
Wed Sep 16 15:04:43 UTC 2020


==========================================================================
Ubuntu Security Notice USN-4504-1
September 16, 2020

openssl, openssl1.0 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in OpenSSL.

Software Description:
- openssl1.0: Secure Socket Layer (SSL) cryptographic library and tools
- openssl: Secure Socket Layer (SSL) cryptographic library and tools

Details:

Robert Merget, Marcus Brinkmann, Nimrod Aviram, and Juraj Somorovsky
discovered that certain Diffie-Hellman ciphersuites defined in the TLS
specification and implemented by OpenSSL contained a flaw. A remote
attacker could possibly use this issue to eavesdrop on encrypted
communications. This update fixes the issue by removing the insecure
ciphersuites from OpenSSL. (CVE-2020-1968)

Cesar Pereida García, Sohaib ul Hassan, Nicola Tuveri, Iaroslav Gridin,
Alejandro Cabrera Aldaya, and Billy Brumley discovered that OpenSSL
incorrectly handled ECDSA signatures. An attacker could possibly use this
issue to perform a timing side-channel attack and recover private ECDSA
keys. This issue only affected Ubuntu 18.04 LTS. (CVE-2019-1547)

Guido Vranken discovered that OpenSSL incorrectly performed the x86_64
Montgomery squaring procedure. While unlikely, a remote attacker could
possibly use this issue to recover private keys. This issue only affected
Ubuntu 18.04 LTS. (CVE-2019-1551)

Bernd Edlinger discovered that OpenSSL incorrectly handled certain
decryption functions. In certain scenarios, a remote attacker could
possibly use this issue to perform a padding oracle attack and decrypt
traffic. This issue only affected Ubuntu 18.04 LTS. (CVE-2019-1563)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
  libssl1.0.0                     1.0.2n-1ubuntu5.4

Ubuntu 16.04 LTS:
  libssl1.0.0                     1.0.2g-1ubuntu4.17

After a standard system update you need to reboot your computer to make
all the necessary changes.
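The notice gives one fixed version per release, so the practical check is whether the installed libssl1.0.0 is at least that version. The script below is an added example, not part of the notice or of Ubuntu's tooling: it implements the Debian version ordering that dpkg --compare-versions uses (epoch, then upstream version, then revision, with the tilde sorting before everything) so the comparison can run anywhere, and reads the fixed versions from this notice. The release codenames bionic (18.04 LTS) and xenial (16.04 LTS) and the sample dpkg-query output are assumptions made here for illustration.

```python
import re
import subprocess

# Fixed package versions listed in USN-4504-1 (taken from the notice text).
# Codename mapping is an assumption: bionic = 18.04 LTS, xenial = 16.04 LTS.
FIXED_VERSIONS = {
    "bionic": {"libssl1.0.0": "1.0.2n-1ubuntu5.4"},
    "xenial": {"libssl1.0.0": "1.0.2g-1ubuntu4.17"},
}


def _char_weight(c):
    """Sort weight of one non-digit character, following Debian policy:
    '~' sorts before everything (even end of string, weight 0), and
    letters sort before all other characters."""
    if c == "":
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    # Compare two runs of non-digit characters position by position.
    for i in range(max(len(a), len(b))):
        wa = _char_weight(a[i] if i < len(a) else "")
        wb = _char_weight(b[i] if i < len(b) else "")
        if wa != wb:
            return -1 if wa < wb else 1
    return 0


def _cmp_part(a, b):
    """Compare an upstream_version or debian_revision string by alternating
    non-digit runs (lexical, weighted as above) and digit runs (numeric)."""
    while a or b:
        na = re.match(r"[^0-9]*", a).group(0)
        nb = re.match(r"[^0-9]*", b).group(0)
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da = re.match(r"[0-9]*", a).group(0)
        db = re.match(r"[0-9]*", b).group(0)
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def _split_version(v):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 like dpkg --compare-versions (a lt / eq / gt b)."""
    ea, ua, ra = _split_version(a)
    eb, ub, rb = _split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)


def audit(dpkg_output, release):
    """Parse 'package version' lines (the output format of
    dpkg-query -W -f '${Package} ${Version}\\n') and report, for each package
    named in the notice, whether the installed version is at least the fixed one."""
    fixed = FIXED_VERSIONS[release]
    report = []
    for line in dpkg_output.splitlines():
        pkg, _, ver = line.strip().partition(" ")
        if pkg in fixed:
            report.append((pkg, ver, fixed[pkg], compare_versions(ver, fixed[pkg]) >= 0))
    return report


# Constructed sample output for an unpatched 18.04 host (not real dpkg data).
SAMPLE_BIONIC = "libssl1.0.0 1.0.2n-1ubuntu5.3\nlibssl1.1 1.1.1-1ubuntu2.1~18.04.6\n"


if __name__ == "__main__":
    # Live check on a real host (needs dpkg); falls back to the constructed sample.
    try:
        out = subprocess.run(
            ["dpkg-query", "-W", "-f", "${Package} ${Version}\n", "libssl1.0.0"],
            capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_BIONIC
    for pkg, installed, fixed, ok in audit(out, "bionic"):
        print(f"{pkg}: installed {installed}, fixed {fixed}: {'OK' if ok else 'VULNERABLE'}")
```

The tilde case matters for hosts that pull builds from a PPA: 1.0.2n-1ubuntu5.4~ppa1 sorts below 1.0.2n-1ubuntu5.4 and is correctly reported as not yet fixed, which a plain string comparison would get wrong.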

References:
  https://usn.ubuntu.com/4504-1
  CVE-2019-1547, CVE-2019-1551, CVE-2019-1563, CVE-2020-1968

Package Information:
  https://launchpad.net/ubuntu/+source/openssl1.0/1.0.2n-1ubuntu5.4
  https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu4.17
