[USN-7264-1] OpenSSL vulnerabilities

Marc Deslauriers marc.deslauriers at canonical.com
Tue Feb 11 21:01:52 UTC 2025 

==========================================================================
Ubuntu Security Notice USN-7264-1
February 11, 2025

openssl vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10

Summary:

Several security issues were fixed in OpenSSL.

Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools

Details:

It was discovered that OpenSSL clients incorrectly handled authenticating
servers using RFC7250 Raw Public Keys. In certain cases, the connection
will not abort as expected, possibly causing the communication to be
intercepted. (CVE-2024-12797)

George Pantelakis and Alicja Kario discovered that OpenSSL had a timing
side-channel when performing ECDSA signature computations. A remote
attacker could possibly use this issue to recover private data.
(CVE-2024-13176)

It was discovered that OpenSSL incorrectly handled certain memory
operations when using low-level GF(2^m) elliptic curve APIs with untrusted
explicit values for the field polynomial. When being used in this uncommon
fashion, a remote attacker could use this issue to cause OpenSSL to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2024-9143)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
   libssl3t64                      3.3.1-2ubuntu2.1
   openssl                         3.3.1-2ubuntu2.1

After a standard system update you need to reboot your computer to make all
the necessary changes.

References:
   https://ubuntu.com/security/notices/USN-7264-1
   CVE-2024-12797, CVE-2024-13176, CVE-2024-9143

Package Information:
   https://launchpad.net/ubuntu/+source/openssl/3.3.1-2ubuntu2.1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20250211/72719f0c/attachment.sig>

More information about the ubuntu-security-announce mailing list