Openssl vs ssl3 attack

C de-Avillez hggdh2 at ubuntu.com
Thu Oct 16 21:12:35 UTC 2014


On 16/10/14 16:02, Gene Heskett wrote:
> Greetings;
> 
> I just ran my daily session of update-manager and updated the openssl and 
> its libraries.
> 
> No mention of the attack fix in the ChangeLog that I saw.  So is this 
> intended to plug that attack?
> 
> Enquiring(sp?) minds want to know.
> 
> Cheers, Gene Heskett
> 

Since you did not state what version of Ubuntu and openssl, all I can
say is: if the updated openssl package you installed today has a
changelog similar to the one below, then yes, it does plug the attack.

..C..

openssl (1.0.1f-1ubuntu2.7) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via DTLS SRTP memory leak
    - debian/patches/CVE-2014-3513.patch: fix logic in ssl/d1_srtp.c,
      ssl/srtp.h, ssl/t1_lib.c, util/mk1mf.pl, util/mkdef.pl,
      util/ssleay.num.
    - CVE-2014-3513
  * SECURITY UPDATE: denial of service via session ticket integrity check
    memory leak
    - debian/patches/CVE-2014-3567.patch: perform cleanup in ssl/t1_lib.c.
    - CVE-2014-3567
  * SECURITY UPDATE: fix the no-ssl3 build option
    - debian/patches/CVE-2014-3568.patch: fix conditional code in
      ssl/s23_clnt.c, ssl/s23_srvr.c.
    - CVE-2014-3568
  * SECURITY IMPROVEMENT: Added TLS_FALLBACK_SCSV support to mitigate a
    protocol downgrade attack to SSLv3 that exposes the POODLE attack.
    - debian/patches/tls_fallback_scsv_support.patch: added support for
      TLS_FALLBACK_SCSV in apps/s_client.c, crypto/err/openssl.ec,
      ssl/d1_lib.c, ssl/dtls1.h, ssl/s23_clnt.c, ssl/s23_srvr.c,
      ssl/s2_lib.c, ssl/s3_enc.c, ssl/s3_lib.c, ssl/ssl.h, ssl/ssl3.h,
      ssl/ssl_err.c, ssl/ssl_lib.c, ssl/t1_enc.c, ssl/tls1.h,
      doc/apps/s_client.pod, doc/ssl/SSL_CTX_set_mode.pod.

Date: 2014-10-15 17:38:14.520146+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>

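A small Python model of the TLS_FALLBACK_SCSV check that the last changelog entry describes, added here as an illustration; it is not OpenSSL's code and not part of the original thread. The protocol version numbers, the 0x5600 signalling cipher suite value and the inappropriate_fallback alert come from RFC 7507; the cipher suite list, the drop_above parameter and the scenarios are constructed for the demonstration.

```python
# Constructed simulation of the TLS_FALLBACK_SCSV mechanism (RFC 7507) that
# the tls_fallback_scsv_support.patch adds to OpenSSL. Not OpenSSL code.

SSL3_0, TLS1_0, TLS1_1, TLS1_2 = 0x0300, 0x0301, 0x0302, 0x0303
NAMES = {SSL3_0: "SSLv3", TLS1_0: "TLSv1.0", TLS1_1: "TLSv1.1", TLS1_2: "TLSv1.2"}
TLS_FALLBACK_SCSV = 0x5600          # signalling cipher suite value from RFC 7507
NORMAL_SUITES = [0xC02F, 0x002F]    # constructed stand-ins for real cipher suites


def server_hello(client_version, cipher_suites, server_max=TLS1_2):
    """Server side of the check. If the ClientHello carries TLS_FALLBACK_SCSV
    and offers a version below the highest one this server supports, the
    client is retrying after a failed attempt at a higher version that this
    server would have accepted, so the downgrade is refused with a fatal
    inappropriate_fallback alert. Returns (negotiated_version, status)."""
    if TLS_FALLBACK_SCSV in cipher_suites and client_version < server_max:
        return None, "inappropriate_fallback"
    return min(client_version, server_max), "ok"


def client_connect(server_max=TLS1_2, drop_above=None, sends_scsv=True):
    """Client side: the 'downgrade dance' browsers performed in 2014. Try the
    highest version first; when a handshake fails, retry with the next lower
    version and add TLS_FALLBACK_SCSV to every retry. drop_above simulates an
    on-path party killing every handshake above a given version, which is how
    a connection gets forced down to SSLv3 where POODLE applies."""
    for attempt, version in enumerate([TLS1_2, TLS1_1, TLS1_0, SSL3_0]):
        suites = list(NORMAL_SUITES)
        if attempt > 0 and sends_scsv:
            suites.append(TLS_FALLBACK_SCSV)
        if drop_above is not None and version > drop_above:
            continue                        # handshake never completes: fall back
        negotiated, status = server_hello(version, suites, server_max)
        if negotiated is None:
            return "aborted", status        # server refused the fallback: stop here
        return "connected", NAMES[negotiated]
    return "failed", "no version accepted"


if __name__ == "__main__":
    # constructed scenarios
    print(client_connect())                                      # ('connected', 'TLSv1.2')
    print(client_connect(drop_above=SSL3_0))                     # ('aborted', 'inappropriate_fallback')
    print(client_connect(drop_above=SSL3_0, sends_scsv=False))   # ('connected', 'SSLv3') old client, POODLE-exposed
    print(client_connect(server_max=SSL3_0, drop_above=TLS1_0))  # ('connected', 'SSLv3') legacy server still works
```

The third scenario is the one the update closes: a client that does not send the SCSV can be walked down to SSLv3 by a patched server, while a client and server that both support it abort the forced fallback.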