sshd & [USN-2459-1] OpenSSL vulnerabilities

Vangelis Katsikaros ibob17 at yahoo.gr
Tue Jan 13 12:26:40 UTC 2015


Hi

On 01/13/2015 02:06 PM, Colin Law wrote:
> On 13 January 2015 at 11:42, Vangelis Katsikaros <ibob17 at yahoo.gr> wrote:
>> Hi
>>
>> Sorry in case the question is stupid :) Does the ssh service need a restart
>> after this update?
>
> An update to any service should normally restart it automatically.  If
> in doubt just restart it anyway.

Thanks for the info. However:
- The update in this case is not for the service openssh-server (the service), 
it's for libssl, and from the output I don't see that it triggered any restarts.
- I know I can restart the service, but I don't want to do this without a reason
to 20+ VMs.

Regards
Vangelis

>
> Colin
>
>>
>> Regards
>> Vangelis
>>
>>> ==========================================================================
>>> Ubuntu Security Notice USN-2459-1
>>> January 12, 2015
>>>
>>> openssl vulnerabilities
>>> ==========================================================================
>>>
>>> A security issue affects these releases of Ubuntu and its derivatives:
>>>
>>> - Ubuntu 14.10
>>> - Ubuntu 14.04 LTS
>>> - Ubuntu 12.04 LTS
>>> - Ubuntu 10.04 LTS
>>>
>>> Summary:
>>>
>>> Several security issues were fixed in OpenSSL.
>>>
>>> Software Description:
>>> - openssl: Secure Socket Layer (SSL) cryptographic library and tools
>>>
>>> Details:
>>>
>>> Pieter Wuille discovered that OpenSSL incorrectly handled Bignum squaring.
>>> (CVE-2014-3570)
>>>
>>> Markus Stenberg discovered that OpenSSL incorrectly handled certain
>>> crafted DTLS messages. A remote attacker could use this issue to cause
>>> OpenSSL to crash, resulting in a denial of service. (CVE-2014-3571)
>>>
>>> Karthikeyan Bhargavan discovered that OpenSSL incorrectly handled certain
>>> handshakes. A remote attacker could possibly use this issue to downgrade
>>> to ECDH, removing forward secrecy from the ciphersuite. (CVE-2014-3572)
>>>
>>> Antti Karjalainen, Tuomo Untinen and Konrad Kraszewski discovered that
>>> OpenSSL incorrectly handled certain certificate fingerprints. A remote
>>> attacker could possibly use this issue to trick certain applications that
>>> rely on the uniqueness of fingerprints. (CVE-2014-8275)
>>>
>>> Karthikeyan Bhargavan discovered that OpenSSL incorrectly handled certain
>>> key exchanges. A remote attacker could possibly use this issue to
>>> downgrade the security of the session to EXPORT_RSA. (CVE-2015-0204)
>>>
>>> Karthikeyan Bhargavan discovered that OpenSSL incorrectly handled client
>>> authentication. A remote attacker could possibly use this issue to
>>> authenticate without the use of a private key in certain limited
>>> scenarios. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10.
>>> (CVE-2015-0205)
>>>
>>> Chris Mueller discovered that OpenSSL incorrectly handled memory when
>>> processing DTLS records. A remote attacker could use this issue to cause
>>> OpenSSL to consume resources, resulting in a denial of service. This issue
>>> only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 14.10.
>>> (CVE-2015-0206)
>>>
>>> Update instructions:
>>>
>>> The problem can be corrected by updating your system to the following
>>> package versions:
>>>
>>> Ubuntu 14.10:
>>>    libssl1.0.0                     1.0.1f-1ubuntu9.1
>>>
>>> Ubuntu 14.04 LTS:
>>>    libssl1.0.0                     1.0.1f-1ubuntu2.8
>>>
>>> Ubuntu 12.04 LTS:
>>>    libssl1.0.0                     1.0.1-4ubuntu5.21
>>>
>>> Ubuntu 10.04 LTS:
>>>    libssl0.9.8                     0.9.8k-7ubuntu8.23
>>>
>>> After a standard system update you need to reboot your computer to make
>>> all the necessary changes.
>>>
>>> References:
>>>    http://www.ubuntu.com/usn/usn-2459-1
>>>    CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275,
>>>    CVE-2015-0204, CVE-2015-0205, CVE-2015-0206
>>>
>>> Package Information:
>>>    https://launchpad.net/ubuntu/+source/openssl/1.0.1f-1ubuntu9.1
>>>    https://launchpad.net/ubuntu/+source/openssl/1.0.1f-1ubuntu2.8
>>>    https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.21
>>>    https://launchpad.net/ubuntu/+source/openssl/0.9.8k-7ubuntu8.23
>>
>>
>> --
>> ubuntu-users mailing list
>> ubuntu-users at lists.ubuntu.com
>> Modify settings or unsubscribe at:
>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
>
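
One way to check the question raised in this message, as an added example that is not part of the original thread: after a shared-library update, list the processes that still map the old, replaced copy of libssl or libcrypto (both shipped in the libssl package), since those keep running the pre-update code until restarted. The function names `stale_ssl_pids` and `make_sample_proc` are hypothetical, and the sample PIDs, addresses and inodes are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Linux /proc semantics: a
# library replaced on disk shows as "(deleted)" in the maps of processes
# that loaded the old copy.

# stale_ssl_pids [PROC_ROOT]: print "PID NAME LIBRARY" for every process
# that still maps a deleted libssl or libcrypto shared object.
stale_ssl_pids() {
    proc_root=${1:-/proc}
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue   # run as root to see other users' processes
        pid_dir=${maps%/maps}
        pid=${pid_dir##*/}
        name=$(awk '/^Name:/ {print $2; exit}' "$pid_dir/status" 2>/dev/null) || name='?'
        # maps fields: address perms offset dev inode path ["(deleted)"]
        awk -v pid="$pid" -v name="$name" '
            $7 == "(deleted)" && $6 ~ /\/lib(ssl|crypto)\.so/ && !seen[$6]++ {
                print pid, name, $6
            }' "$maps" 2>/dev/null || true
    done
}

# Constructed sample: a fake /proc tree (PIDs, addresses and inodes invented).
# PID 812 started before the update, PID 4021 after it.
make_sample_proc() {
    root=$(mktemp -d)
    mkdir -p "$root/812" "$root/4021"
    printf 'Name:\tsshd\n' > "$root/812/status"
    printf 'Name:\tsshd\n' > "$root/4021/status"
    cat > "$root/812/maps" <<'EOF'
7f1c2a000000-7f1c2a1d3000 r-xp 00000000 08:01 393301 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f1c2a3d2000-7f1c2a3ed000 r--p 001d2000 08:01 393301 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f1c2a800000-7f1c2a9bb000 r-xp 00000000 08:01 393255 /lib/x86_64-linux-gnu/libc-2.19.so
EOF
    cat > "$root/4021/maps" <<'EOF'
7f55e0000000-7f55e01d3000 r-xp 00000000 08:01 401977 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
EOF
    echo "$root"
}

sample=$(make_sample_proc)
stale_ssl_pids "$sample"    # on a real host: stale_ssl_pids /proc
rm -rf "$sample"
```

An empty result on a real host means no running process holds the old library, so no restart is needed on that machine.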




