
Security: Multiple issues in OpenSSL (update)
Name: Multiple issues in OpenSSL (update)
ID: USN-1732-3
Distribution: Ubuntu
Platforms: Ubuntu 12.04 LTS, Ubuntu 12.10
Date: Mon, 25 March 2013, 19:08
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2686
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169
Applications: OpenSSL
Update of: Multiple issues in OpenSSL

Original message

==========================================================================
Ubuntu Security Notice USN-1732-3
March 25, 2013

openssl vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10
- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in OpenSSL.

Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools

Details:

USN-1732-1 fixed vulnerabilities in OpenSSL. The fix for CVE-2013-0169 and
CVE-2012-2686 was reverted in USN-1732-2 because of a regression. This
update restores the security fix, and includes an extra fix from upstream
to address the AES-NI regression. We apologize for the inconvenience.

Original advisory details:

Adam Langley and Wolfgang Ettlingers discovered that OpenSSL incorrectly
handled certain crafted CBC data when used with AES-NI. A remote attacker
could use this issue to cause OpenSSL to crash, resulting in a denial of
service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 12.10.
(CVE-2012-2686)

Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as
used in OpenSSL was vulnerable to a timing side-channel attack known as
the "Lucky Thirteen" issue. A remote attacker could use this issue to
perform plaintext-recovery attacks via analysis of timing data.
(CVE-2013-0169)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
libssl1.0.0 1.0.1c-3ubuntu2.3

Ubuntu 12.04 LTS:
libssl1.0.0 1.0.1-4ubuntu5.8

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1732-3
http://www.ubuntu.com/usn/usn-1732-1
CVE-2013-0169

Package Information:
https://launchpad.net/ubuntu/+source/openssl/1.0.1c-3ubuntu2.3
https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.8




