
Security: Multiple problems in OpenSSL
Name: Multiple problems in OpenSSL
ID: USN-1357-1
Distribution: Ubuntu
Platforms: Ubuntu 8.04 LTS, Ubuntu 10.04 LTS, Ubuntu 10.10, Ubuntu 11.04, Ubuntu 11.10
Date: Fri, 10 February 2012, 12:17
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1945
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3210
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4108
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4109
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4354
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4576
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4577
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4619
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0027
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0050
Applications: OpenSSL

Original message

==========================================================================
Ubuntu Security Notice USN-1357-1
February 09, 2012

openssl vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS

Summary:

Multiple vulnerabilities exist in OpenSSL that could expose
sensitive information or cause applications to crash.

Software Description:
- openssl: Secure Socket Layer (SSL) binary and related cryptographic tools

Details:

It was discovered that the elliptic curve cryptography (ECC) subsystem
in OpenSSL, when using the Elliptic Curve Digital Signature Algorithm
(ECDSA) for the ECDHE_ECDSA cipher suite, did not properly implement
curves over binary fields. This could allow an attacker to determine
private keys via a timing attack. This issue only affected Ubuntu 8.04
LTS, Ubuntu 10.04 LTS, Ubuntu 10.10 and Ubuntu 11.04. (CVE-2011-1945)

Adam Langley discovered that the ephemeral Elliptic Curve
Diffie-Hellman (ECDH) functionality in OpenSSL did not ensure thread
safety while processing handshake messages from clients. This
could allow a remote attacker to cause a denial of service via
out-of-order messages that violate the TLS protocol. This issue only
affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS, Ubuntu 10.10 and Ubuntu
11.04. (CVE-2011-3210)

Nadhem Alfardan and Kenny Paterson discovered that the Datagram
Transport Layer Security (DTLS) implementation in OpenSSL performed a
MAC check only if certain padding is valid. This could allow a remote
attacker to recover plaintext. (CVE-2011-4108)

Antonio Martin discovered that a flaw existed in the fix to address
CVE-2011-4108, the DTLS MAC check failure. This could allow a remote
attacker to cause a denial of service. (CVE-2012-0050)

Ben Laurie discovered a double free vulnerability in OpenSSL that could
be triggered when the X509_V_FLAG_POLICY_CHECK flag is enabled. This
could allow a remote attacker to cause a denial of service. This
issue only affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS, Ubuntu 10.10
and Ubuntu 11.04. (CVE-2011-4109)

It was discovered that OpenSSL, in certain circumstances involving
ECDH or ECDHE cipher suites, used an incorrect modular reduction
algorithm in its implementation of the P-256 and P-384 NIST elliptic
curves. This could allow a remote attacker to obtain the private
key of a TLS server via multiple handshake attempts. This issue only
affected Ubuntu 8.04 LTS. (CVE-2011-4354)

Adam Langley discovered that the SSL 3.0 implementation in OpenSSL
did not properly initialize data structures for block cipher
padding. This could allow a remote attacker to obtain sensitive
information. (CVE-2011-4576)

Andrew Chi discovered that OpenSSL, when RFC 3779 support is enabled,
could trigger an assert when handling an X.509 certificate containing
certificate-extension data associated with IP address blocks or
Autonomous System (AS) identifiers. This could allow a remote attacker
to cause a denial of service. (CVE-2011-4577)

Adam Langley discovered that the Server Gated Cryptography (SGC)
implementation in OpenSSL did not properly handle handshake
restarts. This could allow a remote attacker to cause a denial of
service. (CVE-2011-4619)

Andrey Kulikov discovered that the GOST block cipher engine in OpenSSL
did not properly handle invalid parameters. This could allow a remote
attacker to cause a denial of service via crafted data from a TLS
client. This issue only affected Ubuntu 11.10. (CVE-2012-0027)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.10:
libssl1.0.0 1.0.0e-2ubuntu4.2
openssl 1.0.0e-2ubuntu4.2

Ubuntu 11.04:
libssl0.9.8 0.9.8o-5ubuntu1.2
openssl 0.9.8o-5ubuntu1.2

Ubuntu 10.10:
libssl0.9.8 0.9.8o-1ubuntu4.6
openssl 0.9.8o-1ubuntu4.6

Ubuntu 10.04 LTS:
libssl0.9.8 0.9.8k-7ubuntu8.8
openssl 0.9.8k-7ubuntu8.8

Ubuntu 8.04 LTS:
libssl0.9.8 0.9.8g-4ubuntu3.15
openssl 0.9.8g-4ubuntu3.15

After a standard system update you need to reboot your computer to make
all the necessary changes.
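As an added example (not part of the advisory or of Ubuntu's own tooling), the following Python audit compares the installed versions of the affected packages against the fixed versions listed above. It ports dpkg's version ordering so that revisions such as 7ubuntu8.10 sort after 7ubuntu8.8 and a tilde pre-release sorts before the final version; the function names, the release keys and the sample dpkg-query output are assumptions of this example.

```python
# Fixed versions from USN-1357-1 (the advisory above), keyed by Ubuntu release.
FIXED_VERSIONS = {"11.10": "1.0.0e-2ubuntu4.2", "11.04": "0.9.8o-5ubuntu1.2",
                  "10.10": "0.9.8o-1ubuntu4.6", "10.04": "0.9.8k-7ubuntu8.8",
                  "8.04": "0.9.8g-4ubuntu3.15"}
def _order(c):
    # dpkg's character weight: '~' < end of string/digit < letters < other non-digits.
    if c == "~":
        return -1
    return 0 if not c or c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256
def _cmp_part(a, b):
    # Port of dpkg's verrevcmp(): alternate non-digit runs (by _order) and digit runs.
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            vc, rc = _order(a[:1]), _order(b[:1])
            if vc != rc:
                return vc - rc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")  # numeric compare ignores leading zeros
        while a[:1].isdigit() and b[:1].isdigit():
            first_diff = first_diff or ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit():
            return 1
        if b[:1].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(version):
    # "[epoch:]upstream[-debian_revision]" -> (epoch, upstream, revision)
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")
def compare_versions(a, b):
    # Return -1, 0 or 1, ordering like `dpkg --compare-versions`.
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    c = (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)
    return (c > 0) - (c < 0)
def is_patched(release, installed):
    return compare_versions(installed, FIXED_VERSIONS[release]) >= 0
def check_dpkg_output(release, text):
    # Each line is from `dpkg-query -W -f '${Package} ${Version}\n'` on the host.
    tokens = text.split()
    return {pkg: is_patched(release, ver) for pkg, ver in zip(tokens[::2], tokens[1::2])}
# Constructed sample dpkg-query output for an Ubuntu 10.04 LTS host (not real data).
SAMPLE_DPKG_OUTPUT = "libssl0.9.8 0.9.8k-7ubuntu8.7\nopenssl 0.9.8k-7ubuntu8.8\n"
```

On a real host, feed the output of the dpkg-query command above for libssl and openssl into check_dpkg_output together with the release key; a False entry means that package is still below the fixed version.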

References:
http://www.ubuntu.com/usn/usn-1357-1
CVE-2011-1945, CVE-2011-3210, CVE-2011-4108, CVE-2011-4109,
CVE-2011-4354, CVE-2011-4576, CVE-2011-4577, CVE-2011-4619,
CVE-2012-0027, CVE-2012-0050

Package Information:
https://launchpad.net/ubuntu/+source/openssl/1.0.0e-2ubuntu4.2
https://launchpad.net/ubuntu/+source/openssl/0.9.8o-5ubuntu1.2
https://launchpad.net/ubuntu/+source/openssl/0.9.8o-1ubuntu4.6
https://launchpad.net/ubuntu/+source/openssl/0.9.8k-7ubuntu8.8
https://launchpad.net/ubuntu/+source/openssl/0.9.8g-4ubuntu3.15


--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce