Security: Two problems in OpenSSL
Name: Two problems in OpenSSL
ID: USN-2165-1
Distribution: Ubuntu
Platforms: Ubuntu 12.04 LTS, Ubuntu 12.10, Ubuntu 13.10
Date: Tue, 8 April 2014, 07:14
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0076
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
Applications: OpenSSL
Original message
==========================================================================
Ubuntu Security Notice USN-2165-1
April 07, 2014

openssl vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 13.10
- Ubuntu 12.10
- Ubuntu 12.04 LTS
Summary:
OpenSSL could be made to expose sensitive information over the network, possibly including private keys.
Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools
Details:
Neel Mehta discovered that OpenSSL incorrectly handled memory in the TLS heartbeat extension. An attacker could use this issue to obtain up to 64k of memory contents from the client or server, possibly leading to the disclosure of private keys and other sensitive information. (CVE-2014-0160)
Yuval Yarom and Naomi Benger discovered that OpenSSL incorrectly handled timing during swap operations in the Montgomery ladder implementation. An attacker could use this issue to perform side-channel attacks and possibly recover ECDSA nonces. (CVE-2014-0076)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 13.10: libssl1.0.0 1.0.1e-3ubuntu1.2
Ubuntu 12.10: libssl1.0.0 1.0.1c-3ubuntu2.7
Ubuntu 12.04 LTS: libssl1.0.0 1.0.1-4ubuntu5.12
After a standard system update you need to reboot your computer to make all the necessary changes. Since this issue may have resulted in compromised private keys, it is recommended to regenerate them.
References:
http://www.ubuntu.com/usn/usn-2165-1
CVE-2014-0076, CVE-2014-0160
Package Information:
https://launchpad.net/ubuntu/+source/openssl/1.0.1e-3ubuntu1.2
https://launchpad.net/ubuntu/+source/openssl/1.0.1c-3ubuntu2.7
https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.12
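The fixed versions under "Update instructions" can be checked across a host inventory. The script below is an added example, not part of the Ubuntu notice: it implements Debian version ordering itself (it does not call dpkg), because a plain string comparison would rank 1.0.1-4ubuntu5.9 above 1.0.1-4ubuntu5.12. The function names and the sample inventory are constructed for illustration.

```python
import re

# Fixed libssl1.0.0 versions per Ubuntu release, copied from USN-2165-1.
FIXED = {"13.10": "1.0.1e-3ubuntu1.2", "12.10": "1.0.1c-3ubuntu2.7",
         "12.04": "1.0.1-4ubuntu5.12"}

def _weights(text):
    """Debian order for a non-digit run: '~' < end of string < letters < rest."""
    return [-1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256
            for c in text] + [0]

def _cmp_part(a, b):
    """Compare upstream or revision strings by alternating text/number runs."""
    while a or b:
        ta, tb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(ta):], b[len(tb):]
        if _weights(ta) != _weights(tb):
            return -1 if _weights(ta) < _weights(tb) else 1
        na, nb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(na):], b[len(nb):]
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0

def deb_compare(v1, v2):
    """Return -1, 0 or 1 for versions of the form [epoch:]upstream[-revision]."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def status(release, installed):
    """Classify one host's libssl1.0.0 version against the notice."""
    fixed = FIXED.get(release)
    if fixed is None:
        return "unknown release"
    return "patched" if deb_compare(installed, fixed) >= 0 else "vulnerable"

# Constructed inventory: (host, Ubuntu release, installed libssl1.0.0 version).
SAMPLE = [("web1", "12.04", "1.0.1-4ubuntu5.9"), ("web2", "12.04", "1.0.1-4ubuntu5.12"),
          ("db1", "13.10", "1.0.1e-3ubuntu1"), ("mail1", "12.10", "1.0.1c-3ubuntu2.8")]

if __name__ == "__main__":
    for host, release, installed in SAMPLE:
        print(host, release, installed, status(release, installed))
```

A "patched" result covers only the package version on disk; the notice also calls for a reboot and recommends regenerating private keys.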