Mehrere Probleme in OpenSSL
ID: | USN-1357-1 |
Distribution: | Ubuntu |
Plattformen: | Ubuntu 8.04 LTS, Ubuntu 10.04 LTS, Ubuntu 10.10, Ubuntu 11.04, Ubuntu 11.10 |
Datum: | Fr, 10. Februar 2012, 12:17 |
Referenzen: | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1945
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3210 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4108 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4109 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4354 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4576 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4577 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4619 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0027 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0050 |
Applikationen: | OpenSSL |
Originalnachricht |
|
--===============8437019862855575324== Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="CblX+4bnyfN0pR09" Content-Disposition: inline --CblX+4bnyfN0pR09 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline ========================================================================== Ubuntu Security Notice USN-1357-1 February 09, 2012 openssl vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 11.10 - Ubuntu 11.04 - Ubuntu 10.10 - Ubuntu 10.04 LTS - Ubuntu 8.04 LTS Summary: Multiple vulnerabilities exist in OpenSSL that could expose sensitive information or cause applications to crash. Software Description: - openssl: Secure Socket Layer (SSL) binary and related cryptographic tools Details: It was discovered that the elliptic curve cryptography (ECC) subsystem in OpenSSL, when using the Elliptic Curve Digital Signature Algorithm (ECDSA) for the ECDHE_ECDSA cipher suite, did not properly implement curves over binary fields. This could allow an attacker to determine private keys via a timing attack. This issue only affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS, Ubuntu 10.10 and Ubuntu 11.04. (CVE-2011-1945) Adam Langley discovered that the ephemeral Elliptic Curve Diffie-Hellman (ECDH) functionality in OpenSSL did not ensure thread safety while processing handshake messages from clients. This could allow a remote attacker to cause a denial of service via out-of-order messages that violate the TLS protocol. This issue only affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS, Ubuntu 10.10 and Ubuntu 11.04. (CVE-2011-3210) Nadhem Alfardan and Kenny Paterson discovered that the Datagram Transport Layer Security (DTLS) implementation in OpenSSL performed a MAC check only if certain padding is valid. This could allow a remote attacker to recover plaintext. (CVE-2011-4108) Antonio Martin discovered that a flaw existed in the fix to address CVE-2011-4108, the DTLS MAC check failure. This could allow a remote attacker to cause a denial of service. (CVE-2012-0050) Ben Laurie discovered a double free vulnerability in OpenSSL that could be triggered when the X509_V_FLAG_POLICY_CHECK flag is enabled. This could allow a remote attacker to cause a denial of service. This issue only affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS, Ubuntu 10.10 and Ubuntu 11.04. (CVE-2011-4109) It was discovered that OpenSSL, in certain circumstances involving ECDH or ECDHE cipher suites, used an incorrect modular reduction algorithm in its implementation of the P-256 and P-384 NIST elliptic curves. This could allow a remote attacker to obtain the private key of a TLS server via multiple handshake attempts. This issue only affected Ubuntu 8.04 LTS. (CVE-2011-4354) Adam Langley discovered that the SSL 3.0 implementation in OpenSSL did not properly initialize data structures for block cipher padding. This could allow a remote attacker to obtain sensitive information. (CVE-2011-4576) Andrew Chi discovered that OpenSSL, when RFC 3779 support is enabled, could trigger an assert when handling an X.509 certificate containing certificate-extension data associated with IP address blocks or Autonomous System (AS) identifiers. This could allow a remote attacker to cause a denial of service. (CVE-2011-4577) Adam Langley discovered that the Server Gated Cryptography (SGC) implementation in OpenSSL did not properly handle handshake restarts. This could allow a remote attacker to cause a denial of service. (CVE-2011-4619) Andrey Kulikov discovered that the GOST block cipher engine in OpenSSL did not properly handle invalid parameters. This could allow a remote attacker to cause a denial of service via crafted data from a TLS client. This issue only affected Ubuntu 11.10. (CVE-2012-0027) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 11.10: libssl1.0.0 1.0.0e-2ubuntu4.2 openssl 1.0.0e-2ubuntu4.2 Ubuntu 11.04: libssl0.9.8 0.9.8o-5ubuntu1.2 openssl 0.9.8o-5ubuntu1.2 Ubuntu 10.10: libssl0.9.8 0.9.8o-1ubuntu4.6 openssl 0.9.8o-1ubuntu4.6 Ubuntu 10.04 LTS: libssl0.9.8 0.9.8k-7ubuntu8.8 openssl 0.9.8k-7ubuntu8.8 Ubuntu 8.04 LTS: libssl0.9.8 0.9.8g-4ubuntu3.15 openssl 0.9.8g-4ubuntu3.15 After a standard system update you need to reboot your computer to make all the necessary changes. References: http://www.ubuntu.com/usn/usn-1357-1 CVE-2011-1945, CVE-2011-3210, CVE-2011-4108, CVE-2011-4109, CVE-2011-4354, CVE-2011-4576, CVE-2011-4577, CVE-2011-4619, CVE-2012-0027, CVE-2012-0050 Package Information: https://launchpad.net/ubuntu/+source/openssl/1.0.0e-2ubuntu4.2 https://launchpad.net/ubuntu/+source/openssl/0.9.8o-5ubuntu1.2 https://launchpad.net/ubuntu/+source/openssl/0.9.8o-1ubuntu4.6 https://launchpad.net/ubuntu/+source/openssl/0.9.8k-7ubuntu8.8 https://launchpad.net/ubuntu/+source/openssl/0.9.8g-4ubuntu3.15 --CblX+4bnyfN0pR09 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iQIcBAEBCgAGBQJPNExBAAoJEC8Jno0AXoH0L2YQALD01eqsU40nWH3EXeGne3qc 5xNSqXDEzgXYOTh3RwR2J3eerSMz4cnMnKRF+b97jKkECNatel5T2xLrEx6vOgsa AnKaPlmNdEHXnCFUu8qhEvuHIPE4ty/hsp77X7dJGmTYj8DiEHyM+DWwvAmtpd+M BbJoFnXMI0bu+rj0C/dHo64bfyO9ME7tdl026GCsD8u4/xymlUMNSpzqi2VVQATJ J0FCOfSlU9eQ+28uc67nkAKofvdSgnjBhmAeaW/9CPRZpMbtKWelpCL2/bW3nGFz oz8vXD7rprVYDiL1BuXO6tldjLecmTnSt9b4EkEvyF7JXrzu4o6ORs5KaP+FRaJ5 xDTC5HFm1hB1yz7X4Jjd3tJYtn/GP3Heq3VeWLVvDH6t5IPpHGfayA9uD7O/R4Tk zPJEmGO5yJUyrsEwaMK20Oj4KazEUH0yiO2nNdDInbIRNbhicUUMekx7jeLszfFo qGc2GShsAotnVn2S1pepQLj68foM96yTawdc7roDBMn6dkBckiQv7H1Jhb6JCrWs VXhv04Q0dmwolj3U3oApW+v+O2284OvhBEbQIrfGYqgzbIXBmBqhzxjHnU1kVBgG rJx83EhlhJbvmqdKUmBxbihz51UXf6hE8BYGI50UrjJO+gKrz2DeRNqPvmdHILXu elHMPntVrbmGVDdfYqFA =vhHF -----END PGP SIGNATURE----- --CblX+4bnyfN0pR09-- --===============8437019862855575324== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline -- ubuntu-security-announce mailing list ubuntu-security-announce@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce --===============8437019862855575324==-- |