Thursday, February 28, 2013

[USN-1732-2] OpenSSL regression

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQIcBAEBCgAGBQJRL6V3AAoJEGVp2FWnRL6TNnEP/19pptjoARsiyDs2912zdh+a
Svw730GLal9r4PGpiMe7bEWkOc1CBWkR82oOl2ja1kZ5EGX/k2Ym+xQ+sR0fa04M
NgTmwJ1sdOwHG3Ky95Zllm5fFWgMjUPWTe74f3LG2Ja8IdbqwQb6ESTmXAVTUF0d
su2SkuejnjS+z5DU52neAATRPpcgwQQx1cZFiInRb7vG5CN3N479Ohy+eAnvl8vJ
CNGJ4zaH0fUoKSndX+Br3uMTsR0PIe3UEJLl2KaMXAL+x9C6b7v8XMtcCRENds8w
0EZ5kEe7den/KABI+4MdlglRLT5SNJiIOVfpdWZ2XXnpp9m6hnj8Pn/upKKGgLqJ
iG/pi5Vk4fuYyoV6EG4tliWtqOJwiWTxx+KJh5Dwl23MKCaaSpm+A2Elcy6pe65M
RV3OLU3g9M+Q3E88aeAa5+64t3qDyPesTsLMoNSTJuhcaguXenRvOiL4pzGvsDRk
uKES3LEUXLvkMxOOn6u/F5Rm4BZpdtaCX6iWXCzerxZ0fmONzmu9/Mtdsjriq+Xz
xYCPwVBycW7aN5KcFLR3AEzD6h1wCHS5GKBfv0hxtisKA2CVNA4/cfZfhd8Myc7E
Jnd1bV3flqcsqHu2uzWQG6Pppgq8uY23AqpBMsAZ1Xi0tXgv/1Hh5P+GvmFKSKva
Iuiky6qmJ4s4bL88GqHR
=6ilu
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-1732-2
February 28, 2013

openssl regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10
- Ubuntu 12.04 LTS

Summary:

USN-1732-1 introduced a regression in OpenSSL.

Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools

Details:

USN-1732-1 fixed vulnerabilities in OpenSSL. The fix for CVE-2013-0166 and
CVE-2012-2686 introduced a regression causing decryption failures on
hardware supporting AES-NI. This update temporarily reverts the security
fix pending further investigation. We apologize for the inconvenience.

Original advisory details:

Adam Langley and Wolfgang Ettlingers discovered that OpenSSL incorrectly
handled certain crafted CBC data when used with AES-NI. A remote attacker
could use this issue to cause OpenSSL to crash, resulting in a denial of
service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 12.10.
(CVE-2012-2686)
Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as
used
in OpenSSL was vulnerable to a timing side-channel attack known as the
"Lucky Thirteen" issue. A remote attacker could use this issue to perform
plaintext-recovery attacks via analysis of timing data. (CVE-2013-0169)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
libssl1.0.0 1.0.1c-3ubuntu2.2
openssl 1.0.1c-3ubuntu2.2

Ubuntu 12.04 LTS:
libssl1.0.0 1.0.1-4ubuntu5.7
openssl 1.0.1-4ubuntu5.7

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1732-2
http://www.ubuntu.com/usn/usn-1732-1
https://launchpad.net/bugs/1133333

Package Information:
https://launchpad.net/ubuntu/+source/openssl/1.0.1c-3ubuntu2.2
https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.7

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)