==========================================================================
Ubuntu Security Notice USN-1732-3
March 25, 2013
openssl vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in OpenSSL.
Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools
Details:
USN-1732-1 fixed vulnerabilities in OpenSSL. The fix for CVE-2013-0169 and
CVE-2012-2686 was reverted in USN-1732-2 because of a regression. This
update restores the security fix, and includes an extra fix from upstream
to address the AES-NI regression. We apologize for the inconvenience.
Original advisory details:
Adam Langley and Wolfgang Ettlingers discovered that OpenSSL incorrectly
handled certain crafted CBC data when used with AES-NI. A remote attacker
could use this issue to cause OpenSSL to crash, resulting in a denial of
service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 12.10.
(CVE-2012-2686)
Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used
in OpenSSL was vulnerable to a timing side-channel attack known as the
"Lucky Thirteen" issue. A remote attacker could use this issue to perform
plaintext-recovery attacks via analysis of timing data. (CVE-2013-0169)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
libssl1.0.0 1.0.1c-3ubuntu2.3
Ubuntu 12.04 LTS:
libssl1.0.0 1.0.1-4ubuntu5.8
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1732-3
http://www.ubuntu.com/usn/usn-1732-1
CVE-2013-0169
Package Information:
https://launchpad.net/ubuntu/+source/openssl/1.0.1c-3ubuntu2.3
https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.8