Ubuntu Security Notice 3692-1 - Keegan Ryan discovered that OpenSSL incorrectly handled ECDSA key generation. An attacker could possibly use this issue to perform a cache-timing attack and recover private ECDSA keys. Guido Vranken discovered that OpenSSL incorrectly handled very large prime values during a key agreement. A remote attacker could possibly use this issue to consume resources, leading to a denial of service. Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia discovered that OpenSSL incorrectly handled RSA key generation. An attacker could possibly use this issue to perform a cache-timing attack and recover private RSA keys. Various other issues were also addressed.
64a55400d3928d560eed60fa189b3f16e104aacf734c115775b42e7ec6f162c5==========================================================================
Ubuntu Security Notice USN-3692-1
June 26, 2018
openssl, openssl1.0 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS
- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in OpenSSL.
Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools
- openssl1.0: Secure Socket Layer (SSL) cryptographic library and tools
Details:
Keegan Ryan discovered that OpenSSL incorrectly handled ECDSA key
generation. An attacker could possibly use this issue to perform a
cache-timing attack and recover private ECDSA keys. (CVE-2018-0495)
Guido Vranken discovered that OpenSSL incorrectly handled very large prime
values during a key agreement. A remote attacker could possibly use this
issue to consume resources, leading to a denial of service. (CVE-2018-0732)
Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis
Manuel Alvarez Tapia discovered that OpenSSL incorrectly handled RSA key
generation. An attacker could possibly use this issue to perform a
cache-timing attack and recover private RSA keys. (CVE-2018-0737)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.04 LTS:
libssl1.0.0 1.0.2n-1ubuntu5.1
libssl1.1 1.1.0g-2ubuntu4.1
Ubuntu 17.10:
libssl1.0.0 1.0.2g-1ubuntu13.6
Ubuntu 16.04 LTS:
libssl1.0.0 1.0.2g-1ubuntu4.13
Ubuntu 14.04 LTS:
libssl1.0.0 1.0.1f-1ubuntu2.26
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
https://usn.ubuntu.com/usn/usn-3692-1
CVE-2018-0495, CVE-2018-0732, CVE-2018-0737
Package Information:
https://launchpad.net/ubuntu/+source/openssl/1.1.0g-2ubuntu4.1
https://launchpad.net/ubuntu/+source/openssl1.0/1.0.2n-1ubuntu5.1
https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu13.6
https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu4.13
https://launchpad.net/ubuntu/+source/openssl/1.0.1f-1ubuntu2.26
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed