[USN-620-1] OpenSSL vulnerabilities
Date: Thu, 26 Jun 2008 09:23:49 -0400
From: Jamie Strandboge <jamie@canonical.com.>
To: [email protected]
Subject: [USN-620-1] OpenSSL vulnerabilities
Message-ID: <20080626132349.GI7895@severus.strandboge.com.>
Reply-To: Jamie Strandboge <jamie@canonical.com.>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="byLs0wutDcxFdwtm"
Content-Disposition: inline
User-Agent: Mutt/1.5.17+20080114 (2008-01-14)
X-Virus-Scanned: antivirus-gw at tyumen.ru
--byLs0wutDcxFdwtm
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=20
Ubuntu Security Notice USN-620-1 June 26, 2008
openssl vulnerabilities
CVE-2008-0891, CVE-2008-1672
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D
A security issue affects the following Ubuntu releases:
Ubuntu 8.04 LTS
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 8.04 LTS:
libssl0.9.8 0.9.8g-4ubuntu3.3
After a standard system upgrade you need to reboot your computer to
effect the necessary changes.
Details follow:
It was discovered that OpenSSL was vulnerable to a double-free
when using TLS server extensions. A remote attacker could send a
crafted packet and cause a denial of service via application crash
in applications linked against OpenSSL. Ubuntu 8.04 LTS does not
compile TLS server extensions by default. (CVE-2008-0891)
It was discovered that OpenSSL could dereference a NULL pointer.
If a user or automated system were tricked into connecting to a
malicious server with particular cipher suites, a remote attacker
could cause a denial of service via application crash.
(CVE-2008-1672)
Updated packages for Ubuntu 8.04 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g-4u=
buntu3.3.diff.gz
Size/MD5: 52995 b1cea7b7db0cb4522acd795c3928f6d6
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g-4u=
buntu3.3.dsc
Size/MD5: 912 ac4c66a0442648d7b1a1afd326609c54
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g.or=
ig.tar.gz
Size/MD5: 3354792 acf70a16359bf3658bdfb74bda1c4419
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl-doc_0.9.8=
g-4ubuntu3.3_all.deb
Size/MD5: 628742 36c2d25fdf6427526076a8d6b5da2e96
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-ud=
eb_0.9.8g-4ubuntu3.3_amd64.udeb
Size/MD5: 603880 84269c06376fba49d325c730777068c6
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8g=
-4ubuntu3.3_amd64.deb
Size/MD5: 2064718 33f436e01452fc2731b30700d3e0cb25
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0=
=2E9.8g-4ubuntu3.3_amd64.deb
Size/MD5: 1604058 c07455422c05690cab6b54026279f9e3
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8=
g-4ubuntu3.3_amd64.deb
Size/MD5: 931362 43218bfe72915fb66bdf8c081f847fcb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g-4u=
buntu3.3_amd64.deb
Size/MD5: 390580 1c33397eeeaf9c43dbadbc952effca25
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-ud=
eb_0.9.8g-4ubuntu3.3_i386.udeb
Size/MD5: 564676 2afdf22196bfa295f2847798c28ebc56
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8g=
-4ubuntu3.3_i386.deb
Size/MD5: 1941746 9e1601920ffb4579750c62e3bafcc788
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0=
=2E9.8g-4ubuntu3.3_i386.deb
Size/MD5: 5341160 b92bf74a2f51c864239b7266dc902fd6
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8=
g-4ubuntu3.3_i386.deb
Size/MD5: 2828380 bdfaf989e6b72ba194845ac03d5c27b4
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g-4u=
buntu3.3_i386.deb
Size/MD5: 385396 a91bd87423e0063ab2bb18ecf44ae995
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-=
4ubuntu3.3_lpia.udeb
Size/MD5: 535446 5841b6cc1e0fae3393afabc957037822
http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8g-4ubuntu3.=
3_lpia.deb
Size/MD5: 1922442 32dcdad159f05decabf11549ff204f37
http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-4ubu=
ntu3.3_lpia.deb
Size/MD5: 1512426 4fb1d4039493d3f2d08dcfb27de4dc31
http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8g-4ubuntu3=
=2E3_lpia.deb
Size/MD5: 842914 7924b29683950fdde4467c65e0e1d337
http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8g-4ubuntu3.3_l=
pia.deb
Size/MD5: 390020 7a31e11f913264848caf9970c8b55859
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-=
4ubuntu3.3_powerpc.udeb
Size/MD5: 610278 7d857eca164bdfff475280cf334fd968
http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8g-4ubuntu3.=
3_powerpc.deb
Size/MD5: 2077858 49b892b43342c57136963936314cd850
http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-4ubu=
ntu3.3_powerpc.deb
Size/MD5: 1639382 34a79f78df92067f4be10eacbb72463d
http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8g-4ubuntu3=
=2E3_powerpc.deb
Size/MD5: 944698 1c4cae202d0012cd143bd81239b36c71
http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8g-4ubuntu3.3_p=
owerpc.deb
Size/MD5: 399184 b4a0cd49967333a6e617f7ddf6be1427
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-=
4ubuntu3.3_sparc.udeb
Size/MD5: 559658 d065856a7822c4d5f5382b1ad1a652fe
http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8g-4ubuntu3.=
3_sparc.deb
Size/MD5: 1984612 c82132370120b65e6e278df0755eb1a6
http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-4ubu=
ntu3.3_sparc.deb
Size/MD5: 3873772 dfcf08c38728d64842da3f378639b191
http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8g-4ubuntu3=
=2E3_sparc.deb
Size/MD5: 2241472 37861360b67b2ce0b038e49ea4a6ae67
http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8g-4ubuntu3.3_s=
parc.deb
Size/MD5: 397828 ffe5e48d1e71e27bd8adf064f4adcc64
--byLs0wutDcxFdwtm
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFIY5hlW0JvuRdL8BoRAoj4AKCNtmECUR9NOtsuH/ADt9BRNEuQbwCfZOKK
Nh/etAVgEW62j6Pw5DPtIpI=
=0Kr8
-----END PGP SIGNATURE-----
--byLs0wutDcxFdwtm--
