[USN-2165-1] OpenSSL vulnerabilities
Posted on 08 April 2014
==========================================================================
Ubuntu Security Notice USN-2165-1
April 07, 2014
openssl vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 13.10
- Ubuntu 12.10
- Ubuntu 12.04 LTS
Summary:
OpenSSL could be made to expose sensitive information over the network,
possibly including private keys.
Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools
Details:
Neel Mehta discovered that OpenSSL incorrectly handled memory in the TLS
heartbeat extension. An attacker could use this issue to obtain up to 64k
of memory contents from the client or server, possibly leading to the
disclosure of private keys and other sensitive information. (CVE-2014-0160)
Yuval Yarom and Naomi Benger discovered that OpenSSL incorrectly handled
timing during swap operations in the Montgomery ladder implementation. An
attacker could use this issue to perform side-channel attacks and possibly
recover ECDSA nonces. (CVE-2014-0076)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 13.10:
  libssl1.0.0 1.0.1e-3ubuntu1.2
Ubuntu 12.10:
  libssl1.0.0 1.0.1c-3ubuntu2.7
Ubuntu 12.04 LTS:
  libssl1.0.0 1.0.1-4ubuntu5.12
After a standard system update you need to reboot your computer to make all
the necessary changes. Since this issue may have resulted in compromised
private keys, it is recommended to regenerate them.
References:
http://www.ubuntu.com/usn/usn-2165-1
CVE-2014-0076, CVE-2014-0160
Package Information:
https://launchpad.net/ubuntu/+source/openssl/1.0.1e-3ubuntu1.2
https://launchpad.net/ubuntu/+source/openssl/1.0.1c-3ubuntu2.7
https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.12