==========================================================================
Ubuntu Security Notice USN-2165-1
April 07, 2014
openssl vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 13.10
- Ubuntu 12.10
- Ubuntu 12.04 LTS
Summary:
OpenSSL could be made to expose sensitive information over the network,
possibly including private keys.
Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools
Details:
Neel Mehta discovered that OpenSSL incorrectly handled memory in the TLS
heartbeat extension. An attacker could use this issue to obtain up to 64k
of memory contents from the client or server, possibly leading to the
disclosure of private keys and other sensitive information. (CVE-2014-0160)
Yuval Yarom and Naomi Benger discovered that OpenSSL incorrectly handled
timing during swap operations in the Montgomery ladder implementation. An
attacker could use this issue to perform side-channel attacks and possibly
recover ECDSA nonces. (CVE-2014-0076)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 13.10:
  libssl1.0.0    1.0.1e-3ubuntu1.2
Ubuntu 12.10:
  libssl1.0.0    1.0.1c-3ubuntu2.7
Ubuntu 12.04 LTS:
  libssl1.0.0    1.0.1-4ubuntu5.12
After a standard system update you need to reboot your computer to make all
the necessary changes. Since this issue may have resulted in compromised
private keys, it is recommended to regenerate them.
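An added example, not part of the original notice: a check for a package inventory export that compares installed libssl1.0.0 versions against the fixed versions listed above using Debian version ordering (on a single host, dpkg --compare-versions performs the same comparison). The inventory rows and host names are constructed, and compare() and audit() are illustrative names.

```python
import re

# Fixed libssl1.0.0 versions per release, copied from the notice.
FIXED = {"13.10": "1.0.1e-3ubuntu1.2", "12.10": "1.0.1c-3ubuntu2.7",
         "12.04": "1.0.1-4ubuntu5.12"}

def _order(c):
    # dpkg ordering: '~' sorts before end of string, then letters, then punctuation.
    if c in ("~", ""):
        return -1 if c else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare two upstream or revision strings; return -1, 0 or 1."""
    while a or b:
        # Peel one non-digit run and one digit run off the front of each string.
        na, da, a = re.match(r"(\D*)(\d*)(.*)", a).groups()
        nb, db, b = re.match(r"(\D*)(\d*)(.*)", b).groups()
        width = max(len(na), len(nb))
        ka = ([_order(na[i:i + 1]) for i in range(width)], int(da or 0))
        kb = ([_order(nb[i:i + 1]) for i in range(width)], int(db or 0))
        if ka != kb:
            return -1 if ka < kb else 1   # digit runs compare numerically: 12 > 9
    return 0

def _split(v):
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare(v1, v2):
    """Debian-style version comparison: negative, zero or positive."""
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    return (e1 > e2) - (e1 < e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def audit(inventory):
    """Map each host to 'ok', 'update needed' or 'release not listed'."""
    result = {}
    for host, release, version in inventory:
        fixed = FIXED.get(release)
        if fixed is None:
            result[host] = "release not listed"
        else:
            result[host] = "update needed" if compare(version, fixed) < 0 else "ok"
    return result

# Constructed sample inventory: (host, Ubuntu release, installed libssl1.0.0 version).
SAMPLE = [("web1", "12.04", "1.0.1-4ubuntu5.9"), ("web2", "12.04", "1.0.1-4ubuntu5.12"),
          ("db1", "13.10", "1.0.1e-3ubuntu1"), ("lab1", "14.04", "1.0.1f-1ubuntu2")]
```

A plain string comparison would rank 5.9 above 5.12 and report web1 as patched, which is why the digit runs are compared as numbers. A host reported as "ok" still needs its services restarted or the reboot described above before the fixed library is actually in use.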
References:
http://www.ubuntu.com/usn/usn-2165-1
CVE-2014-0076, CVE-2014-0160
Package Information:
https://launchpad.net/ubuntu/+source/openssl/1.0.1e-3ubuntu1.2
https://launchpad.net/ubuntu/+source/openssl/1.0.1c-3ubuntu2.7
https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.12