==========================================================================
Ubuntu Security Notice USN-2079-1
January 09, 2014

openssl vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 13.10
– Ubuntu 13.04
– Ubuntu 12.10
– Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in OpenSSL.

Software Description:
– openssl: Secure Socket Layer (SSL) cryptographic library and tools

Details:

Anton Johansson discovered that OpenSSL incorrectly handled certain invalid
TLS handshakes. A remote attacker could use this issue to cause OpenSSL to
crash, resulting in a denial of service. (CVE-2013-4353)

Ron Barber discovered that OpenSSL used an incorrect data structure to
obtain a version number. A remote attacker could use this issue to cause
OpenSSL to crash, resulting in a denial of service. (CVE-2013-6449)

Dmitry Sobinov discovered that OpenSSL incorrectly handled certain DTLS
retransmissions. A remote attacker could use this issue to cause OpenSSL to
crash, resulting in a denial of service. (CVE-2013-6450)

This update also disables the default use of the RdRand feature of certain
Intel CPUs as the sole source of entropy.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.10:
libssl1.0.0 1.0.1e-3ubuntu1.1

Ubuntu 13.04:
libssl1.0.0 1.0.1c-4ubuntu8.2

Ubuntu 12.10:
libssl1.0.0 1.0.1c-3ubuntu2.6

Ubuntu 12.04 LTS:
libssl1.0.0 1.0.1-4ubuntu5.11

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2079-1
CVE-2013-4353, CVE-2013-6449, CVE-2013-6450

Package Information:
https://launchpad.net/ubuntu/+source/openssl/1.0.1e-3ubuntu1.1
https://launchpad.net/ubuntu/+source/openssl/1.0.1c-4ubuntu8.2
https://launchpad.net/ubuntu/+source/openssl/1.0.1c-3ubuntu2.6
https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.11

—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird – http://www.enigmail.net/

iQIcBAEBCgAGBQJSzw1qAAoJEGVp2FWnRL6TP+4P/3PIGpBUdJIdrBvN6MULgCm9
tTwxUjEkNW9IXW9AkhJ3oZdJeaqGTPyGWaY7ZtfYKDR/0uRObVgvmj6ehJW8bksU
sVvf2HUtvcU5VtBLE8wOQ9XfYVkISw0zTbrbxPApDvIxUzdd3p8jhn6gkEE4nZ+J
ynhCYr23O8zKwkO0jRRvfAUXkOIt+OZiOj7X9v3Q0Q8DMsqq86H7v5M7Z6HfFCzd
9QlAKk3ow1xT3pexREAjktmXTFbyq3MQOJpdsvMqSovNCEX8I38ryzYXvLyTdKLY
5EklMj5wDIb/fdJWtVO+DePBLL26oFEgnaN0uyF28vc0SlFZrEiPsuReGbYhlzax
ZGveePmsaRhpewRdBPow6Zz0wYheronxb4di3AzyQc/6UFlB2hUleRALs4d7Dibf
iWtVeE8AW1L9sHcEO+YbwotgkG8UeEgcPOqPckFprOwHEO15Bb4l/twQESBV6hD1
hcFibMQr2VK0IDfe7Lzn5r0LN4/logEdoEsHCRW/c/UUTVD17Xnn0SIZnuPSnfR6
AXoA1WPe5GobplnvIEb+MYUUhPo9BfQyzPGXAG2A/igrySnwD/IjRMsy567c2NUl
Y6TLhACzON36Y54Wo8m7IzA/Cn7Gs+QNSHl3keuEHhbZm/7zL1LBOrTrfHeJttxU
QN/7rfLLYZ2Bc4htqswK
=KNaR
—–END PGP SIGNATURE—–
—