Ubuntu Security Notice USN-2830-1

7th December, 2015

openssl vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 15.10
• Ubuntu 15.04
• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS

Summary

Several security issues were fixed in OpenSSL.

Software description

• openssl - Secure Socket Layer (SSL) cryptographic library and tools

Details

Guy Leaver discovered that OpenSSL incorrectly handled a ServerKeyExchange
for an anonymous DH ciphersuite with the value of p set to 0. A remote
attacker could possibly use this issue to cause OpenSSL to crash, resulting
in a denial of service. This issue only applied to Ubuntu 15.10.
(CVE-2015-1794)

Hanno Böck discovered that the OpenSSL Montgomery squaring procedure
algorithm may produce incorrect results when being used on x86_64. A remote
attacker could possibly use this issue to break encryption. This issue only
applied to Ubuntu 15.10. (CVE-2015-3193)

Loïc Jonas Etienne discovered that OpenSSL incorrectly handled ASN.1
signatures with a missing PSS parameter. A remote attacker could possibly
use this issue to cause OpenSSL to crash, resulting in a denial of service.
(CVE-2015-3194)

Adam Langley discovered that OpenSSL incorrectly handled malformed
X509_ATTRIBUTE structures. A remote attacker could possibly use this issue
to cause OpenSSL to consume resources, resulting in a denial of service.
(CVE-2015-3195)

It was discovered that OpenSSL incorrectly handled PSK identity hints. A
remote attacker could possibly use this issue to cause OpenSSL to crash,
resulting in a denial of service. This issue only applied to Ubuntu 12.04
LTS, Ubuntu 14.04 LTS and Ubuntu 15.04. (CVE-2015-3196)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 15.10:

libssl1.0.0 1.0.2d-0ubuntu1.2

Ubuntu 15.04:

libssl1.0.0 1.0.1f-1ubuntu11.5

Ubuntu 14.04 LTS:

libssl1.0.0 1.0.1f-1ubuntu2.16

Ubuntu 12.04 LTS:

libssl1.0.0 1.0.1-4ubuntu5.32

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2015-1794, CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196 

$ sudo dpkg -l openssl

희망상태=알수없음(U)/설치(I)/지우기(R)/깨끗이(P)/고정(H)

| 상태=아님(N)/설치(I)/설정(C)/풀림(U)/절반설정(F)/일부설치(H)/트리거대기(W)/

| /    트리거밀림(T)

|/ 오류?=(없음)/다시설치필요(R) (상태, 오류가 대문자=불량)

||/ 이름           버전         Architecture 설명

-------------------------------------------------------

ii  openssl        1.0.1f-1ubun amd64        Secure Sockets Layer toolkit - cr