========================================================================== Ubuntu Security Notice USN-2079-1 January 09, 2014 openssl vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 13.10 - Ubuntu 13.04 - Ubuntu 12.10 - Ubuntu 12.04 LTS Summary: Several security issues were fixed in OpenSSL. Software Description: - openssl: Secure Socket Layer (SSL) cryptographic library and tools Details: Anton Johansson discovered that OpenSSL incorrectly handled certain invalid TLS handshakes. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2013-4353) Ron Barber discovered that OpenSSL used an incorrect data structure to obtain a version number. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2013-6449) Dmitry Sobinov discovered that OpenSSL incorrectly handled certain DTLS retransmissions. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2013-6450) This update also disables the default use of the RdRand feature of certain Intel CPUs as the sole source of entropy. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 13.10: libssl1.0.0 1.0.1e-3ubuntu1.1 Ubuntu 13.04: libssl1.0.0 1.0.1c-4ubuntu8.2 Ubuntu 12.10: libssl1.0.0 1.0.1c-3ubuntu2.6 Ubuntu 12.04 LTS: libssl1.0.0 1.0.1-4ubuntu5.11 After a standard system update you need to reboot your computer to make all the necessary changes. References: http://www.ubuntu.com/usn/usn-2079-1 CVE-2013-4353, CVE-2013-6449, CVE-2013-6450 Package Information: https://launchpad.net/ubuntu/+source/openssl/1.0.1e-3ubuntu1.1 https://launchpad.net/ubuntu/+source/openssl/1.0.1c-4ubuntu8.2 https://launchpad.net/ubuntu/+source/openssl/1.0.1c-3ubuntu2.6 https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.11