============================================================================ Ubuntu Security Notice USN-2537-1 March 19, 2015 openssl vulnerabilities ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 14.10 - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS - Ubuntu 10.04 LTS Summary: Several security issues were fixed in OpenSSL. Software Description: - openssl: Secure Socket Layer (SSL) cryptographic library and tools Details: It was discovered that OpenSSL incorrectly handled malformed EC private key files. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service, or execute arbitrary code. (CVE-2015-0209) Stephen Henson discovered that OpenSSL incorrectly handled comparing ASN.1 boolean types. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2015-0286) Emilia K=C3=A4sper discovered that OpenSSL incorrectly handled ASN.1 structure reuse. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service, or execute arbitrary code. (CVE-2015-0287) Brian Carpenter discovered that OpenSSL incorrectly handled invalid certificate keys. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2015-0288) Michal Zalewski discovered that OpenSSL incorrectly handled missing outer ContentInfo when parsing PKCS#7 structures. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service, or execute arbitrary code. (CVE-2015-0289) Robert Dugal and David Ramos discovered that OpenSSL incorrectly handled decoding Base64 encoded data. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service, or execute arbitrary code. (CVE-2015-0292) Sean Burford and Emilia K=C3=A4sper discovered that OpenSSL incorrectly handled specially crafted SSLv2 CLIENT-MASTER-KEY messages. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2015-0293) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 14.10: libssl1.0.0 1.0.1f-1ubuntu9.4 Ubuntu 14.04 LTS: libssl1.0.0 1.0.1f-1ubuntu2.11 Ubuntu 12.04 LTS: libssl1.0.0 1.0.1-4ubuntu5.25 Ubuntu 10.04 LTS: libssl0.9.8 0.9.8k-7ubuntu8.27 After a standard system update you need to reboot your computer to make all the necessary changes. References: http://www.ubuntu.com/usn/usn-2537-1 CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0292, CVE-2015-0293 Package Information: https://launchpad.net/ubuntu/+source/openssl/1.0.1f-1ubuntu9.4 https://launchpad.net/ubuntu/+source/openssl/1.0.1f-1ubuntu2.11 https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.25 https://launchpad.net/ubuntu/+source/openssl/0.9.8k-7ubuntu8.27