[CVE-2008-0891, CVE-2008-1672] OpenSSL denial of service vulnerabilities (crashes)

Bug #235913 reported by Till Ulen
Affects: openssl (Ubuntu)
  Status: Fix Released
  Importance: Undecided
  Assigned to: Unassigned

Affects: Hardy
  Status: Fix Released
  Importance: Undecided
  Assigned to: Jamie Strandboge

Bug Description

Binary package hint: openssl

CVE-2008-0891 description:

"Double free vulnerability in OpenSSL 0.9.8f and 0.9.8g, when the TLS server name extensions are enabled, allows remote attackers to cause a denial of service (crash) via a crafted packet. NOTE: some of these details are obtained from third party information."

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0891

CVE-2008-1672 description:

"OpenSSL 0.9.8f and 0.9.8g allows remote attackers to cause a denial of service (crash) via a TLS handshake that omits the Server Key Exchange message and uses "particular cipher suites." "

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1672

Upstream advisory: http://www.openssl.org/news/secadv_20080528.txt

Does this apply to Hardy?

Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and taking the time to report a bug. This was fixed in 0.9.8g-10.1, and Intrepid now has 0.9.8g-10.1ubuntu1.

Changed in openssl:
status: New → Fix Released
Jamie Strandboge (jdstrand) wrote :

Hardy is not affected by CVE-2008-1672, because it is not compiled with enable-tlsext (this change was introduced in 0.9.8g-5).

Changed in openssl:
assignee: nobody → jdstrand
status: New → In Progress
Changed in openssl:
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 0.9.8g-4ubuntu3.3

---------------
openssl (0.9.8g-4ubuntu3.3) hardy-security; urgency=low

  * SECURITY UPDATE: fix denial of service when 'Server Key exchange message'
    is omitted from a TLS handshake
  * ssl/s3_clnt.c: make sure s->session->sess_cert is not NULL
  * SECURITY UPDATE: fix denial of service when using tlsext. Note that
    this version of openssl does not use tlsext by default.
  * ssl/t1_lib.c: make sure s->session->tlsext_hostname is set to NULL to
    prevent double free.
  * References
    CVE-2008-1672
    CVE-2008-0891
    LP: #235913

 -- Jamie Strandboge <email address hidden> Thu, 19 Jun 2008 14:35:20 -0400

Changed in openssl:
status: Fix Committed → Fix Released
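
The two fixes named in the changelog above, as a simplified C model added here (not OpenSSL's or Ubuntu's patch code). The structs, function names and the counting free() wrapper are hypothetical; only the field names tlsext_hostname and sess_cert come from the changelog.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the two fields named in the changelog. */
struct sess_cert { int peer_key_type; };
struct session { char *tlsext_hostname; struct sess_cert *sess_cert; };

static int double_frees;   /* second releases of the same buffer */
static void *last_freed;   /* address only, never dereferenced */

/* free() wrapper that counts a repeated release instead of corrupting the heap. */
static void tracked_free(void *p) {
    if (p == NULL) return;
    if (p == last_freed) { double_frees++; return; }
    last_freed = p;
    free(p);
}

/* Error path that discards the hostname; `reset` models the t1_lib.c fix. */
static void drop_hostname(struct session *s, int reset) {
    tracked_free(s->tlsext_hostname);
    if (reset) s->tlsext_hostname = NULL;
}

/* Final teardown, which releases the hostname again if the field is still set. */
static void session_teardown(struct session *s) {
    tracked_free(s->tlsext_hostname);
    s->tlsext_hostname = NULL;
}

/* Runs the error path, then teardown; returns how many double frees occurred. */
int hostname_double_frees(int reset) {
    struct session s = { NULL, NULL };
    double_frees = 0;
    last_freed = NULL;
    s.tlsext_hostname = malloc(16);
    if (s.tlsext_hostname == NULL) return -1;
    strcpy(s.tlsext_hostname, "host.example");  /* constructed value */
    drop_hostname(&s, reset);
    session_teardown(&s);
    return double_frees;
}

/* Models the s3_clnt.c guard: fail the handshake (-1) rather than
   dereference sess_cert when it was never populated. */
int use_server_key(const struct session *s) {
    if (s->sess_cert == NULL) return -1;
    return s->sess_cert->peer_key_type;
}
```
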