CVE-2009-3245 not fixed for 8.04LTS

Bug #655884 reported by rfoster55
This bug affects 1 person
Affects            Status         Importance   Assigned to   Milestone
openssl (Ubuntu)   Fix Released   Low          Unassigned
Dapper             Fix Released   Low          Unassigned
Hardy              Fix Released   Low          Unassigned
Jaunty             Fix Released   Low          Unassigned
Karmic             Fix Released   Low          Unassigned

Bug Description

Binary package hint: openssl

When trying to make our server PCI compliant I found that the latest openssl package 0.9.8g-4ubuntu3.x hasn't been updated to address CVE-2009-3245. This is surprising since it has been fixed and released in Debian stable so I wonder if this is just an oversight here.

"OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which has unspecified impact and context-dependent attack vectors."

Can we get these changes into the 8.04LTS openssl packages? Thanks.

visibility: private → public
Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this issue. This isn't an oversight, this CVE is correctly being tracked in our CVE tracker:

http://people.canonical.com/~ubuntu-security/cve/2009/CVE-2009-3245.html

Since we consider this to be a "low" priority issue, it will be bundled in a future openssl security update.

Changed in openssl (Ubuntu):
status: New → Confirmed
Changed in openssl (Ubuntu Dapper):
status: New → Confirmed
Changed in openssl (Ubuntu Hardy):
status: New → Confirmed
Changed in openssl (Ubuntu Jaunty):
status: New → Confirmed
Changed in openssl (Ubuntu Karmic):
status: New → Confirmed
Changed in openssl (Ubuntu Hardy):
importance: Undecided → Low
Changed in openssl (Ubuntu Karmic):
importance: Undecided → Low
Changed in openssl (Ubuntu Dapper):
importance: Undecided → Low
Changed in openssl (Ubuntu Jaunty):
importance: Undecided → Low
Changed in openssl (Ubuntu):
importance: Undecided → Low
rfoster55 (rfoster55) wrote : Re: [Bug 655884] Re: CVE-2009-3245 not fixed for 8.04LTS

Marc,

Thanks for the reply. The reason I suspected it got overlooked is that it's been listed for a while in the CVE tracker and openssl updates have subsequently been released and Debian stable already has it. It isn't often that Ubuntu LTS releases are behind Debian stable -- which I mean as a compliment to the Ubuntu maintainers. Thanks.

Bob

--- On Wed, 10/6/10, Marc Deslauriers <email address hidden> wrote:

From: Marc Deslauriers <email address hidden>
Subject: [Bug 655884] Re: CVE-2009-3245 not fixed for 8.04LTS
To: <email address hidden>
Date: Wednesday, October 6, 2010, 12:08 PM

Thanks for reporting this issue. This isn't an oversight, this CVE is
correctly being tracked in our CVE tracker:

http://people.canonical.com/~ubuntu-security/cve/2009/CVE-2009-3245.html

Since we consider this to be a "low" priority issue, it will be bundled
in a future openssl security update.

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3245


Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 0.9.8g-16ubuntu3.3

---------------
openssl (0.9.8g-16ubuntu3.3) karmic-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    unchecked bn_wexpand return values. (LP: #655884)
    - crypto/bn/{bn_mul,bn_div,bn_gf2m}.c, crypto/ec/ec2_smpl.c,
      engines/e_ubsec.c: check return values.
    - http://cvs.openssl.org/chngview?cn=18936
    - http://cvs.openssl.org/chngview?cn=19309
    - CVE-2009-3245
  * SECURITY UPDATE: denial of service and possible code execution via
    crafted private key with an invalid prime.
    - ssl/s3_clnt.c: set bn_ctx to NULL after freeing it.
    - http://<email address hidden>/msg28049.html
    - CVE-2010-2939
 -- Marc Deslauriers <email address hidden> Wed, 06 Oct 2010 17:38:20 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 0.9.8g-15ubuntu3.6

---------------
openssl (0.9.8g-15ubuntu3.6) jaunty-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    unchecked bn_wexpand return values. (LP: #655884)
    - crypto/bn/{bn_mul,bn_div,bn_gf2m}.c, crypto/ec/ec2_smpl.c,
      engines/e_ubsec.c: check return values.
    - http://cvs.openssl.org/chngview?cn=18936
    - http://cvs.openssl.org/chngview?cn=19309
    - CVE-2009-3245
  * SECURITY UPDATE: denial of service and possible code execution via
    crafted private key with an invalid prime.
    - ssl/s3_clnt.c: set bn_ctx to NULL after freeing it.
    - http://<email address hidden>/msg28049.html
    - CVE-2010-2939
 -- Marc Deslauriers <email address hidden> Wed, 06 Oct 2010 17:50:37 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 0.9.8g-4ubuntu3.11

---------------
openssl (0.9.8g-4ubuntu3.11) hardy-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    unchecked bn_wexpand return values. (LP: #655884)
    - crypto/bn/{bn_mul,bn_div,bn_gf2m}.c, crypto/ec/ec2_smpl.c,
      engines/e_ubsec.c: check return values.
    - http://cvs.openssl.org/chngview?cn=18936
    - http://cvs.openssl.org/chngview?cn=19309
    - CVE-2009-3245
  * SECURITY UPDATE: denial of service and possible code execution via
    crafted private key with an invalid prime.
    - ssl/s3_clnt.c: set bn_ctx to NULL after freeing it.
    - http://<email address hidden>/msg28049.html
    - CVE-2010-2939
 -- Marc Deslauriers <email address hidden> Wed, 06 Oct 2010 18:21:02 -0400

Changed in openssl (Ubuntu Hardy):
status: Confirmed → Fix Released
Changed in openssl (Ubuntu Jaunty):
status: Confirmed → Fix Released
Changed in openssl (Ubuntu Karmic):
status: Confirmed → Fix Released
Marc Deslauriers (mdeslaur) wrote :

This has also been released for Dapper and Maverick. Closing this bug.

Changed in openssl (Ubuntu):
status: Confirmed → Fix Released
Changed in openssl (Ubuntu Dapper):
status: Confirmed → Fix Released
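
Added example (not part of the original bug thread and not Ubuntu's own tooling): the fix was backported, so the patched packages still carry upstream version 0.9.8g, and an audit has to compare the full package version against the per-series fixed version from the changelog entries above. This sketch implements the Debian policy version ordering to do that; the function names and the sample installed versions are assumptions made for illustration.

```python
import re

# Fixed package versions, copied from the changelog entries in this bug report.
FIXED = {
    "hardy": "0.9.8g-4ubuntu3.11",
    "jaunty": "0.9.8g-15ubuntu3.6",
    "karmic": "0.9.8g-16ubuntu3.3",
}
_DIGITS = "0123456789"

def _split(version):
    """Split [epoch:]upstream[-revision] as Debian policy defines it."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def _order(s, i):
    """Sort weight of s[i]: '~' first, then end/digit, then letters, then the rest."""
    if i >= len(s) or s[i] in _DIGITS:
        return 0
    if s[i] == "~":
        return -1
    return ord(s[i]) if s[i].isalpha() else ord(s[i]) + 256

def _cmp_part(a, b):
    """Compare alternating non-digit and digit runs; digit runs compare as numbers."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and a[i] not in _DIGITS) or (j < len(b) and b[j] not in _DIGITS):
            diff = _order(a, i) - _order(b, j)
            if diff:
                return diff
            i, j = i + 1, j + 1
        na = re.match(r"[0-9]*", a[i:]).group()
        nb = re.match(r"[0-9]*", b[j:]).group()
        diff = int(na or 0) - int(nb or 0)
        if diff:
            return diff
        i, j = i + len(na), j + len(nb)
    return 0

def deb_compare(a, b):
    """Negative, zero or positive as version a sorts before, equal to or after b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def has_fix(series, installed):
    """True if the installed openssl package is at or past the fixed version."""
    return deb_compare(installed, FIXED[series]) >= 0

if __name__ == "__main__":
    for v in ("0.9.8g-4ubuntu3.9", "0.9.8g-4ubuntu3.11"):  # constructed samples
        print("hardy", v, "fixed" if has_fix("hardy", v) else "NOT fixed")
```

The installed version string can be read with dpkg-query -W -f='${Version}' openssl. Note that 3.9 sorts before 3.11 under this ordering, and that the fixed hardy package still sorts before upstream 0.9.8m, so a check against the upstream version alone reports a patched system as unpatched.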