build openssl upstream update for number of CVEs from 2016-09-22

Bug #1626676 reported by V. Bakayev
Affects: openssl (Ubuntu) | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

TLDR:
OpenSSL 1.1.0 users should upgrade to 1.1.0a
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u

The full report can be found here:
https://www.openssl.org/news/secadv/20160922.txt


Revision history for this message
V. Bakayev (vbakayev) wrote :

The most impactful issues listed in that report:

OpenSSL Security Advisory [22 Sep 2016]
========================================

OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
=====================================================================

Severity: High

A malicious client can send an excessively large OCSP Status Request extension.
If that client continually requests renegotiation, sending a large OCSP Status
Request extension each time, then there will be unbounded memory growth on the
server. This will eventually lead to a Denial Of Service attack through memory
exhaustion. Servers with a default configuration are vulnerable even if they do
not support OCSP. Builds using the "no-ocsp" build time option are not affected.

Servers using OpenSSL versions prior to 1.0.1g are not vulnerable in a default
configuration, instead only if an application explicitly enables OCSP stapling
support.

OpenSSL 1.1.0 users should upgrade to 1.1.0a
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u

This issue was reported to OpenSSL on 29th August 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Matt Caswell of the OpenSSL
development team.

SSL_peek() hang on empty record (CVE-2016-6305)
===============================================

Severity: Moderate

OpenSSL 1.1.0 SSL/TLS will hang during a call to SSL_peek() if the peer sends an
empty record. This could be exploited by a malicious peer in a Denial Of Service
attack.

OpenSSL 1.1.0 users should upgrade to 1.1.0a

This issue was reported to OpenSSL on 10th September 2016 by Alex Gaynor. The
fix was developed by Matt Caswell of the OpenSSL development team.

summary: build upstream update for number of CVEs from 2016-09-22 → build openssl upstream update for number of CVEs from 2016-09-22
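As an added example (not part of this bug report, the OpenSSL project or Ubuntu's packaging), the following Python check maps an `openssl version` banner to the upgrade instruction in the advisory quoted above (1.1.0 → 1.1.0a, 1.0.2 → 1.0.2i, 1.0.1 → 1.0.1u) and applies the advisory's own rule for CVE-2016-6304: default configurations are only exposed from 1.0.1g onward, and a `no-ocsp` build is never exposed, which a version banner cannot reveal. It also carries the caveat that matters on Ubuntu: the security team backports the fix into the existing package version, so the upstream letter in the banner does not move and this check would report "upgrade needed" on a patched host. For a distro package the right oracle is the dpkg version compared with the one in the USN, not the banner; the package version `1.0.2g-1ubuntu4.5` below is an illustrative Debian-format string, not a claim about which version USN-3087-1 ships. All sample banners are constructed.

```python
import re
from typing import Tuple

# Upgrade targets named in the OpenSSL Security Advisory of 22 Sep 2016
# (https://www.openssl.org/news/secadv/20160922.txt): branch -> first fixed letter.
FIXED_LETTER = {
    (1, 1, 0): "a",
    (1, 0, 2): "i",
    (1, 0, 1): "u",
}

# Matches the start of an `openssl version` banner such as
# "OpenSSL 1.0.2g  1 Mar 2016" or "OpenSSL 1.1.0  25 Aug 2016" (no letter on a .0 release).
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_banner(banner: str) -> Tuple[Tuple[int, int, int], str]:
    """Return ((major, minor, fix), letter) from an `openssl version` banner."""
    m = _BANNER_RE.search(banner)
    if m is None:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def letter_rank(letter: str) -> int:
    """Order patch letters: '' (the .0 release) < 'a' < 'b' < ... < 'z' < 'za' ...

    The 1.0.x/1.1.0 branches only used single letters, but a base-26 ranking
    also stays correct if a branch ever ran past 'z'.
    """
    rank = 0
    for ch in letter:
        rank = rank * 26 + (ord(ch) - ord("a") + 1)
    return rank


def version_key(banner: str) -> Tuple[int, int, int, int]:
    """Sortable key (major, minor, fix, letter_rank) for comparing builds."""
    base, letter = parse_banner(banner)
    return base + (letter_rank(letter),)


def upgrade_target(banner: str) -> str:
    """Map a banner to the advisory's instruction for that branch.

    Returns 'patched', 'upgrade-to-<version>' or 'not-covered' (a branch the
    advisory does not list, e.g. 1.0.0 or 0.9.8).
    """
    base, letter = parse_banner(banner)
    fixed = FIXED_LETTER.get(base)
    if fixed is None:
        return "not-covered"
    if letter_rank(letter) >= letter_rank(fixed):
        return "patched"
    return "upgrade-to-%d.%d.%d%s" % (base + (fixed,))


def default_config_exposed_to_cve_2016_6304(banner: str) -> bool:
    """Is a server running this upstream build exposed in a default configuration?

    Per the advisory: builds before 1.0.1g are only affected if the application
    explicitly enabled OCSP stapling; from 1.0.1g onward every default build is
    affected until the fixed letter. A `no-ocsp` build is not affected at all,
    which the banner cannot show, so a True here means "exposed unless built no-ocsp".
    """
    if version_key(banner) < (1, 0, 1, letter_rank("g")):
        return False
    return upgrade_target(banner) != "patched"


def is_distro_package_version(pkg_version: str) -> bool:
    """True for a Debian/Ubuntu package version such as '1.0.2g-1ubuntu4.5'.

    The hyphen separates the upstream version from the distribution revision.
    On such a build the upstream letter does not move when a CVE fix is
    backported, so the banner check above is the wrong oracle: compare the
    package version (dpkg-query -W -f='${Version}' libssl1.0.0) with the USN.
    """
    return "-" in pkg_version


if __name__ == "__main__":
    # Constructed sample banners, not captured from a real host.
    for sample in ("OpenSSL 1.0.2g  1 Mar 2016", "OpenSSL 1.0.1f 6 Jan 2014",
                   "OpenSSL 1.1.0  25 Aug 2016", "OpenSSL 1.0.2i  22 Sep 2016"):
        print(sample, "->", upgrade_target(sample),
              "| default config exposed to CVE-2016-6304:",
              default_config_exposed_to_cve_2016_6304(sample))
    print("1.0.2g-1ubuntu4.5 is a distro build:", is_distro_package_version("1.0.2g-1ubuntu4.5"))
```

The letter comparison is the only part that needs care: `1.1.0` with no letter must sort below `1.1.0a`, and `1.0.1f` must sort below `1.0.1g`, which is why the letter is ranked separately rather than compared as part of a string.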
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Hello, fixed packages are currently being copied to the mirrors. A USN will be released shortly; it will be at http://www.ubuntu.com/usn/ and on the ubuntu-security-announce mailing list when the mirror network shows the updated packages are widely available.

Thanks

information type: Private Security → Public Security
Changed in openssl (Ubuntu):
status: New → Fix Released
Revision history for this message
V. Bakayev (vbakayev) wrote :

The USN is published: http://www.ubuntu.com/usn/usn-3087-1/. This provides updated packages for the LTS versions, and that concludes all currently supported versions out there. Thank you.
