CVE-2009-3245 not fixed for 8.04LTS

Bug #655884 reported by rfoster55 on 2010-10-06
This bug affects 1 person
Affects             Importance   Assigned to
openssl (Ubuntu)    Low          Unassigned
Dapper              Low          Unassigned
Hardy               Low          Unassigned
Jaunty              Low          Unassigned
Karmic              Low          Unassigned

Bug Description

Binary package hint: openssl

When trying to make our server PCI compliant I found that the latest openssl package 0.9.8g-4ubuntu3.x hasn't been updated to address CVE-2009-3245. This is surprising since it has been fixed and released in Debian stable so I wonder if this is just an oversight here.

"OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which has unspecified impact and context-dependent attack vectors."

Can we get these changes into the 8.04LTS openssl packages? Thanks.

visibility: private → public
Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this issue. This isn't an oversight, this CVE is correctly being tracked in our CVE tracker:

http://people.canonical.com/~ubuntu-security/cve/2009/CVE-2009-3245.html

Since we consider this to be a "low" priority issue, it will be bundled in a future openssl security update.

Changed in openssl (Ubuntu):
status: New → Confirmed
Changed in openssl (Ubuntu Dapper):
status: New → Confirmed
Changed in openssl (Ubuntu Hardy):
status: New → Confirmed
Changed in openssl (Ubuntu Jaunty):
status: New → Confirmed
Changed in openssl (Ubuntu Karmic):
status: New → Confirmed
Changed in openssl (Ubuntu Hardy):
importance: Undecided → Low
Changed in openssl (Ubuntu Karmic):
importance: Undecided → Low
Changed in openssl (Ubuntu Dapper):
importance: Undecided → Low
Changed in openssl (Ubuntu Jaunty):
importance: Undecided → Low
Changed in openssl (Ubuntu):
importance: Undecided → Low

Marc,

Thanks for the reply. The reason I suspected it got overlooked is that it's been listed for a while in the CVE tracker and openssl updates have subsequently been released and Debian stable already has it. It isn't often that Ubuntu LTS releases are behind Debian stable, which I mean as a compliment to the Ubuntu maintainers. Thanks.

Bob

--- On Wed, 10/6/10, Marc Deslauriers <email address hidden> wrote:

From: Marc Deslauriers <email address hidden>
Subject: [Bug 655884] Re: CVE-2009-3245 not fixed for 8.04LTS
To: <email address hidden>
Date: Wednesday, October 6, 2010, 12:08 PM

Thanks for reporting this issue. This isn't an oversight, this CVE is
correctly being tracked in our CVE tracker:

http://people.canonical.com/~ubuntu-security/cve/2009/CVE-2009-3245.html

Since we consider this to be a "low" priority issue, it will be bundled
in a future openssl security update.

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3245

** Changed in: openssl (Ubuntu)
       Status: New => Confirmed

** Also affects: openssl (Ubuntu Dapper)
   Importance: Undecided
       Status: New

** Also affects: openssl (Ubuntu Hardy)
   Importance: Undecided
       Status: New

** Also affects: openssl (Ubuntu Jaunty)
   Importance: Undecided
       Status: New

** Also affects: openssl (Ubuntu Karmic)
   Importance: Undecided
       Status: New

** Changed in: openssl (Ubuntu Dapper)
       Status: New => Confirmed

** Changed in: openssl (Ubuntu Hardy)
       Status: New => Confirmed

** Changed in: openssl (Ubuntu Jaunty)
       Status: New => Confirmed

** Changed in: openssl (Ubuntu Karmic)
       Status: New => Confirmed

** Changed in: openssl (Ubuntu Hardy)
   Importance: Undecided => Low

** Changed in: openssl (Ubuntu Karmic)
   Importance: Undecided => Low

** Changed in: openssl (Ubuntu Dapper)
   Importance: Undecided => Low

** Changed in: openssl (Ubuntu Jaunty)
   Importance: Undecided => Low

** Changed in: openssl (Ubuntu)
   Importance: Undecided => Low


Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 0.9.8g-16ubuntu3.3

---------------
openssl (0.9.8g-16ubuntu3.3) karmic-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    unchecked bn_wexpand return values. (LP: #655884)
    - crypto/bn/{bn_mul,bn_div,bn_gf2m}.c, crypto/ec/ec2_smpl.c,
      engines/e_ubsec.c: check return values.
    - http://cvs.openssl.org/chngview?cn=18936
    - http://cvs.openssl.org/chngview?cn=19309
    - CVE-2009-3245
  * SECURITY UPDATE: denial of service and possible code execution via
    crafted private key with an invalid prime.
    - ssl/s3_clnt.c: set bn_ctx to NULL after freeing it.
    - http://<email address hidden>/msg28049.html
    - CVE-2010-2939
 -- Marc Deslauriers <email address hidden> Wed, 06 Oct 2010 17:38:20 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 0.9.8g-15ubuntu3.6

---------------
openssl (0.9.8g-15ubuntu3.6) jaunty-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    unchecked bn_wexpand return values. (LP: #655884)
    - crypto/bn/{bn_mul,bn_div,bn_gf2m}.c, crypto/ec/ec2_smpl.c,
      engines/e_ubsec.c: check return values.
    - http://cvs.openssl.org/chngview?cn=18936
    - http://cvs.openssl.org/chngview?cn=19309
    - CVE-2009-3245
  * SECURITY UPDATE: denial of service and possible code execution via
    crafted private key with an invalid prime.
    - ssl/s3_clnt.c: set bn_ctx to NULL after freeing it.
    - http://<email address hidden>/msg28049.html
    - CVE-2010-2939
 -- Marc Deslauriers <email address hidden> Wed, 06 Oct 2010 17:50:37 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 0.9.8g-4ubuntu3.11

---------------
openssl (0.9.8g-4ubuntu3.11) hardy-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    unchecked bn_wexpand return values. (LP: #655884)
    - crypto/bn/{bn_mul,bn_div,bn_gf2m}.c, crypto/ec/ec2_smpl.c,
      engines/e_ubsec.c: check return values.
    - http://cvs.openssl.org/chngview?cn=18936
    - http://cvs.openssl.org/chngview?cn=19309
    - CVE-2009-3245
  * SECURITY UPDATE: denial of service and possible code execution via
    crafted private key with an invalid prime.
    - ssl/s3_clnt.c: set bn_ctx to NULL after freeing it.
    - http://<email address hidden>/msg28049.html
    - CVE-2010-2939
 -- Marc Deslauriers <email address hidden> Wed, 06 Oct 2010 18:21:02 -0400

Changed in openssl (Ubuntu Hardy):
status: Confirmed → Fix Released
Changed in openssl (Ubuntu Jaunty):
status: Confirmed → Fix Released
Changed in openssl (Ubuntu Karmic):
status: Confirmed → Fix Released
Marc Deslauriers (mdeslaur) wrote :

This has also been released for Dapper and Maverick. Closing this bug.

Changed in openssl (Ubuntu):
status: Confirmed → Fix Released
Changed in openssl (Ubuntu Dapper):
status: Confirmed → Fix Released
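
The changelog entries above describe the CVE-2009-3245 fix as checking bn_wexpand return values. The following is an added example (not OpenSSL source and not part of this bug report) that shows the unchecked and checked caller on a toy bignum; toy_bn, toy_wexpand, toy_set_word, toy_set_word_unchecked and toy_fail_alloc are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TOY_MAX_WORDS (1 << 20)

/* Toy stand-in for a BIGNUM (hypothetical, not OpenSSL's struct). */
typedef struct { unsigned long *d; int top; int dmax; } toy_bn;

/* Constructed test hook: while nonzero, expansions fail as if out of memory. */
int toy_fail_alloc = 0;

/* Analogue of bn_wexpand: returns bn with room for `words` words,
 * or NULL on allocation failure, leaving bn unchanged. */
toy_bn *toy_wexpand(toy_bn *bn, int words) {
    if (words <= bn->dmax) return bn;
    if (toy_fail_alloc) return NULL;
    unsigned long *p = realloc(bn->d, (size_t)words * sizeof *p);
    if (p == NULL) return NULL;
    memset(p + bn->dmax, 0, (size_t)(words - bn->dmax) * sizeof *p);
    bn->d = p;
    bn->dmax = words;
    return bn;
}

/* Pre-fix shape: the result is ignored, so after a failed expansion the
 * store lands outside the buffer (or through a NULL pointer). */
void toy_set_word_unchecked(toy_bn *bn, int i, unsigned long w) {
    toy_wexpand(bn, i + 1);   /* return value ignored */
    bn->d[i] = w;             /* invalid write if the expansion failed */
}

/* Post-fix shape: report the error before touching bn->d. */
int toy_set_word(toy_bn *bn, int i, unsigned long w) {
    if (i < 0 || i >= TOY_MAX_WORDS || toy_wexpand(bn, i + 1) == NULL) return 0;
    bn->d[i] = w;
    if (bn->top < i + 1) bn->top = i + 1;
    return 1;
}

int main(void) {
    toy_bn bn = {NULL, 0, 0};
    int first = toy_set_word(&bn, 3, 7);     /* grows to 4 words */
    toy_fail_alloc = 1;                      /* simulate out-of-memory */
    int second = toy_set_word(&bn, 10, 9);   /* must report failure */
    printf("first=%d second=%d dmax=%d top=%d\n", first, second, bn.dmax, bn.top);
    free(bn.d);
    return 0;
}
```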