ESB-2017.2838 - [Ubuntu] libssl1.0.0: Multiple vulnerabilities 2017-11-07


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2838
                          OpenSSL vulnerabilities
                              7 November 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libssl1.0.0
Publisher:         Ubuntu
Operating System:  Ubuntu
Impact/Access:     Access Confidential Data       -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-3736 CVE-2017-3735 

Reference:         ESB-2017.2822

Original Bulletin: 
   http://www.ubuntu.com/usn/usn-3475-1

--------------------------BEGIN INCLUDED TEXT--------------------

==========================================================================
Ubuntu Security Notice USN-3475-1
November 06, 2017

openssl vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.10
- Ubuntu 17.04
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in OpenSSL.

Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools

Details:

It was discovered that OpenSSL incorrectly parsed the IPAddressFamily
extension in X.509 certificates, resulting in an erroneous display of the
certificate in text format. (CVE-2017-3735)

It was discovered that OpenSSL incorrectly performed the x86_64 Montgomery
squaring procedure. While unlikely, a remote attacker could possibly use
this issue to recover private keys. This issue only applied to Ubuntu 16.04
LTS, Ubuntu 16.10 and Ubuntu 17.04. (CVE-2017-3736)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.10:
  libssl1.0.0                     1.0.2g-1ubuntu13.2

Ubuntu 17.04:
  libssl1.0.0                     1.0.2g-1ubuntu11.3

Ubuntu 16.04 LTS:
  libssl1.0.0                     1.0.2g-1ubuntu4.9

Ubuntu 14.04 LTS:
  libssl1.0.0                     1.0.1f-1ubuntu2.23

After a standard system update you need to reboot your computer to make
all the necessary changes.
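As an added verification step (not part of the Ubuntu notice or of AusCERT's bulletin), the following Python script checks whether the installed libssl1.0.0 package is at or above the fixed version listed above for the running release. It assumes a Debian-style host with dpkg-query and /etc/os-release; the version ordering is a hand-written implementation of the Debian policy comparison rules (epoch, upstream version, Debian revision, with alternating non-digit and numeric segments and '~' sorting before everything), not a call into dpkg, so the comparison itself can be exercised on any machine.

```python
"""Check an installed libssl1.0.0 against the fixed versions in USN-3475-1.

Added example, not Ubuntu's or AusCERT's code. The version table below is
copied from the notice; everything else is this script's own assumption.
"""
import re
import subprocess

# Fixed versions named in USN-3475-1, keyed by VERSION_ID from /etc/os-release.
FIXED_VERSIONS = {
    "17.10": "1.0.2g-1ubuntu13.2",
    "17.04": "1.0.2g-1ubuntu11.3",
    "16.04": "1.0.2g-1ubuntu4.9",
    "14.04": "1.0.1f-1ubuntu2.23",
}


def _order(c):
    """Debian ordering for non-digit characters: '~' before end-of-string,
    end-of-string before letters, letters before every other character."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Compare an upstream_version or debian_revision pair (-1, 0 or 1)."""
    while a or b:
        # Non-digit prefixes are compared character by character.
        na = re.match(r"[^0-9]*", a).group(0)
        nb = re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            oa = _order(na[i] if i < len(na) else "")
            ob = _order(nb[i] if i < len(nb) else "")
            if oa != ob:
                return -1 if oa < ob else 1
        # Digit prefixes are compared numerically (so 4.10 > 4.9).
        da = re.match(r"[0-9]*", a).group(0)
        db = re.match(r"[0-9]*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def parse_version(v):
    """Split 'epoch:upstream-revision' into its three parts."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to, or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def is_patched(release, installed):
    """True when the installed version meets the USN-3475-1 fix for the release."""
    fixed = FIXED_VERSIONS.get(release)
    if fixed is None:
        raise KeyError("release %s is not covered by USN-3475-1" % release)
    return compare_versions(installed, fixed) >= 0


def installed_version(package="libssl1.0.0"):
    """Ask dpkg for the installed package version (assumes a Debian-style host)."""
    out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", package],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


def current_release(path="/etc/os-release"):
    """Read VERSION_ID (e.g. '16.04') from os-release."""
    with open(path) as fh:
        for line in fh:
            if line.startswith("VERSION_ID="):
                return line.split("=", 1)[1].strip().strip('"')
    raise RuntimeError("VERSION_ID not found in %s" % path)


if __name__ == "__main__":
    release, version = current_release(), installed_version()
    state = "patched" if is_patched(release, version) else "VULNERABLE"
    print("Ubuntu %s: libssl1.0.0 %s is %s (fix: %s)"
          % (release, version, state, FIXED_VERSIONS[release]))
```

Note that a package version that merely looks larger as a string is not enough: the comparison above treats `1ubuntu4.10` as newer than `1ubuntu4.9`, which a plain string compare gets wrong, and it honours epochs and `~` pre-release suffixes the same way dpkg does.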

References:
  https://www.ubuntu.com/usn/usn-3475-1
  CVE-2017-3735, CVE-2017-3736

Package Information:
  https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu13.2
  https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu11.3
  https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu4.9
  https://launchpad.net/ubuntu/+source/openssl/1.0.1f-1ubuntu2.23

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
