USN-339-1: OpenSSL vulnerability

5 September 2006

openssl vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 6.06 LTS
  • Ubuntu 5.10
  • Ubuntu 5.04

Software Description

Details

Philip Mackenzie, Marius Schilder, Jason Waddle and Ben Laurie of Google Security discovered that the OpenSSL library did not sufficiently check the padding of PKCS #1 v1.5 signatures if the exponent of the public key is 3 (which is widely used for CAs). This could be exploited to forge signatures without the need of the secret key.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 6.06 LTS
libssl0.9.8 - 0.9.8a-7ubuntu0.1
Ubuntu 5.10
libssl0.9.7 - 0.9.7g-1ubuntu1.2
Ubuntu 5.04
libssl0.9.7 - 0.9.7e-3ubuntu0.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system upgrade you need to reboot your computer to effect the necessary changes.

References