USN-620-1: OpenSSL vulnerabilities

26 June 2008

openssl vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 8.04 LTS

Software Description

  • openssl

Details

It was discovered that OpenSSL was vulnerable to a double-free when using TLS server extensions. A remote attacker could send a crafted packet and cause a denial of service via application crash in applications linked against OpenSSL. Ubuntu 8.04 LTS does not compile TLS server extensions by default. (CVE-2008-0891)

It was discovered that OpenSSL could dereference a NULL pointer. If a user or automated system were tricked into connecting to a malicious server with particular cipher suites, a remote attacker could cause a denial of service via application crash. (CVE-2008-1672)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 8.04 LTS
libssl0.9.8 - 0.9.8g-4ubuntu3.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system upgrade you need to reboot your computer to effect the necessary changes.

References