1. Ubuntu Security Notices
  2. USN-1428-1

USN-1428-1: OpenSSL vulnerability

Publication date

24 April 2012

Overview

An application using OpenSSL could be made to crash or run programs if it opened a specially crafted file.

Releases

Packages

  • openssl - Secure Socket Layer (SSL) cryptographic library and tools

Details

It was discovered that the fix for CVE-2012-2110 was incomplete for OpenSSL
0.9.8. A remote attacker could trigger this flaw in services that used SSL
to cause a denial of service or possibly execute arbitrary code with
application privileges. Ubuntu 11.10 was not affected by this issue.
(CVE-2012-2131)

The original upstream fix for CVE-2012-2110 would cause BUF_MEM_grow_clean()
to sometimes return the wrong error condition. This update fixes the
problem.

It was discovered that the fix for CVE-2012-2110 was incomplete for OpenSSL
0.9.8. A remote attacker could trigger this flaw in services that used SSL
to cause a denial of service or possibly execute arbitrary code with
application privileges. Ubuntu 11.10 was not affected by this issue.
(CVE-2012-2131)

The original upstream fix for CVE-2012-2110 would cause BUF_MEM_grow_clean()
to sometimes return the wrong error condition. This update fixes the
problem.

Update instructions

After a standard system update you need to reboot your computer to make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
8.04 hardy libssl0.9.8 –  0.9.8g-4ubuntu3.18
11.10 oneiric libssl1.0.0 –  1.0.0e-2ubuntu4.5
11.04 natty libssl0.9.8 –  0.9.8o-5ubuntu1.5
10.04 lucid libssl0.9.8 –  0.9.8k-7ubuntu8.11

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Get Ubuntu Pro

References

Have additional questions?

Talk to a member of the team ›