USN-3840-1: OpenSSL vulnerabilities

    Ubuntu Security Notices wrote:

    openssl, openssl1.0 vulnerabilities

    A security issue affects these releases of Ubuntu and its derivatives:

    • Ubuntu 18.10
    • Ubuntu 18.04 LTS
    • Ubuntu 16.04 LTS
    • Ubuntu 14.04 LTS

    Summary

    Several security issues were fixed in OpenSSL.

    Software Description

    • openssl - Secure Socket Layer (SSL) cryptographic library and tools
    • openssl1.0 - Secure Socket Layer (SSL) cryptographic library and tools

    Details

    Samuel Weiser discovered that OpenSSL incorrectly handled DSA signing. An attacker could possibly use this issue to perform a timing side-channel attack and recover private DSA keys. (CVE-2018-0734)

    Samuel Weiser discovered that OpenSSL incorrectly handled ECDSA signing. An attacker could possibly use this issue to perform a timing side-channel attack and recover private ECDSA keys. This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-0735)

    Billy Bob Brumley, Cesar Pereida Garcia, Sohaib ul Hassan, Nicola Tuveri, and Alejandro Cabrera Aldaya discovered that Simultaneous Multithreading (SMT) architectures are vulnerable to side-channel leakage. This issue is known as "PortSmash". An attacker could possibly use this issue to perform a timing side-channel attack and recover private keys. (CVE-2018-5407)

    Update instructions

    The problem can be corrected by updating your system to the following package versions:

    Ubuntu 18.10
    libssl1.0.0 - 1.0.2n-1ubuntu6.1
    libssl1.1 - 1.1.1-1ubuntu2.1
    Ubuntu 18.04 LTS
    libssl1.0.0 - 1.0.2n-1ubuntu5.2
    libssl1.1 - 1.1.0g-2ubuntu4.3
    Ubuntu 16.04 LTS
    libssl1.0.0 - 1.0.2g-1ubuntu4.14
    Ubuntu 14.04 LTS
    libssl1.0.0 - 1.0.1f-1ubuntu2.27

    To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

    After a standard system update you need to reboot your computer to make all the necessary changes.

    References

    Source: usn.ubuntu.com/3840-1/
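
The following script is an added example, not part of the notice: it checks installed libssl packages against the fixed versions listed under "Update instructions". The function names and the `check` argument are assumptions of this example, and it assumes a host with `dpkg` and `/etc/os-release`.

```shell
#!/bin/sh
# Added example. Fixed versions are copied from the USN-3840-1 table above;
# the function names are assumptions of this example.

# fixed_version RELEASE PACKAGE: print the fixed version from the notice,
# or return 1 when the notice lists no fix for that release/package pair.
fixed_version() {
    case "$1/$2" in
        18.10/libssl1.0.0) echo "1.0.2n-1ubuntu6.1" ;;
        18.10/libssl1.1)   echo "1.1.1-1ubuntu2.1" ;;
        18.04/libssl1.0.0) echo "1.0.2n-1ubuntu5.2" ;;
        18.04/libssl1.1)   echo "1.1.0g-2ubuntu4.3" ;;
        16.04/libssl1.0.0) echo "1.0.2g-1ubuntu4.14" ;;
        14.04/libssl1.0.0) echo "1.0.1f-1ubuntu2.27" ;;
        *) return 1 ;;
    esac
}

# status_for RELEASE PACKAGE INSTALLED_VERSION: compare with dpkg's own
# version ordering rather than a string comparison.
status_for() {
    fixed=$(fixed_version "$1" "$2") || { echo "not-listed"; return 0; }
    if dpkg --compare-versions "$3" ge "$fixed"; then
        echo "patched"
    else
        echo "vulnerable (needs >= $fixed)"
    fi
}

# check_host: report every installed libssl package on this machine.
check_host() {
    release=$(. /etc/os-release && echo "$VERSION_ID")
    for pkg in libssl1.0.0 libssl1.1; do
        # One line per installed architecture; nothing if the package is absent.
        dpkg-query -W -f='${Version}\n' "$pkg" 2>/dev/null | sort -u |
        while read -r installed; do
            [ -n "$installed" ] || continue
            echo "$pkg $installed: $(status_for "$release" "$pkg" "$installed")"
        done
    done
}

# Run the audit only when executed with the argument "check".
if [ "${1:-}" = "check" ]; then check_host; fi
```

A "patched" result describes the package on disk only; as the notice states, a reboot is still needed so that running processes stop using the old library.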