USN-2959-1: OpenSSL vulnerabilities

Ubuntu Security Notice USN-2959-1

3rd May, 2016

openssl vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.04 LTS
  • Ubuntu 15.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in OpenSSL.

Software description

  • openssl
    – Secure Socket Layer (SSL) cryptographic library and tools

Details

Huzaifa Sidhpurwala, Hanno Böck, and David Benjamin discovered that OpenSSL
incorrectly handled memory when decoding ASN.1 structures. A remote
attacker could use this issue to cause OpenSSL to crash, resulting in a
denial of service, or possibly execute arbitrary code. (CVE-2016-2108)

Juraj Somorovsky discovered that OpenSSL incorrectly performed padding when
the connection uses the AES CBC cipher and the server supports AES-NI. A
remote attacker could possibly use this issue to perform a padding oracle
attack and decrypt traffic. (CVE-2016-2107)

Guido Vranken discovered that OpenSSL incorrectly handled large amounts of
input data to the EVP_EncodeUpdate() function. A remote attacker could use
this issue to cause OpenSSL to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2016-2105)

Guido Vranken discovered that OpenSSL incorrectly handled large amounts of
input data to the EVP_EncryptUpdate() function. A remote attacker could use
this issue to cause OpenSSL to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2016-2106)

Brian Carpenter discovered that OpenSSL incorrectly handled memory when
ASN.1 data is read from a BIO. A remote attacker could possibly use this
issue to cause memory consumption, resulting in a denial of service.
(CVE-2016-2109)

As a security improvement, this update also modifies OpenSSL behaviour to
reject DH key sizes below 1024 bits, preventing a possible downgrade
attack.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:
libssl1.0.0

1.0.2g-1ubuntu4.1
Ubuntu 15.10:
libssl1.0.0

1.0.2d-0ubuntu1.5
Ubuntu 14.04 LTS:
libssl1.0.0

1.0.1f-1ubuntu2.19
Ubuntu 12.04 LTS:
libssl1.0.0

1.0.1-4ubuntu5.36

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2016-2105,

CVE-2016-2106,

CVE-2016-2107,

CVE-2016-2108,

CVE-2016-2109

CEBA-2016:0713 CentOS 6 initscripts BugFix Update

CentOS Errata and Bugfix Advisory 2016:0713 

Upstream details at : https://rhn.redhat.com/errata/RHBA-2016-0713.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 

i386:
65ed46aeaddec92e92bbb9501164ef3800bb88ba16f3309a36e324a114b49d34  debugmode-9.03.49-1.el6.centos.5.i686.rpm
f6efaf9160b02c157c0d72a6b9b44a306b17a0ee5c920733491abe54344b9d0e  initscripts-9.03.49-1.el6.centos.5.i686.rpm

x86_64:
505383d600b993ac8986f0557ba28ef65dc12b6e738e7fa5fb55cf5bdce966a2  debugmode-9.03.49-1.el6.centos.5.x86_64.rpm
74007651137890193f328fc113fc1fb79fdf6985fddce5a5d0232fb0efaeffd3  initscripts-9.03.49-1.el6.centos.5.x86_64.rpm

Source:
f6b1847129f1030e550ab1213f2113eb6bb172be943697da3fc7bfeefb198ab1  initscripts-9.03.49-1.el6.centos.5.src.rpm



CEBA-2016:0714 CentOS 6 mod_nss BugFix Update

CentOS Errata and Bugfix Advisory 2016:0714 

Upstream details at : https://rhn.redhat.com/errata/RHBA-2016-0714.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 

i386:
6721dd9ce9edab03f763b556b9efe1f2b88bb98c587f7ea5326bc6f160f9e945  mod_nss-1.0.10-2.el6_7.i686.rpm

x86_64:
9004453c2296db298f12473fa2b395daa60eee6cc90936a435f7cc78eac6fc99  mod_nss-1.0.10-2.el6_7.x86_64.rpm

Source:
aa71f2f7677c51de96b83855ee697f847a002598bd86a392ca2df78cf7edc704  mod_nss-1.0.10-2.el6_7.src.rpm



OpenSSL Releases Security Updates

Original release date: May 03, 2016

OpenSSL has released security updates to address vulnerabilities in previous versions. Exploitation of one of these vulnerabilities may allow a remote attacker to take control of an affected system.

Available updates include:

  • OpenSSL 1.0.2h  for 1.0.2 users
  • OpenSSL 1.0.1t  for 1.0.1 users

US-CERT encourages users and administrators to review the OpenSSL Security Advisory page and apply the necessary updates.


This product is provided subject to this Notification and this Privacy & Use policy.