USN-2459-1: OpenSSL vulnerabilities

Ubuntu Security Notice USN-2459-1

12th January, 2015

openssl vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

Several security issues were fixed in OpenSSL.

Software description

  • openssl
    – Secure Socket Layer (SSL) cryptographic library and tools

Details

Pieter Wuille discovered that OpenSSL incorrectly handled Bignum squaring.
(CVE-2014-3570)

Markus Stenberg discovered that OpenSSL incorrectly handled certain crafted
DTLS messages. A remote attacker could use this issue to cause OpenSSL to
crash, resulting in a denial of service. (CVE-2014-3571)

Karthikeyan Bhargavan discovered that OpenSSL incorrectly handled certain
handshakes. A remote attacker could possibly use this issue to downgrade to
ECDH, removing forward secrecy from the ciphersuite. (CVE-2014-3572)

Antti Karjalainen, Tuomo Untinen and Konrad Kraszewski discovered that
OpenSSL incorrectly handled certain certificate fingerprints. A remote
attacker could possibly use this issue to trick certain applications that
rely on the uniqueness of fingerprints. (CVE-2014-8275)

Karthikeyan Bhargavan discovered that OpenSSL incorrectly handled certain
key exchanges. A remote attacker could possibly use this issue to downgrade
the security of the session to EXPORT_RSA. (CVE-2015-0204)

Karthikeyan Bhargavan discovered that OpenSSL incorrectly handled client
authentication. A remote attacker could possibly use this issue to
authenticate without the use of a private key in certain limited scenarios.
This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2015-0205)

Chris Mueller discovered that OpenSSL incorrectly handled memory when
processing DTLS records. A remote attacker could use this issue to cause
OpenSSL to consume resources, resulting in a denial of service. This issue
only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 14.10.
(CVE-2015-0206)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
  libssl1.0.0 1.0.1f-1ubuntu9.1
Ubuntu 14.04 LTS:
  libssl1.0.0 1.0.1f-1ubuntu2.8
Ubuntu 12.04 LTS:
  libssl1.0.0 1.0.1-4ubuntu5.21
Ubuntu 10.04 LTS:
  libssl0.9.8 0.9.8k-7ubuntu8.23

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275,
CVE-2015-0204, CVE-2015-0205, CVE-2015-0206

USN-2461-3: PyYAML vulnerability

Ubuntu Security Notice USN-2461-3

12th January, 2015

pyyaml vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Applications using PyYAML could be made to crash if they received
specially crafted input.

Software description

  • pyyaml
    – YAML parser and emitter for Python

Details

Stanisław Pitucha and Jonathan Gray discovered that PyYAML did not
properly handle wrapped strings. An attacker could create specially
crafted YAML data to trigger an assert, causing a denial of service.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
  python-yaml 3.11-1ubuntu0.1
  python3-yaml 3.11-1ubuntu0.1
Ubuntu 14.04 LTS:
  python-yaml 3.10-4ubuntu0.1
  python3-yaml 3.10-4ubuntu0.1
Ubuntu 12.04 LTS:
  python-yaml 3.10-2ubuntu0.1
  python3-yaml 3.10-2ubuntu0.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart applications using
PyYAML to make all the necessary changes.

References

CVE-2014-9130

USN-2461-1: LibYAML vulnerability

Ubuntu Security Notice USN-2461-1

12th January, 2015

libyaml vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Applications using LibYAML could be made to crash if they received
specially crafted input.

Software description

  • libyaml
    – Fast YAML 1.1 parser and emitter library

Details

Stanisław Pitucha and Jonathan Gray discovered that LibYAML did not
properly handle wrapped strings. An attacker could create specially
crafted YAML data to trigger an assert, causing a denial of service.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
  libyaml-0-2 0.1.6-1ubuntu0.1
Ubuntu 14.04 LTS:
  libyaml-0-2 0.1.4-3ubuntu3.1
Ubuntu 12.04 LTS:
  libyaml-0-2 0.1.4-2ubuntu0.12.04.4

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart applications using
LibYAML to make all the necessary changes.

References

CVE-2014-9130

USN-2461-2: libyaml-libyaml-perl vulnerability

Ubuntu Security Notice USN-2461-2

12th January, 2015

libyaml-libyaml-perl vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Applications using libyaml-libyaml-perl could be made to crash if
they received specially crafted input.

Software description

  • libyaml-libyaml-perl
    – Perl interface to libyaml, a YAML implementation

Details

Stanisław Pitucha and Jonathan Gray discovered that
libyaml-libyaml-perl did not properly handle wrapped strings. An
attacker could create specially crafted YAML data to trigger an assert,
causing a denial of service.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
  libyaml-libyaml-perl 0.41-5ubuntu0.14.10.1
Ubuntu 14.04 LTS:
  libyaml-libyaml-perl 0.41-5ubuntu0.14.04.1
Ubuntu 12.04 LTS:
  libyaml-libyaml-perl 0.38-2ubuntu0.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart applications using
libyaml-libyaml-perl to make all the necessary changes.

References

CVE-2014-9130

MS14-080 CVE-2014-6365 Technical Details Without "Nonsense"

Posted by Diéyǔ on Jan 13

Origin:
Visit https://technet.microsoft.com/library/security/ms14-080
Go to “Acknowledgments” part and search for “CVE-2014-6365”
It says “Dieyu” – that’s me.

Technical Details:
“Internet Explorer XSS Filter Bypass Vulnerability” is done by…
1. Inject “a href” link into target page.
(Not script, allowed by filter)
2. User clicks this injected link.
(Clickjacking etc)
3. URL of this…

Re: McAfee ePolicy Orchestrator Authenticated XXE and Credential Exposure

Posted by Tim on Jan 13

Hi Brandon,

Yes, you should. For those out there who don’t routinely find
vulnerabilities, it is hard for them to understand that these issues
aren’t hard to find if you know what you’re looking for. Quite a few
bugs I’ve found in the past have been found by others independently
and published before I got around to it. It happens a LOT more than
people think.

Also, I think companies that sell security software should be…
