SSL 3.0 Protocol Vulnerability

Original release date: October 17, 2014

US-CERT is aware of a design vulnerability found in the way SSL 3.0 handles block cipher mode padding. Exploitation of this vulnerability may allow a remote attacker to decrypt and extract information from inside an encrypted transaction.

US-CERT recommends users and administrators review TA14-290A for additional information and apply any necessary updates to address this vulnerability.


USN-2385-1: OpenSSL vulnerabilities

Ubuntu Security Notice USN-2385-1

16th October, 2014

openssl vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

Several security issues were fixed in OpenSSL.

Software description

  • openssl
    – Secure Socket Layer (SSL) cryptographic library and tools

Details

It was discovered that OpenSSL incorrectly handled memory when parsing
DTLS SRTP extension data. A remote attacker could possibly use this issue
to cause OpenSSL to consume resources, resulting in a denial of service.
This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.
(CVE-2014-3513)

It was discovered that OpenSSL incorrectly handled memory when verifying
the integrity of a session ticket. A remote attacker could possibly use
this issue to cause OpenSSL to consume resources, resulting in a denial of
service. (CVE-2014-3567)

In addition, this update introduces support for the TLS Fallback Signaling
Cipher Suite Value (TLS_FALLBACK_SCSV). This new feature prevents protocol
downgrade attacks when certain applications such as web browsers attempt
to reconnect using a lower protocol version for interoperability reasons.
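The fallback rule this feature adds, shown as an added example that is not OpenSSL's or Ubuntu's code: a Python simulation of the RFC 7507 server-side TLS_FALLBACK_SCSV check together with a browser-style retry loop. The "interfering network" that drops handshakes above a given version is an assumption of the model, standing in for whatever forces the reconnect.

```python
# Added example (not OpenSSL's or Ubuntu's code): a simulation of the
# TLS_FALLBACK_SCSV rule from RFC 7507 that this update adds to OpenSSL.

# SSL/TLS protocol versions as (major, minor) as carried on the wire;
# tuple comparison gives the correct ordering.
SSL3_0, TLS1_0, TLS1_1, TLS1_2 = (3, 0), (3, 1), (3, 2), (3, 3)

# Signalling cipher suite value {0x56, 0x00} and alert number 86
# (inappropriate_fallback), both defined by RFC 7507.
TLS_FALLBACK_SCSV = 0x5600
INAPPROPRIATE_FALLBACK = 86
AES128_SHA = 0x002F  # TLS_RSA_WITH_AES_128_CBC_SHA, an ordinary suite


def server_process_client_hello(server_max, client_version, cipher_suites):
    """RFC 7507 section 3: if the ClientHello carries TLS_FALLBACK_SCSV and
    offers a version below the server's highest, abort with alert 86.
    Returns ("abort", alert) or ("continue", negotiated_version)."""
    if TLS_FALLBACK_SCSV in cipher_suites and client_version < server_max:
        return ("abort", INAPPROPRIATE_FALLBACK)
    return ("continue", min(client_version, server_max))


def browser_connect(server_max, dropped_above=None):
    """Simulate a browser's 'downgrade dance': retry with lower versions
    after a failed handshake, appending TLS_FALLBACK_SCSV on every retry.
    dropped_above models an assumed interfering network that drops any
    handshake offering a version above it (how a downgrade is forced).
    Returns ("ok", version), ("abort", alert) or ("failed",)."""
    for attempt, version in enumerate([TLS1_2, TLS1_1, TLS1_0, SSL3_0]):
        suites = [AES128_SHA]
        if attempt > 0:
            suites.append(TLS_FALLBACK_SCSV)  # signal that this is a fallback
        if dropped_above is not None and version > dropped_above:
            continue  # handshake never reaches the server; try the next version
        status, value = server_process_client_hello(server_max, version, suites)
        if status == "abort":
            return ("abort", value)
        return ("ok", value)
    return ("failed",)
```

The forced-downgrade case ends in an inappropriate_fallback alert rather than an SSL 3.0 session, while a server that genuinely tops out at TLS 1.0 still accepts a signalled fallback to TLS 1.0.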

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
  • libssl1.0.0 1.0.1f-1ubuntu2.7

Ubuntu 12.04 LTS:
  • libssl1.0.0 1.0.1-4ubuntu5.20

Ubuntu 10.04 LTS:
  • libssl0.9.8 0.9.8k-7ubuntu8.22

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all
the necessary changes.

References

CVE-2014-3513, CVE-2014-3567

USN-2386-1: OpenJDK 6 vulnerabilities

Ubuntu Security Notice USN-2386-1

16th October, 2014

openjdk-6 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

Several security issues were fixed in OpenJDK 6.

Software description

  • openjdk-6
    – Open Source Java implementation

Details

A vulnerability was discovered in the OpenJDK JRE related to information
disclosure and data integrity. An attacker could exploit this to expose
sensitive data over the network. (CVE-2014-6457)

Several vulnerabilities were discovered in the OpenJDK JRE related to data
integrity. (CVE-2014-6502, CVE-2014-6512, CVE-2014-6519, CVE-2014-6558)

Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure. An attacker could exploit these to expose sensitive
data over the network. (CVE-2014-6504, CVE-2014-6511, CVE-2014-6517,
CVE-2014-6531)

Two vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure, data integrity and availability. An attacker could
exploit these to cause a denial of service or expose sensitive data over
the network. (CVE-2014-6506, CVE-2014-6513)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
  • icedtea-6-jre-cacao 6b33-1.13.5-1ubuntu0.12.04
  • icedtea-6-jre-jamvm 6b33-1.13.5-1ubuntu0.12.04
  • openjdk-6-jre 6b33-1.13.5-1ubuntu0.12.04
  • openjdk-6-jre-headless 6b33-1.13.5-1ubuntu0.12.04
  • openjdk-6-jre-zero 6b33-1.13.5-1ubuntu0.12.04
  • openjdk-6-jre-lib 6b33-1.13.5-1ubuntu0.12.04

Ubuntu 10.04 LTS:
  • openjdk-6-jre-headless 6b33-1.13.5-1ubuntu0.10.04
  • openjdk-6-jre-lib 6b33-1.13.5-1ubuntu0.10.04
  • icedtea-6-jre-cacao 6b33-1.13.5-1ubuntu0.10.04
  • openjdk-6-jre 6b33-1.13.5-1ubuntu0.10.04
  • openjdk-6-jre-zero 6b33-1.13.5-1ubuntu0.10.04

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.

This update contains known regressions in the community supported JamVM
alternative Java Virtual Machine and a future update will correct these
issues. See https://launchpad.net/bugs/1382205 for details. We apologize
for the inconvenience.

References

CVE-2014-6457, CVE-2014-6502, CVE-2014-6504, CVE-2014-6506, CVE-2014-6511,
CVE-2014-6512, CVE-2014-6517, CVE-2014-6519, CVE-2014-6531, CVE-2014-6558,
LP: 1382205