USN-2639-1

Description

openssl vulnerabilities Praveen Kariyanahalli, Ivan Fratric and Felix Groebert discovered that OpenSSL incorrectly handled memory when buffering DTLS data. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2014-8176) Joseph Barr-Pixton discovered that OpenSSL incorrectly handled malformed ECParameters structures. A remote attacker could use this issue to cause OpenSSL to hang, resulting in a denial of service. (CVE-2015-1788) Robert Swiecki and Hanno Böck discovered that OpenSSL incorrectly handled certain ASN1_TIME strings. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2015-1789) Michal Zalewski discovered that OpenSSL incorrectly handled missing content when parsing ASN.1-encoded PKCS#7 blobs. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2015-1790) Emilia Käsper discovered that OpenSSL incorrectly handled NewSessionTicket when being used by a multi-threaded client. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2015-1791) Johannes Bauer discovered that OpenSSL incorrectly handled verifying signedData messages using the CMS code. A remote attacker could use this issue to cause OpenSSL to hang, resulting in a denial of service. (CVE-2015-1792) As a security improvement, this update also modifies OpenSSL behaviour to reject DH key sizes below 768 bits, preventing a possible downgrade attack.

Affected Systems

• ubuntu•openssl

  < 1.0.1f-1ubuntu2.15

References (7)

• https://ubuntu.com/security/notices/USN-2639-1
• https://ubuntu.com/security/CVE-2014-8176
• https://ubuntu.com/security/CVE-2015-1788
• https://ubuntu.com/security/CVE-2015-1789
• https://ubuntu.com/security/CVE-2015-1790
• https://ubuntu.com/security/CVE-2015-1791
• https://ubuntu.com/security/CVE-2015-1792