[Bug 1915913] Re: OpenSSL Multiple Denial of Service Vulnerabilities

[Seth Arnold]

Hello, there are untested packages in https://launchpad.net/~ubuntu-
security-proposed/+archive/ubuntu/ppa/+packages in case you wish to test
them in your environment.

Thanks

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1915913

Title:
  OpenSSL Multiple Denial of Service Vulnerabilities

Status in openssl package in Ubuntu:
  New

Bug description:
  Multiple vulnerabilities have been reported in OpenSSL, which can be
  exploited by malicious people to cause a DoS (Denial of Service).

  1

  An error related to the "X509_issuer_and_serial_hash()" function
  (crypto/x509/x509_cmp.c) can be exploited to trigger a NULL pointer
  dereference and subsequently cause a crash.

  2

  An integer overflow error related to CipherUpdate calls can be
  exploited to cause a crash.

  The vulnerabilities are reported in versions prior to 1.1.1j and prior
  to 1.0.2y.

  Affected Software

  The following software is affected by the described vulnerability.
  Please check the vendor links below to see if exactly your version is
  affected.

  OpenSSL 1.x

  Solution

  Update to version 1.1.1j or 1.0.2y.

  References

  1. https://www.openssl.org/news/secadv/20210216.txt <https://www.openssl.org/news/secadv/20210216.txt>
  2. https://github.com/openssl/openssl/commit/8130d654d1de922ea224fa18ee3bc7262edc39c0 <https://github.com/openssl/openssl/commit/8130d654d1de922ea224fa18ee3bc7262edc39c0>
  3. https://github.com/openssl/openssl/commit/c9fb704cf3af5524eb8e79961e31b60eee8c3c47 <https://github.com/openssl/openssl/commit/c9fb704cf3af5524eb8e79961e31b60eee8c3c47>

  
  Please provide an update.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1915913/+subscriptions