[Bug 1915913] Re: OpenSSL Multiple Denial of Service Vulnerabilities
Marc Deslauriers
1915913 at bugs.launchpad.net
Tue Mar 9 12:02:23 UTC 2021
Updates for this issue have been released:
https://ubuntu.com/security/notices/USN-4738-1
** Changed in: openssl (Ubuntu)
Status: New => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1915913
Title:
OpenSSL Multiple Denial of Service Vulnerabilities
Status in openssl package in Ubuntu:
Fix Released
Bug description:
Multiple vulnerabilities have been reported in OpenSSL, which can be
exploited by malicious people to cause a DoS (Denial of Service).
1. An error related to the "X509_issuer_and_serial_hash()" function
(crypto/x509/x509_cmp.c) can be exploited to trigger a NULL pointer
dereference and subsequently cause a crash.
2. An integer overflow error related to CipherUpdate calls can be
exploited to cause a crash.
The vulnerabilities are reported in versions prior to 1.1.1j and prior
to 1.0.2y.
Affected Software
The following software is affected by the described vulnerability.
Please check the vendor links below to see if exactly your version is
affected.
OpenSSL 1.x
Solution
Update to version 1.1.1j or 1.0.2y.
References
1. https://www.openssl.org/news/secadv/20210216.txt
2. https://github.com/openssl/openssl/commit/8130d654d1de922ea224fa18ee3bc7262edc39c0
3. https://github.com/openssl/openssl/commit/c9fb704cf3af5524eb8e79961e31b60eee8c3c47
Please provide an update.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1915913/+subscriptions