[Bug 1921485] Re: Bosch CERT Advisory: OpenSSL Multiple Vulnerabilities

Steve Beattie 1921485 at bugs.launchpad.net
Wed Mar 31 03:43:18 UTC 2021 

This was addressed in https://ubuntu.com/security/notices/USN-4891-1 .

** Information type changed from Private Security to Public Security

** Changed in: openssl (Ubuntu)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1921485

Title:
  Bosch CERT Advisory: OpenSSL Multiple Vulnerabilities

Status in openssl package in Ubuntu:
  Fix Released

Bug description:
  Description

  Multiple vulnerabilities have been reported in OpenSSL, which can be
  exploited by malicious people to bypass certain security restrictions
  and cause a DoS (Denial of Service).

  1

  An error when validating CA certificates can be exploited to bypass
  certificate validation checks.

  Successful exploitation of the vulnerability #1 requires the
  X509_V_FLAG_X509_STRICT flag to be enabled (not enabled by default)
  and an application to either not set a purpose for certificate
  verification or override the default purpose.

  2

  A NULL-pointer deference error when handling renegotiation ClientHello
  messages can be exploited to crash the OpenSSL TLS server.

  Successful exploitation of the vulnerability #2 requires an OpenSSL
  server with TLSv1.2 and renegotiation enabled (enabled by default).

  The vulnerabilities are reported in versions prior to 1.1.1k.

  Affected Software

  The following software is affected by the described vulnerability.
  Please check the vendor links below to see if exactly your version is
  affected.

  OpenSSL 1.x

  Solution

  Update to version 1.1.1k.

  References

  1. https://www.openssl.org/news/vulnerabilities.html <https://www.openssl.org/news/vulnerabilities.html>
  2. https://www.openssl.org/news/secadv/20210325.txt <https://www.openssl.org/news/secadv/20210325.txt>

  
  Please provide a fix as soon as possible.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1921485/+subscriptions

More information about the foundations-bugs mailing list