USN-1003-1: OpenSSL vulnerabilities

Releases

• Ubuntu 10.10
• Ubuntu 10.04
• Ubuntu 9.10
• Ubuntu 9.04
• Ubuntu 8.04
• Ubuntu 6.06

Packages

• openssl -

Details

It was discovered that OpenSSL incorrectly handled return codes from the
bn_wexpand function calls. A remote attacker could trigger this flaw in
services that used SSL to cause a denial of service or possibly execute
arbitrary code with application privileges. This issue only affected Ubuntu
6.06 LTS, 8.04 LTS, 9.04 and 9.10. (CVE-2009-3245)

It was discovered that OpenSSL incorrectly handled certain private keys
with an invalid prime. A remote attacker could trigger this flaw in
services that used SSL to cause a denial of service or possibly execute
arbitrary code with application privileges. The default compiler options
for affected releases should reduce the vulnerability to a denial of
service. (CVE-2010-2939)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 9.10

• libssl0.9.8 - 0.9.8g-16ubuntu3.3

Ubuntu 9.04

• libssl0.9.8 - 0.9.8g-15ubuntu3.6

Ubuntu 8.04

• libssl0.9.8 - 0.9.8g-4ubuntu3.11

Ubuntu 6.06

• libssl0.9.8 - 0.9.8a-7ubuntu0.13

Ubuntu 10.10

• libssl0.9.8 - 0.9.8o-1ubuntu4.1

Ubuntu 10.04

• libssl0.9.8 - 0.9.8k-7ubuntu8.3

After a standard system update you need to reboot your computer to make all
the necessary changes.

References

• CVE-2009-3245
• CVE-2010-2939