USN-5051-1: OpenSSL vulnerabilities

Releases

• Ubuntu 21.04
• Ubuntu 20.04 LTS
• Ubuntu 18.04 ESM

Packages

• openssl - Secure Socket Layer (SSL) cryptographic library and tools

Details

John Ouyang discovered that OpenSSL incorrectly handled decrypting SM2
data. A remote attacker could use this issue to cause applications using
OpenSSL to crash, resulting in a denial of service, or possibly change
application behaviour. (CVE-2021-3711)

Ingo Schwarze discovered that OpenSSL incorrectly handled certain ASN.1
strings. A remote attacker could use this issue to cause OpenSSL to crash,
resulting in a denial of service, or possibly obtain sensitive information.
(CVE-2021-3712)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 21.04

• libssl1.1 - 1.1.1j-1ubuntu3.5

Ubuntu 20.04

• libssl1.1 - 1.1.1f-1ubuntu2.8

Ubuntu 18.04

• libssl1.1 - 1.1.1-1ubuntu2.1~18.04.13

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

• CVE-2021-3711
• CVE-2021-3712

Related notices

• USN-5051-2: libssl1.0.0, libssl-dev, openssl, libssl-doc
• USN-5051-3: libssl1.0.0, openssl1.0, libssl1.0-dev
• USN-5088-1: qemu-efi, edk2, qemu-efi-arm, qemu-efi-aarch64, ovmf, ovmf-ia32