• OpenSSL vulnerabilities

    From bugz_ubuntu@21:4/110 to Ubuntu Users on Thursday, July 09, 2020 16:10:07
    openssl vulnerabilities

    A security issue affects these releases of Ubuntu and its
    derivatives:

    * Ubuntu 14.04 ESM
    * Ubuntu 12.04 ESM

    Summary

    Several security issues were fixed in OpenSSL.

    Software Description

    * openssl - Secure Socket Layer (SSL) cryptographic library and
    tools

    Details

    USN-4376-1 fixed several vulnerabilities in OpenSSL. This update
    provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu
    14.04 ESM.

    Original advisory details:

    Cesar Pereida García, Sohaib ul Hassan, Nicola Tuveri, Iaroslav
    Gridin, Alejandro Cabrera Aldaya, and Billy Brumley discovered
    that OpenSSL incorrectly handled ECDSA signatures. An attacker
    could possibly use this issue to perform a timing side-channel
    attack and recover private ECDSA keys. (CVE-2019-1547)

    Juraj Somorovsky, Robert Merget, and Nimrod Aviram discovered that
    certain applications incorrectly used OpenSSL and could be exposed
    to a padding oracle attack. A remote attacker could possibly use
    this issue to decrypt data. (CVE-2019-1559)

    Bernd Edlinger discovered that OpenSSL incorrectly handled certain
    decryption functions. In certain scenarios, a remote attacker
    could possibly use this issue to perform a padding oracle attack
    and decrypt traffic. (CVE-2019-1563)

    Update instructions

    The problem can be corrected by updating your system to the
    following package versions:

    Ubuntu 14.04 ESM
    libssl1.0.0 - 1.0.1f-1ubuntu2.27+esm1

    Ubuntu 12.04 ESM
    libssl1.0.0 - 1.0.1-4ubuntu5.44

    To update your system, please follow these instructions:
    https://wiki.ubuntu.com/Security/Upgrades.

    After a standard system update you need to reboot your computer to
    make all the necessary changes.

    References

    * USN-4376-1
    * CVE-2019-1547
    * CVE-2019-1559
    * CVE-2019-1563

    --- Mystic BBS v1.12 A45 (Linux/64)
    * Origin: BZ&BZ BBS (21:4/110)
  • From bugz_ubuntu@21:4/110 to Ubuntu Users on Wednesday, September 16, 2020 16:10:05
    openssl, openssl1.0 vulnerabilities

    A security issue affects these releases of Ubuntu and its
    derivatives:

    * Ubuntu 18.04 LTS
    * Ubuntu 16.04 LTS

    Summary

    Several security issues were fixed in OpenSSL.

    Software Description

    * openssl1.0 - Secure Socket Layer (SSL) cryptographic library
    and tools
    * openssl - Secure Socket Layer (SSL) cryptographic library and
    tools

    Details

    Robert Merget, Marcus Brinkmann, Nimrod Aviram, and Juraj
    Somorovsky discovered that certain Diffie-Hellman ciphersuites in
    the TLS specification and implemented by OpenSSL contained a flaw.
    A remote attacker could possibly use this issue to eavesdrop on
    encrypted communications. This was fixed in this update by
    removing the insecure ciphersuites from OpenSSL. (CVE-2020-1968)

    Cesar Pereida García, Sohaib ul Hassan, Nicola Tuveri, Iaroslav
    Gridin, Alejandro Cabrera Aldaya, and Billy Brumley discovered
    that OpenSSL incorrectly handled ECDSA signatures. An attacker
    could possibly use this issue to perform a timing side-channel
    attack and recover private ECDSA keys. This issue only affected
    Ubuntu 18.04 LTS. (CVE-2019-1547)

    Guido Vranken discovered that OpenSSL incorrectly performed the
    x86_64 Montgomery squaring procedure. While unlikely, a remote
    attacker could possibly use this issue to recover private keys.
    This issue only affected Ubuntu 18.04 LTS. (CVE-2019-1551)

    Bernd Edlinger discovered that OpenSSL incorrectly handled certain
    decryption functions. In certain scenarios, a remote attacker
    could possibly use this issue to perform a padding oracle attack
    and decrypt traffic. This issue only affected Ubuntu 18.04 LTS.
    (CVE-2019-1563)

    Update instructions

    The problem can be corrected by updating your system to the
    following package versions:

    Ubuntu 18.04 LTS
    libssl1.0.0 - 1.0.2n-1ubuntu5.4

    Ubuntu 16.04 LTS
    libssl1.0.0 - 1.0.2g-1ubuntu4.17

    To update your system, please follow these instructions:
    https://wiki.ubuntu.com/Security/Upgrades.

    After a standard system update you need to reboot your computer to
    make all the necessary changes.

    References

    * CVE-2019-1547
    * CVE-2019-1551
    * CVE-2019-1563
    * CVE-2020-1968

    --- Mystic BBS v1.12 A46 (Linux/64)
    * Origin: BZ&BZ BBS (21:4/110)