CVE-2013-0169

Publication date 8 February 2013

Last updated 24 July 2024


Ubuntu priority

The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.


Status

Package     Ubuntu Release      Status
openjdk-6   14.04 LTS trusty    Fixed 6b27-1.12.3-1ubuntu1
openjdk-6   13.10 saucy         Fixed 6b27-1.12.3-1ubuntu1
openjdk-6   13.04 raring        Fixed 6b27-1.12.3-1ubuntu1
openjdk-6   12.10 quantal       Fixed 6b27-1.12.3-0ubuntu1~12.10
openjdk-6   12.04 LTS precise   Fixed 6b27-1.12.3-0ubuntu1~12.04
openjdk-6   11.10 oneiric       Fixed 6b27-1.12.3-0ubuntu1~11.10
openjdk-6   10.04 LTS lucid     Fixed 6b27-1.12.3-0ubuntu1~10.04
openjdk-6   8.04 LTS hardy      Fixed 6b27-1.12.3-0ubuntu1~08.04.1
openjdk-7   14.04 LTS trusty    Fixed 7u15-2.3.7-1ubuntu1
openjdk-7   13.10 saucy         Fixed 7u15-2.3.7-1ubuntu1
openjdk-7   13.04 raring        Fixed 7u15-2.3.7-1ubuntu1
openjdk-7   12.10 quantal       Fixed 7u15-2.3.7-0ubuntu1~12.10
openjdk-7   12.04 LTS precise   Fixed 7u15-2.3.7-0ubuntu1~12.04
openjdk-7   11.10 oneiric       Fixed 7u15-2.3.7-0ubuntu1~11.10
openjdk-7   10.04 LTS lucid     Not in release
openjdk-7   8.04 LTS hardy      Not in release
openssl     14.04 LTS trusty    Fixed 1.0.1c-4ubuntu8
openssl     13.10 saucy         Fixed 1.0.1c-4ubuntu8
openssl     13.04 raring        Fixed 1.0.1c-4ubuntu8
openssl     12.10 quantal       Fixed 1.0.1c-3ubuntu2.3
openssl     12.04 LTS precise   Fixed 1.0.1-4ubuntu5.8
openssl     11.10 oneiric       Fixed 1.0.0e-2ubuntu4.7
openssl     10.04 LTS lucid     Fixed 0.9.8k-7ubuntu8.14
openssl     8.04 LTS hardy      Fixed 0.9.8g-4ubuntu3.20
openssl098  14.04 LTS trusty    Fixed 0.9.8o-7ubuntu3.2.14.04.1
openssl098  13.10 saucy         Fixed 0.9.8o-7ubuntu3.2.13.10.1
openssl098  13.04 raring        Ignored (end of life)
openssl098  12.10 quantal       Ignored (end of life)
openssl098  12.04 LTS precise   Fixed 0.9.8o-7ubuntu3.2
openssl098  11.10 oneiric       Ignored (end of life)
openssl098  10.04 LTS lucid     Not in release
openssl098  8.04 LTS hardy      Not in release

Notes


jdstrand

1.0.1d has an incorrect fix. Use 1.0.1e:

mdeslaur

regression bug: http://rt.openssl.org/Ticket/Display.html?id=2975&user=guest&pass=guest
1.0.1e still contains another regression: http://rt.openssl.org/Ticket/Display.html?id=2984&user=guest&pass=guest
OpenSSL fix reverted by 1732-2 because of regression (see: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1133333) (see: http://rt.openssl.org/Ticket/Display.html?id=3002) (see: bugs.debian.org/cgi-bin/bugreport.cgi?bug=701868)

References

Related Ubuntu Security Notices (USN)

    • USN-1732-1: OpenSSL vulnerabilities (21 February 2013)
    • USN-1735-1: OpenJDK vulnerabilities (21 February 2013)

Other references