CVE-2019-1549

Published: 10 September 2019

OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call, to ensure that the parent and child processes did not share the same RNG state. However, this protection was not being used in the default case. A partial mitigation for this issue is that the output of a high-precision timer is mixed into the RNG state, so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly with OPENSSL_INIT_ATFORK, this problem does not occur at all. Fixed in OpenSSL 1.1.1d (affected: 1.1.1 through 1.1.1c).
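The failure mode described above, as an added illustration that is not OpenSSL code: a constructed HMAC-based toy DRBG whose state is copied by fork() emits identical bytes in parent and child, while the same generator with a reseed-on-fork hook (playing the role OPENSSL_INIT_ATFORK plays in OpenSSL) diverges. Assumes a POSIX host where os.fork is available.

```python
import hashlib
import hmac
import os

class ToyDrbg:
    """Constructed HMAC-based generator (not OpenSSL's DRBG); its whole state,
    (key, counter), is copied into the child by fork()."""
    def __init__(self, seed: bytes) -> None:
        self.key = hashlib.sha256(seed).digest()
        self.counter = 0

    def generate(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self.counter += 1
            out += hmac.new(self.key, self.counter.to_bytes(8, "big"), "sha256").digest()
        # Ratchet the key so earlier output cannot be recomputed from later state.
        self.key = hmac.new(self.key, b"ratchet", "sha256").digest()
        return out[:n]

class ForkSafeDrbg(ToyDrbg):
    """Same generator plus an at-fork hook (the role OPENSSL_INIT_ATFORK plays):
    the child mixes fresh OS entropy into its state before it emits anything."""
    def __init__(self, seed: bytes) -> None:
        super().__init__(seed)
        os.register_at_fork(after_in_child=self._reseed)

    def _reseed(self) -> None:
        self.key = hashlib.sha256(self.key + os.urandom(32)).digest()

def parent_child_outputs_match(rng: ToyDrbg) -> bool:
    """Fork, draw 16 bytes in parent and child, report whether they are identical."""
    read_fd, write_fd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: send its bytes to the parent, then exit immediately
        os.close(read_fd)
        os.write(write_fd, rng.generate(16))
        os._exit(0)
    os.close(write_fd)
    child_bytes = os.read(read_fd, 16)
    os.close(read_fd)
    os.waitpid(pid, 0)
    return child_bytes == rng.generate(16)

if __name__ == "__main__":
    print("no fork guard, outputs match:", parent_child_outputs_match(ToyDrbg(b"seed")))
    print("at-fork reseed, outputs match:", parent_child_outputs_match(ForkSafeDrbg(b"seed")))
```

The first call reports True (shared state), the second False; the timer mixing the advisory mentions would only make the unguarded case less likely to match, not impossible.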

Priority

Low

CVSS 3 base score: 5.3

Status

Package release status

edk2
Upstream: Needs triage
Ubuntu 20.10 (Groovy Gorilla): Not vulnerable (0~20191122.bd85bf54-2)
Ubuntu 20.04 LTS (Focal Fossa): Not vulnerable (0~20191122.bd85bf54-2)
Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (code not present)
Ubuntu 16.04 LTS (Xenial Xerus): Not vulnerable (code not present)
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist

nodejs
Upstream: Needs triage
Ubuntu 20.10 (Groovy Gorilla): Not vulnerable (uses system openssl1.1)
Ubuntu 20.04 LTS (Focal Fossa): Not vulnerable (uses system openssl1.1)
Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (uses system openssl1.0)
Ubuntu 16.04 LTS (Xenial Xerus): Not vulnerable (uses system openssl)
Ubuntu 14.04 ESM (Trusty Tahr): Not vulnerable (uses system openssl)

openssl
Upstream: Released (1.1.1d)
Ubuntu 20.10 (Groovy Gorilla): Released (1.1.1d-2ubuntu1)
Ubuntu 20.04 LTS (Focal Fossa): Released (1.1.1d-2ubuntu1)
Ubuntu 18.04 LTS (Bionic Beaver): Released (1.1.1-1ubuntu2.1~18.04.6)
Ubuntu 16.04 LTS (Xenial Xerus): Not vulnerable (code not present)
Ubuntu 14.04 ESM (Trusty Tahr): Not vulnerable (code not present)
Patches:
Upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be

openssl1.0
Upstream: Needs triage
Ubuntu 20.10 (Groovy Gorilla): Does not exist
Ubuntu 20.04 LTS (Focal Fossa): Does not exist
Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (code not present)
Ubuntu 16.04 LTS (Xenial Xerus): Does not exist
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist