Your submission was sent successfully! Close

CVE-2019-1549

Published: 10 September 2019

OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).

Notes

AuthorNote
mdeslaur
only affected 1.1.1
Priority

Low

CVSS 3 base score: 5.3

Status

Package Release Status
edk2
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(code not present)
disco Not vulnerable
(code not present)
eoan Ignored
(reached end-of-life)
focal Not vulnerable
(0~20191122.bd85bf54-2)
groovy Not vulnerable
(0~20191122.bd85bf54-2)
hirsute Not vulnerable
(0~20191122.bd85bf54-2)
precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Not vulnerable
(code not present)
nodejs
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(uses system openssl1.0)
disco Not vulnerable
(uses system openssl1.1)
eoan Not vulnerable
(uses system openssl1.1)
focal Not vulnerable
(uses system openssl1.1)
groovy Not vulnerable
(uses system openssl1.1)
hirsute Not vulnerable
(uses system openssl1.1)
precise Does not exist

trusty Not vulnerable
(uses system openssl)
upstream Needs triage

xenial Not vulnerable
(uses system openssl)
openssl
Launchpad, Ubuntu, Debian
bionic
Released (1.1.1-1ubuntu2.1~18.04.6)
disco Ignored
(reached end-of-life)
eoan
Released (1.1.1c-1ubuntu4.1)
focal
Released (1.1.1d-2ubuntu1)
groovy
Released (1.1.1d-2ubuntu1)
hirsute
Released (1.1.1d-2ubuntu1)
precise Ignored
(end of ESM support, was needs-triage)
trusty Not vulnerable
(code not present)
upstream
Released (1.1.1d)
xenial Not vulnerable
(code not present)
Patches:
upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be
openssl1.0
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(code not present)
disco Does not exist

eoan Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist