USN-1003-1: OpenSSL vulnerabilities

07 October 2010

Releases

Packages

  • openssl -

Details

It was discovered that OpenSSL incorrectly handled return codes from the
bn_wexpand function calls. A remote attacker could trigger this flaw in
services that used SSL to cause a denial of service or possibly execute
arbitrary code with application privileges. This issue only affected Ubuntu
6.06 LTS, 8.04 LTS, 9.04 and 9.10. (CVE-2009-3245)

It was discovered that OpenSSL incorrectly handled certain private keys
with an invalid prime. A remote attacker could trigger this flaw in
services that used SSL to cause a denial of service or possibly execute
arbitrary code with application privileges. The default compiler options
for affected releases should reduce the vulnerability to a denial of
service. (CVE-2010-2939)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 9.10
Ubuntu 9.04
Ubuntu 8.04
Ubuntu 6.06
Ubuntu 10.10
Ubuntu 10.04

After a standard system update you need to reboot your computer to make all
the necessary changes.