USN-204-1: SSL library vulnerability
14 October 2005
SSL library vulnerability
Releases
Details
Yutaka Oiwa discovered a possible cryptographic weakness in OpenSSL
applications. Applications using the OpenSSL library can use the
SSL_OP_MSIE_SSLV2_RSA_PADDING option (or SSL_OP_ALL, which implies the
former) to maintain compatibility with third party products, which is
achieved by working around known bugs in them.
The SSL_OP_MSIE_SSLV2_RSA_PADDING option disabled a verification step
in the SSL 2.0 server supposed to prevent active protocol-version
rollback attacks. With this verification step disabled, an attacker
acting as a "machine-in-the-middle" could force a client and a server to
negotiate the SSL 2.0 protocol even if these parties both supported
SSL 3.0 or TLS 1.0. The SSL 2.0 protocol is known to have severe
cryptographic weaknesses and is supported as a fallback only.
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 5.10
-
libssl0.9.7
-
Ubuntu 5.04
-
libssl0.9.7
-
Ubuntu 4.10
-
libssl0.9.7
-
In general, a standard system update will make all the necessary changes.