USN-620-1: OpenSSL vulnerabilities

26 June 2008

Releases

Packages

  • openssl -

Details

It was discovered that OpenSSL was vulnerable to a double-free
when using TLS server extensions. A remote attacker could send a
crafted packet and cause a denial of service via application crash
in applications linked against OpenSSL. Ubuntu 8.04 LTS does not
compile TLS server extensions by default. (CVE-2008-0891)

It was discovered that OpenSSL could dereference a NULL pointer.
If a user or automated system were tricked into connecting to a
malicious server with particular cipher suites, a remote attacker
could cause a denial of service via application crash.
(CVE-2008-1672)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 8.04

After a standard system upgrade, you need to reboot your computer to
effect the necessary changes.