Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

USN-6709-1: OpenSSL vulnerabilities

21 March 2024

Several security issues were fixed in OpenSSL.

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Releases

Packages

  • openssl1.0 - Secure Socket Layer (SSL) cryptographic library and tools

Details

It was discovered that checking excessively long DH keys or parameters
may be very slow. A remote attacker could possibly use this issue to
cause OpenSSL to consume resources, resulting in a denial of service.
(CVE-2023-3446)

After the fix for CVE-2023-3446 Bernd Edlinger discovered that a large
q parameter value can also trigger an overly long computation during
some of these checks. A remote attacker could possibly use this issue
to cause OpenSSL to consume resources, resulting in a denial of
service. (CVE-2023-3817)

David Benjamin discovered that generating excessively long X9.42 DH
keys or checking excessively long X9.42 DH keys or parameters may be
very slow. A remote attacker could possibly use this issue to cause
OpenSSL to consume resources, resulting in a denial of service.
(CVE-2023-5678)

Bahaa Naamneh discovered that processing a maliciously formatted
PKCS12 file may lead OpenSSL to crash leading to a potential Denial of
Service attack. (CVE-2024-0727)

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04

After a standard system update you need to reboot your computer to make
all the necessary changes.

Related notices

  • USN-6622-1: libssl3, libssl-doc, openssl, libssl1.1, libssl-dev
  • USN-6632-1: libssl1.0.0, libssl-doc, openssl, libssl1.1, libssl-dev
  • USN-7018-1: libssl1.0.0, libssl-doc, openssl, libssl-dev
  • USN-6435-1: libssl1.0.0, libssl-doc, openssl, libssl1.1, libssl-dev
  • USN-6450-1: libssl3, libssl-doc, openssl, libssl-dev
  • USN-6435-2: libssl1.1, libssl-doc, openssl, libssl-dev