Affects Ubuntu 15.10, 15.04, 14.04 LTS and 12.04 LTS

Dec 7, 2015 18:48 GMT

Today, December 7, 2015, Canonical's Marc Deslauriers published details about new security fixes for the OpenSSL packages in all supported Ubuntu Linux operating systems.

According to Ubuntu Security Notice USN-2830-1, there were five security flaws in the OpenSSL packages of the Ubuntu 15.10 (Wily Werewolf), Ubuntu 15.04 (Vivid Vervet), Ubuntu 14.04 LTS (Trusty Tahr), and Ubuntu 12.04 LTS (Precise Pangolin) OSes, as well as any of their official flavors and derivatives, including Kubuntu, Xubuntu, Lubuntu, Edubuntu, Ubuntu Studio, Ubuntu GNOME, Ubuntu Kylin, and Ubuntu MATE.

"A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.10, Ubuntu 15.04, Ubuntu 14.04 LTS, and Ubuntu 12.04 LTS," said Marc Deslauriers. "Several security issues were fixed in OpenSSL. Software Description: openssl: Secure Socket Layer (SSL) cryptographic library and tools. [...] The problem can be corrected by updating your system to the following package version."

Among the issues fixed in the OpenSSL libraries are incorrect handling of ServerKeyExchange for anonymous DH ciphersuites, allowing attackers to cause a denial of service; incorrect results from OpenSSL's Montgomery squaring procedure, allowing attackers to break the encryption; and incorrect handling of ASN.1 signatures with missing PSS parameters, allowing remote attackers to cause a denial of service.

All Ubuntu Linux users must update as soon as possible

Furthermore, these updates patch incorrect handling of malformed X509_ATTRIBUTE structures, which could allow remote attackers to cause a denial of service by making OpenSSL consume all available resources, and incorrect handling of PSK identity hints, which could allow remote attackers to cause a denial of service by crashing OpenSSL. Please note that the latter does not affect the Ubuntu 15.10 (Wily Werewolf) operating system and its derivatives.

Canonical urges all users of the Ubuntu Linux operating systems mentioned above to update their OpenSSL packages as soon as possible. Ubuntu 15.10 users need to update the OpenSSL packages to version libssl1.0.0 1.0.2d-0ubuntu1.2, Ubuntu 15.04 users to version libssl1.0.0 1.0.1f-1ubuntu11.5, Ubuntu 14.04 LTS users to version libssl1.0.0 1.0.1f-1ubuntu2.16, and Ubuntu 12.04 LTS users to version libssl1.0.0 1.0.1-4ubuntu5.32.