First published: Tue Jan 31 2017
Guido Vranken discovered that OpenSSL used undefined behaviour when performing pointer arithmetic. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS as other releases were fixed in a previous security update. (CVE-2016-2177)

It was discovered that OpenSSL did not properly handle Montgomery multiplication, resulting in incorrect results leading to transient failures. This issue only applied to Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2016-7055)

It was discovered that OpenSSL did not properly use constant-time operations when performing ECDSA P-256 signing. A remote attacker could possibly use this issue to perform a timing attack and recover private ECDSA keys. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-7056)

Shi Lei discovered that OpenSSL incorrectly handled certain warning alerts. A remote attacker could possibly use this issue to cause OpenSSL to stop responding, resulting in a denial of service. (CVE-2016-8610)

Robert Święcki discovered that OpenSSL incorrectly handled certain truncated packets. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2017-3731)

It was discovered that OpenSSL incorrectly performed the x86_64 Montgomery squaring procedure. While unlikely, a remote attacker could possibly use this issue to recover private keys. This issue only applied to Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2017-3732)

Affected Software | Ubuntu release | Affected Version | How to fix |
---|---|---|---|
ubuntu/libssl1.0.0 | 16.10 | <1.0.2g-1ubuntu9.1 | 1.0.2g-1ubuntu9.1 |
ubuntu/libssl1.0.0 | 16.04 | <1.0.2g-1ubuntu4.6 | 1.0.2g-1ubuntu4.6 |
ubuntu/libssl1.0.0 | 14.04 | <1.0.1f-1ubuntu2.22 | 1.0.1f-1ubuntu2.22 |
ubuntu/libssl1.0.0 | 12.04 | <1.0.1-4ubuntu5.39 | 1.0.1-4ubuntu5.39 |