Ubuntu Security Notice USN-1424-1
19th April, 2012
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS
An application using OpenSSL could be made to crash or run programs if it opened a specially crafted file.
- openssl - Secure Socket Layer (SSL) cryptographic library and tools
It was discovered that OpenSSL could be made to dereference a NULL pointer
when processing S/MIME messages. A remote attacker could use this to cause
a denial of service. These issues did not affect Ubuntu 8.04 LTS.
Tavis Ormandy discovered that OpenSSL did not properly perform bounds
checking when processing DER data via BIO or FILE functions. A remote
attacker could trigger this flaw in services that used SSL to cause a
denial of service or possibly execute arbitrary code with application
The problem can be corrected by updating your system to the following package version:
- Ubuntu 11.10:
- libssl1.0.0 1.0.0e-2ubuntu4.4
- Ubuntu 11.04:
- libssl0.9.8 0.9.8o-5ubuntu1.4
- Ubuntu 10.04 LTS:
- libssl0.9.8 0.9.8k-7ubuntu8.10
- Ubuntu 8.04 LTS:
- libssl0.9.8 0.9.8g-4ubuntu3.17
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to reboot your computer to make
all the necessary changes.