*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Seth Arnold (seth-arnold):

Multiple vulnerabilities have been reported in OpenSSL, which can be
exploited by malicious people to cause a DoS (Denial of Service).

1. An error related to the "X509_issuer_and_serial_hash()" function
   (crypto/x509/x509_cmp.c) can be exploited to trigger a NULL pointer
   dereference and subsequently cause a crash.

2. An integer overflow error related to CipherUpdate calls can be exploited
   to cause a crash.

The vulnerabilities are reported in versions prior to 1.1.1j and prior
to 1.0.2y.

Affected Software

The following software is affected by the described vulnerability.
Please check the vendor links below to see if exactly your version is
affected.

OpenSSL 1.x

Solution

Update to version 1.1.1j or 1.0.2y.

References

1. https://www.openssl.org/news/secadv/20210216.txt
2. https://github.com/openssl/openssl/commit/8130d654d1de922ea224fa18ee3bc7262edc39c0
3. https://github.com/openssl/openssl/commit/c9fb704cf3af5524eb8e79961e31b60eee8c3c47


Please provide an update.

** Affects: openssl (Ubuntu)
     Importance: Undecided
         Status: New

-- 
OpenSSL Multiple Denial of Service Vulnerabilities
https://bugs.launchpad.net/bugs/1915913
You received this bug notification because you are a member of Ubuntu Bugs, 
which is subscribed to the bug report.

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
