Ubuntu Local Security Checks : Ubuntu USN-1029-1 (openssl)

Price/Feature Summary | Order | New Vulnerabilities | Confidentiality | Vulnerability Search

Vulnerability Search		Search 77617 CVE descriptions and 40605 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.68684

Category: Ubuntu Local Security Checks

Title: Ubuntu USN-1029-1 (openssl)

Summary: Ubuntu USN-1029-1 (openssl)

Description: The remote host is missing an update to openssl
announced via advisory USN-1029-1.

Details follow:

It was discovered that an old bug workaround in the SSL/TLS
server code allowed an attacker to modify the stored session cache
ciphersuite. This could possibly allow an attacker to downgrade the
ciphersuite to a weaker one on subsequent connections. (CVE-2010-4180)

It was discovered that an old bug workaround in the SSL/TLS server
code allowed allowed an attacker to modify the stored session cache
ciphersuite. An attacker could possibly take advantage of this to
force the use of a disabled cipher. This vulnerability only affects
the versions of OpenSSL in Ubuntu 6.06 LTS, Ubuntu 8.04 LTS, and
Ubuntu 9.10. (CVE-2008-7270)

Solution:
The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
libssl0.9.8 0.9.8a-7ubuntu0.14

Ubuntu 8.04 LTS:
libssl0.9.8 0.9.8g-4ubuntu3.13

Ubuntu 9.10:
libssl0.9.8 0.9.8g-16ubuntu3.5

Ubuntu 10.04 LTS:
libssl0.9.8 0.9.8k-7ubuntu8.5

Ubuntu 10.10:
libssl0.9.8 0.9.8o-1ubuntu4.3

After a standard system update you need to reboot your computer to make
all the necessary changes.

http://www.securityspace.com/smysecure/catid.html?in=USN-1029-1

Risk factor : Medium

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2008-7270
HPdes Security Advisory: HPSBHF02706
http://marc.info/?l=bugtraq&m=132077688910227&w=2
HPdes Security Advisory: SSRT100613
HPdes Security Advisory: HPSBMU02759
http://www.securityfocus.com/archive/1/522176
HPdes Security Advisory: SSRT100817
http://www.redhat.com/support/errata/RHSA-2010-0977.html
http://www.redhat.com/support/errata/RHSA-2010-0978.html
http://www.redhat.com/support/errata/RHSA-2011-0896.html
http://ubuntu.com/usn/usn-1029-1
BugTraq ID: 45254
http://www.securityfocus.com/bid/45254
http://secunia.com/advisories/42493
Common Vulnerability Exposure (CVE) ID: CVE-2010-4180
http://lists.apple.com/archives/security-announce/2011//Jun/msg00000.html
Debian Security Information: DSA-2141 (Google Search)
http://www.debian.org/security/2011/dsa-2141
http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052027.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052315.html
HPdes Security Advisory: HPSBMA02658
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02794777
HPdes Security Advisory: SSRT100413
http://www.mandriva.com/security/advisories?name=MDVSA-2010:248
http://www.redhat.com/support/errata/RHSA-2010-0979.html
http://slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.668471
SuSE Security Announcement: SUSE-SR:2011:001 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00003.html
SuSE Security Announcement: SUSE-SU-2011:0847 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00014.html
SuSE Security Announcement: openSUSE-SU-2011:0845 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00013.html
SuSE Security Announcement: SUSE-SR:2011:009 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2011-05/msg00005.html
CERT/CC vulnerability note: VU#737740
http://www.kb.cert.org/vuls/id/737740
BugTraq ID: 45164
http://www.securityfocus.com/bid/45164
http://osvdb.org/69565
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:18910
http://www.securitytracker.com/id?1024822
http://secunia.com/advisories/42473
http://secunia.com/advisories/42469
http://secunia.com/advisories/42571
http://secunia.com/advisories/42620
http://secunia.com/advisories/42811
http://secunia.com/advisories/42877
http://secunia.com/advisories/43169
http://secunia.com/advisories/43170
http://secunia.com/advisories/43171
http://secunia.com/advisories/43172
http://secunia.com/advisories/43173
http://secunia.com/advisories/44269
http://www.vupen.com/english/advisories/2010/3120
http://www.vupen.com/english/advisories/2010/3122
http://www.vupen.com/english/advisories/2010/3134
http://www.vupen.com/english/advisories/2010/3188
http://www.vupen.com/english/advisories/2011/0032
http://www.vupen.com/english/advisories/2011/0076
http://www.vupen.com/english/advisories/2011/0268

Copyright Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com

This is only one of 40605 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

New User Registration
Email:

UserID:

Passwd:

Please email me your monthly newsletters, informing the latest services, improvements & surveys.

Please email me a vulnerability test announcement whenever a new test is added.

Privacy

Registered User Login

UserID:

Passwd:

Forgot userid or passwd?

Email/Userid:

Test ID:	1.3.6.1.4.1.25623.1.0.68684
Category:	Ubuntu Local Security Checks
Title:	Ubuntu USN-1029-1 (openssl)
Summary:	Ubuntu USN-1029-1 (openssl)
Description:	The remote host is missing an update to openssl announced via advisory USN-1029-1. Details follow: It was discovered that an old bug workaround in the SSL/TLS server code allowed an attacker to modify the stored session cache ciphersuite. This could possibly allow an attacker to downgrade the ciphersuite to a weaker one on subsequent connections. (CVE-2010-4180) It was discovered that an old bug workaround in the SSL/TLS server code allowed allowed an attacker to modify the stored session cache ciphersuite. An attacker could possibly take advantage of this to force the use of a disabled cipher. This vulnerability only affects the versions of OpenSSL in Ubuntu 6.06 LTS, Ubuntu 8.04 LTS, and Ubuntu 9.10. (CVE-2008-7270) Solution: The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: libssl0.9.8 0.9.8a-7ubuntu0.14 Ubuntu 8.04 LTS: libssl0.9.8 0.9.8g-4ubuntu3.13 Ubuntu 9.10: libssl0.9.8 0.9.8g-16ubuntu3.5 Ubuntu 10.04 LTS: libssl0.9.8 0.9.8k-7ubuntu8.5 Ubuntu 10.10: libssl0.9.8 0.9.8o-1ubuntu4.3 After a standard system update you need to reboot your computer to make all the necessary changes. http://www.securityspace.com/smysecure/catid.html?in=USN-1029-1 Risk factor : Medium
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2008-7270 HPdes Security Advisory: HPSBHF02706 http://marc.info/?l=bugtraq&m=132077688910227&w=2 HPdes Security Advisory: SSRT100613 HPdes Security Advisory: HPSBMU02759 http://www.securityfocus.com/archive/1/522176 HPdes Security Advisory: SSRT100817 http://www.redhat.com/support/errata/RHSA-2010-0977.html http://www.redhat.com/support/errata/RHSA-2010-0978.html http://www.redhat.com/support/errata/RHSA-2011-0896.html http://ubuntu.com/usn/usn-1029-1 BugTraq ID: 45254 http://www.securityfocus.com/bid/45254 http://secunia.com/advisories/42493 Common Vulnerability Exposure (CVE) ID: CVE-2010-4180 http://lists.apple.com/archives/security-announce/2011//Jun/msg00000.html Debian Security Information: DSA-2141 (Google Search) http://www.debian.org/security/2011/dsa-2141 http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052027.html http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052315.html HPdes Security Advisory: HPSBMA02658 http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02794777 HPdes Security Advisory: SSRT100413 http://www.mandriva.com/security/advisories?name=MDVSA-2010:248 http://www.redhat.com/support/errata/RHSA-2010-0979.html http://slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.668471 SuSE Security Announcement: SUSE-SR:2011:001 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00003.html SuSE Security Announcement: SUSE-SU-2011:0847 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00014.html SuSE Security Announcement: openSUSE-SU-2011:0845 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00013.html SuSE Security Announcement: SUSE-SR:2011:009 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2011-05/msg00005.html CERT/CC vulnerability note: VU#737740 http://www.kb.cert.org/vuls/id/737740 BugTraq ID: 45164 http://www.securityfocus.com/bid/45164 http://osvdb.org/69565 http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:18910 http://www.securitytracker.com/id?1024822 http://secunia.com/advisories/42473 http://secunia.com/advisories/42469 http://secunia.com/advisories/42571 http://secunia.com/advisories/42620 http://secunia.com/advisories/42811 http://secunia.com/advisories/42877 http://secunia.com/advisories/43169 http://secunia.com/advisories/43170 http://secunia.com/advisories/43171 http://secunia.com/advisories/43172 http://secunia.com/advisories/43173 http://secunia.com/advisories/44269 http://www.vupen.com/english/advisories/2010/3120 http://www.vupen.com/english/advisories/2010/3122 http://www.vupen.com/english/advisories/2010/3134 http://www.vupen.com/english/advisories/2010/3188 http://www.vupen.com/english/advisories/2011/0032 http://www.vupen.com/english/advisories/2011/0076 http://www.vupen.com/english/advisories/2011/0268
Copyright	Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com