OpenSSL DTLS Vulnerability
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openssl (Ubuntu) | Fix Released | High | Steve Beattie |
Bug Description
The following URL is for a DTLS vulnerability in OpenSSL 0.9.8s and earlier which appears to be unpatched in Ubuntu. This vulnerability permits a man-in-the-middle attack on UDP-based TLS implementations, such as OpenVPN, and leads to disclosure of encrypted material:
http://
I apologize for the Debian link; I was not sure what else to provide.
ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: openssl 0.9.8k-7ubuntu8.6
ProcVersionSign
Uname: Linux 2.6.32-38-server x86_64
NonfreeKernelMo
Architecture: amd64
Date: Thu Jan 26 12:52:22 2012
InstallationMedia: Ubuntu 10.04.3 LTS "Lucid Lynx" - Release amd64 (20110719.2)
ProcEnviron:
PATH=(custom, no user)
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: openssl
visibility: private → public
I want to mention that CVE-2012-0050 is a fix for CVE-2011-4108, which also fixed some DTLS vulnerabilities. I am unclear whether CVE-2011-4108 was ever fixed in Ubuntu, in particular in Lucid. I do not think that it was.
I think the best thing to do at this point would be to review CVE-2011-4108, but understand that it has some defects which resulted in CVE-2012-0050. Whoever performs the fix should review both of these bugs.