Ubuntu Security Notice (C) 2013-2016 Canonical, Inc. / NASL script (C) 2013-2016 Tenable Network Security, Inc.
The remote Ubuntu host is missing one or more security-related
The TLS protocol 1.2 and earlier can encrypt compressed data without
properly obfuscating the length of the unencrypted data, which allows
man-in-the-middle attackers to obtain plaintext content by observing
length differences during a series of guesses in which a provided
string potentially matches an unknown string in encrypted and
compressed traffic. This is known as a CRIME attack in HTTP. Other
protocols layered on top of TLS may also make these attacks practical.
This update disables compression for all programs using SSL and TLS
provided by the OpenSSL library. To re-enable compression for programs
that need compression to communicate with legacy services, define the
variable OPENSSL_DEFAULT_ZLIB in the program's environment.
Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.
Update the affected libssl0.9.8 and / or libssl1.0.0 packages.
Risk factor :
Low / CVSS Base Score : 2.6
CVSS Temporal Score : 2.3
Public Exploit Available : true