Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.04 : openssl vulnerability (USN-1898-1)

Ubuntu Security Notice (C) 2013-2014 Canonical, Inc. / NASL script (C) 2013-2014 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing one or more security-related patches.

Description :

The TLS protocol 1.2 and earlier can encrypt compressed data without
properly obfuscating the length of the unencrypted data, which allows
man-in-the-middle attackers to obtain plaintext content by observing
length differences during a series of guesses in which a provided
string potentially matches an unknown string in encrypted and
compressed traffic. This is known as a CRIME attack in HTTP. Other
protocols layered on top of TLS may also make these attacks practical.

This update disables compression for all programs using SSL and TLS
provided by the OpenSSL library. To re-enable compression for programs
that need compression to communicate with legacy services, define the
variable OPENSSL_DEFAULT_ZLIB in the program's environment.

Solution :

Update the affected libssl0.9.8 and / or libssl1.0.0 packages.

Risk factor :

Low / CVSS Base Score : 2.6
(CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 2.3
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 67189 ()

Bugtraq ID: 55704

CVE ID: CVE-2012-4929