Affected systems include Ubuntu 12.04, 14.04, 16.04 & 16.10

Feb 1, 2017 02:33 GMT

Canonical's Marc Deslauriers announced earlier the availability of updated OpenSSL packages for all supported Ubuntu Linux operating systems, which address several vulnerabilities discovered recently.

According to Ubuntu Security Notice USN-3181-1, a total of six security issues were fixed in the OpenSSL packages shipped with Ubuntu. These packages provide the Secure Sockets Layer (SSL) cryptographic library and the command-line tools that many applications depend on.

Discovered by Guido Vranken, the first OpenSSL security flaw (CVE-2016-2177) could allow a remote attacker to trigger undefined behavior in OpenSSL's pointer arithmetic and crash the library, resulting in a denial of service. This vulnerability only affects Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.

Two further issues, CVE-2016-7055 and CVE-2016-8610 (the latter discovered by Shi Lei), concern incorrect handling of Montgomery multiplication and of certain warning alerts, respectively. The first may lead to transient failures, while the second could allow a remote attacker to cause a denial of service by making OpenSSL stop responding. CVE-2016-7055 only affects Ubuntu 16.04 LTS and Ubuntu 16.10.

Another OpenSSL vulnerability fixed in this update, CVE-2016-7056, stems from the libssl libraries not using constant-time operations when performing ECDSA P-256 signing, which could allow a remote attacker to recover private ECDSA keys through a timing attack. This issue only affects Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.

Two other OpenSSL security flaws, CVE-2017-3731, discovered by Robert Święcki, and CVE-2017-3732, concern incorrect handling of certain truncated packets and an incorrect x86_64 Montgomery squaring procedure, respectively. The first could allow a remote attacker to crash OpenSSL and cause a denial of service; the second could allow a remote attacker to recover private keys. CVE-2017-3732 only affects Ubuntu 16.04 LTS and Ubuntu 16.10.

Canonical recommends that all Ubuntu users update their PCs immediately

These issues affect all supported Ubuntu releases: Ubuntu 12.04 LTS (Precise Pangolin), Ubuntu 14.04 LTS (Trusty Tahr), Ubuntu 16.04 LTS (Xenial Xerus), and Ubuntu 16.10 (Yakkety Yak). Users are urged to update to libssl1.0.0 1.0.2g on Ubuntu 16.10 and Ubuntu 16.04 LTS, and to libssl1.0.0 1.0.1f and 1.0.1 on Ubuntu 14.04 LTS and Ubuntu 12.04 LTS, respectively.

Canonical recommends that all Ubuntu Linux users update their installations immediately to the new OpenSSL package versions mentioned above. To update your system, open the package manager of your choice (e.g. Synaptic Package Manager, APT, or Ubuntu Software), check for updates and install the new releases. Because the fix lives in a shared library, any running service that loaded the old libssl keeps using the vulnerable code until it is restarted, so rebooting after the update is the simplest way to be sure every process picks up the fixed version. The company provides more information at https://wiki.ubuntu.com/Security/Upgrades.