CVE-2011-5095

Publication date 20 June 2012

Last updated 24 July 2024

Ubuntu priority

Negligible

Why this priority?

The Diffie-Hellman key-exchange implementation in OpenSSL 0.9.8, when FIPS mode is enabled, does not properly validate a public parameter, which makes it easier for man-in-the-middle attackers to obtain the shared secret key by modifying network traffic, a related issue to CVE-2011-1923.

Read the notes from the security team

Status

No maintained releases are affected by this CVE.

Package Ubuntu Release Status
openssl 12.04 LTS precise
Not affected
11.10 oneiric
Not affected
11.04 natty
Not affected
10.04 LTS lucid
Not affected
8.04 LTS hardy
Not affected
openssl098 12.04 LTS precise
Not affected
11.10 oneiric
Not affected
11.04 natty Not in release
10.04 LTS lucid Not in release
8.04 LTS hardy Not in release

Notes

jdstrand

RedHat fixed this with the openssl-fips-0.9.8e-dh-check.patch patch in 0.9.8e-20.el5 by adding the DH_check_pub_key() check to fips/dh/fips_dh_key.c:compute_key() code not present in 1.0 series and the existing dh_key.c code already uses DH_check_pub_key() (as does the dh_key.c code in 0.9.8, but this is not used when compiled in fips mode). For details of 1.0’s FIPS status, see http://www.openssl.org/docs/fips/fipsvalidation.html for details upstream has not included RedHat’s patch in their 0.9.8 series fips_dh_key.c not compiled in Ubuntu

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
openssl