CVE-2020-1967 in Ubuntu

CVE-2020-1967

Priority

Description

Server or client applications that call the SSL_check_chain() function
during or after a TLS 1.3 handshake may crash due to a NULL pointer
dereference as a result of incorrect handling of the
"signature_algorithms_cert" TLS extension. The crash occurs if an invalid
or unrecognised signature algorithm is received from the peer. This could
be exploited by a malicious peer in a Denial of Service attack. OpenSSL
version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue
did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g
(Affected 1.1.1d-1.1.1f).

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1967
https://www.openssl.org/news/secadv/20200421.txt

Assigned-to

mdeslaur

Notes

mdeslaur

introduced in 1.1.1d

Package

Source: edk2 (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	not-affected (code not present)
Ubuntu 20.04 LTS:	not-affected (code not compiled)
Ubuntu 14.04 ESM:	DNE

Patches:

Package

Source: openssl (LP Ubuntu Debian)

Upstream:	released (1.1.1g)
Ubuntu 18.04 LTS:	not-affected (code not present)
Ubuntu 20.04 LTS:	released (1.1.1f-1ubuntu2)
Ubuntu 16.04 ESM:	not-affected (code not present)
Ubuntu 14.04 ESM:	not-affected (code not present)

Patches:

Upstream:	https://github.com/openssl/openssl/commit/a87f3fe01a5a894aa27ccd6a239155fd129988e4
Upstream:	https://github.com/openssl/openssl/commit/3656c08ab4b1b892730cb5e808b6f4298b08a2e6

Package

Source: openssl1.0 (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	not-affected (code not present)
Ubuntu 20.04 LTS:	DNE
Ubuntu 14.04 ESM:	DNE

Patches:

More Information

Updated: 2022-04-13 14:16:47 UTC (commit f411bd370d482ef4385c4e751d121a4055fbc009)