CVE-2020-1967

Published: 21 April 2020

Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL versions 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).
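A practical complication when triaging this CVE on Ubuntu: the focal fix is a backport, so a patched host still reports `OpenSSL 1.1.1f` from `openssl version`, and any scanner that keys only on the upstream version string flags it as vulnerable. The correct check compares the installed package version against the fixed package version (1.1.1f-1ubuntu2 for focal, per the status table below) using Debian version ordering. The following is an added example, not code from OpenSSL or from the Ubuntu CVE tracker; the affected range and the focal fix version are taken from this page, the comparison reimplements dpkg's documented verrevcmp ordering (on a real host you would simply run `dpkg --compare-versions`), and all version strings fed to it are constructed samples. Whether an affected library is actually exposed still depends on the application calling SSL_check_chain(), as the description states; this script decides library status only.

```python
"""Classify an OpenSSL build against CVE-2020-1967 using the package version,
not just the upstream version string (added example, not tracker code)."""
import re

# From the advisory text: introduced in 1.1.1d, fixed upstream in 1.1.1g.
AFFECTED_FIRST = (1, 1, 1, "d")
FIXED_UPSTREAM = (1, 1, 1, "g")
# Ubuntu focal shipped the fix as a backport in this package version.
FOCAL_FIXED = "1.1.1f-1ubuntu2"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return (major, minor, fix, patch_letters) from 'OpenSSL 1.1.1f  31 Mar 2020'
    or from a dpkg version such as '1.1.1f-1ubuntu2'. '1.1.1' sorts before '1.1.1a'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def upstream_affected(text):
    """True when the upstream version satisfies 1.1.1d <= v < 1.1.1g."""
    return AFFECTED_FIRST <= parse_openssl_version(text) < FIXED_UPSTREAM


# --- Debian/Ubuntu package version ordering (dpkg's verrevcmp algorithm) ---

def _order(c):
    # dpkg weighting: '~' sorts before anything, even end of string;
    # letters sort before other non-digits; digits are compared numerically.
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a, b):
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character with _order().
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: numeric comparison, leading zeros ignored.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1          # a has more digits, so it is numerically larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split_deb(version):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def deb_version_cmp(a, b):
    """Negative, zero or positive, like `dpkg --compare-versions`."""
    ea, ua, ra = _split_deb(a)
    eb, ub, rb = _split_deb(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def assess_package(dpkg_version, fixed_version=FOCAL_FIXED):
    """Classify an installed libssl1.1 package version against the backported fix."""
    if not upstream_affected(dpkg_version):
        return "not affected"      # upstream base outside 1.1.1d..1.1.1f
    if deb_version_cmp(dpkg_version, fixed_version) >= 0:
        return "fixed"             # distro backport of the 1.1.1g fix
    return "vulnerable"


if __name__ == "__main__":
    # Constructed samples; on a real host use `openssl version` and
    # `dpkg-query -W -f='${Version}' libssl1.1`.
    print(upstream_affected("OpenSSL 1.1.1f  31 Mar 2020"))  # True: upstream string alone says affected
    print(assess_package("1.1.1f-1ubuntu2"))                 # fixed: the package carries the backport
    print(assess_package("1.1.1f-1ubuntu2~20.04"))           # vulnerable: hypothetical '~' string sorts below the fix
```

The point of the `deb_version_cmp` path is the third sample: a revision containing `~` sorts below the same string without it, and a `1ubuntu10` revision sorts above `1ubuntu9`, both of which a plain string comparison gets wrong.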

Notes

Author    Note
mdeslaur  introduced in 1.1.1d

Priority

High

CVSS 3 Severity Score

7.5


Status

Package: edk2
  Release   Status
  bionic    Not vulnerable (code not present)
  eoan      Not vulnerable (code not present)
  focal     Not vulnerable (code not compiled)
  trusty    Does not exist
  upstream  Needs triage
  xenial    Not vulnerable (code not present)

Package: openssl
  Release   Status
  bionic    Not vulnerable (code not present)
  eoan      Not vulnerable (code not present)
  focal     Released (1.1.1f-1ubuntu2)
  trusty    Not vulnerable (code not present)
  upstream  Released (1.1.1g)
  xenial    Not vulnerable (code not present)
  Patches:
    upstream: https://github.com/openssl/openssl/commit/a87f3fe01a5a894aa27ccd6a239155fd129988e4
    upstream: https://github.com/openssl/openssl/commit/3656c08ab4b1b892730cb5e808b6f4298b08a2e6

Package: openssl1.0
  Release   Status
  bionic    Not vulnerable (code not present)
  eoan      Does not exist
  focal     Does not exist
  trusty    Does not exist
  upstream  Needs triage
  xenial    Does not exist

Severity score breakdown

Parameter Value
Base score 7.5
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality impact None
Integrity impact None
Availability impact High
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H