CVE-2013-0166

Publication date 8 February 2013

Last updated 24 July 2024

Ubuntu priority

OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows remote OCSP servers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
openssl	14.04 LTS trusty	Fixed 1.0.1c-4ubuntu4
	13.10 saucy	Fixed 1.0.1c-4ubuntu4
	13.04 raring	Fixed 1.0.1c-4ubuntu4
	12.10 quantal	Fixed 1.0.1c-3ubuntu2.1
	12.04 LTS precise	Fixed 1.0.1-4ubuntu5.6
	11.10 oneiric	Fixed 1.0.0e-2ubuntu4.7
	10.04 LTS lucid	Fixed 0.9.8k-7ubuntu8.14
	8.04 LTS hardy	Fixed 0.9.8g-4ubuntu3.20
openssl098	14.04 LTS trusty	Fixed 0.9.8o-7ubuntu3.2.14.04.1
	13.10 saucy	Fixed 0.9.8o-7ubuntu3.2.13.10.1
	13.04 raring	Ignored
	12.10 quantal	Ignored
	12.04 LTS precise	Fixed 0.9.8o-7ubuntu3.2
	11.10 oneiric	Ignored
	10.04 LTS lucid	Not in release
	8.04 LTS hardy	Not in release

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
openssl	Upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=66e8211c0b1347970096e04b18aa52567c325200 Upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ebc71865f0506a293242bd4aec97cdc7a8ef24b0 Upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=62e4506a7d4cec1c8e1ff687f6b220f6a62a57c7

References

Related Ubuntu Security Notices (USN)

USN-1732-1
OpenSSL vulnerabilities
21 February 2013

CVE-2013-0166

Status

Patch details

References

Related Ubuntu Security Notices (USN)

Other references