Planet - USN-1029-1: OpenSSL vulnerabilities
Author: SecurityTeam | From: Ubuntu security notices | 2010/12/8 8:00:21
Referenced CVEs:
CVE-2008-7270, CVE-2010-4180
Description:
===========================================================
Ubuntu Security Notice USN-1029-1 December 08, 2010
openssl vulnerabilities
CVE-2008-7270, CVE-2010-4180
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libssl0.9.8    0.9.8a-7ubuntu0.14

Ubuntu 8.04 LTS:
  libssl0.9.8    0.9.8g-4ubuntu3.13

Ubuntu 9.10:
  libssl0.9.8    0.9.8g-16ubuntu3.5

Ubuntu 10.04 LTS:
  libssl0.9.8    0.9.8k-7ubuntu8.5

Ubuntu 10.10:
  libssl0.9.8    0.9.8o-1ubuntu4.3

After a standard system update you need to reboot your computer to make
all the necessary changes.

Details follow:

It was discovered that an old bug workaround in the SSL/TLS
server code allowed an attacker to modify the stored session cache
ciphersuite. This could possibly allow an attacker to downgrade the
ciphersuite to a weaker one on subsequent connections. (CVE-2010-4180)

It was discovered that an old bug workaround in the SSL/TLS
server code allowed an attacker to modify the stored session cache
ciphersuite. An attacker could possibly take advantage of this to
force the use of a disabled cipher. This vulnerability only affects
the versions of OpenSSL in Ubuntu 6.06 LTS, Ubuntu 8.04 LTS, and
Ubuntu 9.10. (CVE-2008-7270)