
Ubuntu Security Notice USN-7786-1 addresses three vulnerabilities in OpenSSL, a secure cryptographic library. The issues were discovered by Stanislav Fort and affect multiple Ubuntu versions, including 25.04, 24.04 LTS, 22.04 LTS, and others. The vulnerabilities could lead to denial of service or arbitrary code execution (CVE-2025-9230), private data exposure on ARM platforms (CVE-2025-9231), or denial of service when the "no_proxy" environment variable is set (CVE-2025-9232). The last two affect only Ubuntu 25.04.

[USN-7786-1] OpenSSL vulnerabilities

==========================================================================
Ubuntu Security Notice USN-7786-1
September 30, 2025

openssl, openssl1.0 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.04
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in OpenSSL.

Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools
- openssl1.0: Secure Socket Layer (SSL) cryptographic library and tools

Details:

Stanislav Fort discovered that OpenSSL incorrectly handled memory when
trying to decrypt CMS messages encrypted with password-based encryption. An
attacker could possibly use this issue to cause a denial of service or
execute arbitrary code. (CVE-2025-9230)

Stanislav Fort discovered that OpenSSL had a timing side-channel in SM2
signature computations on ARM platforms. A remote attacker could possibly
use this issue to recover private data. This issue only affected Ubuntu
25.04. (CVE-2025-9231)

Stanislav Fort discovered that OpenSSL incorrectly handled memory during
HTTP requests when the "no_proxy" environment variable is set. An attacker
could possibly use this issue to cause a denial of service. This issue only
affected Ubuntu 25.04. (CVE-2025-9232)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.04
  libssl3t64   3.4.1-1ubuntu4
  openssl      3.4.1-1ubuntu4

Ubuntu 24.04 LTS
  libssl3t64   3.0.13-0ubuntu3.6
  openssl      3.0.13-0ubuntu3.6

Ubuntu 22.04 LTS
  libssl3      3.0.2-0ubuntu1.20
  openssl      3.0.2-0ubuntu1.20

Ubuntu 20.04 LTS
  libssl1.1    1.1.1f-1ubuntu2.24+esm1 (Available with Ubuntu Pro)
  openssl      1.1.1f-1ubuntu2.24+esm1 (Available with Ubuntu Pro)

Ubuntu 18.04 LTS
  libssl1.0.0  1.0.2n-1ubuntu5.13+esm2 (Available with Ubuntu Pro)
  libssl1.1    1.1.1-1ubuntu2.1~18.04.23+esm6 (Available with Ubuntu Pro)
  openssl      1.1.1-1ubuntu2.1~18.04.23+esm6 (Available with Ubuntu Pro)
  openssl1.0   1.0.2n-1ubuntu5.13+esm2 (Available with Ubuntu Pro)

Ubuntu 16.04 LTS
  libssl1.0.0  1.0.2g-1ubuntu4.20+esm13 (Available with Ubuntu Pro)
  openssl      1.0.2g-1ubuntu4.20+esm13 (Available with Ubuntu Pro)

Ubuntu 14.04 LTS
  libssl1.0.0  1.0.1f-1ubuntu2.27+esm11 (Available with Ubuntu Pro)
  openssl      1.0.1f-1ubuntu2.27+esm11 (Available with Ubuntu Pro)

In general, a standard system update will make all the necessary changes.
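
To confirm that a host actually carries the fixed packages, the following added example (not part of the notice) compares installed versions against the table above using dpkg's own version ordering. The function names usn_status and audit_host and the --audit switch are assumptions of this example; it also assumes VERSION_ID in /etc/os-release matches the Ubuntu release number.

```shell
#!/bin/sh
# Added example, not part of USN-7786-1. Fixed versions are copied from the
# notice's table as release|package|fixed-version.
FIXED='25.04|libssl3t64|3.4.1-1ubuntu4
25.04|openssl|3.4.1-1ubuntu4
24.04|libssl3t64|3.0.13-0ubuntu3.6
24.04|openssl|3.0.13-0ubuntu3.6
22.04|libssl3|3.0.2-0ubuntu1.20
22.04|openssl|3.0.2-0ubuntu1.20
20.04|libssl1.1|1.1.1f-1ubuntu2.24+esm1
20.04|openssl|1.1.1f-1ubuntu2.24+esm1
18.04|libssl1.0.0|1.0.2n-1ubuntu5.13+esm2
18.04|libssl1.1|1.1.1-1ubuntu2.1~18.04.23+esm6
18.04|openssl|1.1.1-1ubuntu2.1~18.04.23+esm6
18.04|openssl1.0|1.0.2n-1ubuntu5.13+esm2
16.04|libssl1.0.0|1.0.2g-1ubuntu4.20+esm13
16.04|openssl|1.0.2g-1ubuntu4.20+esm13
14.04|libssl1.0.0|1.0.1f-1ubuntu2.27+esm11
14.04|openssl|1.0.1f-1ubuntu2.27+esm11'

# usn_status RELEASE PACKAGE INSTALLED_VERSION
# Prints "patched", "vulnerable", or "not-listed" (package not in the notice
# for that release). Uses dpkg's ordering so "+esm" and "~" compare correctly.
usn_status() {
    fixed=$(printf '%s\n' "$FIXED" |
        awk -F'|' -v r="$1" -v p="$2" '$1 == r && $2 == p { print $3 }')
    if [ -z "$fixed" ]; then echo not-listed; return 0; fi
    if dpkg --compare-versions "$3" ge "$fixed"; then
        echo patched
    else
        echo vulnerable
    fi
}

# audit_host: report every listed package that is installed on this machine.
audit_host() {
    rel=$(. /etc/os-release && printf '%s' "$VERSION_ID")
    printf '%s\n' "$FIXED" | awk -F'|' -v r="$rel" '$1 == r { print $2 }' |
    while read -r pkg; do
        # One line per architecture on multiarch hosts; check the first.
        ver=$(dpkg-query -W -f='${Version}\n' "$pkg" 2>/dev/null | head -n 1)
        [ -n "$ver" ] || continue   # not installed
        printf '%s %s %s\n' "$pkg" "$ver" "$(usn_status "$rel" "$pkg" "$ver")"
    done
}

if [ "${1:-}" = "--audit" ]; then audit_host; fi
```

A 20.04 or older host without Ubuntu Pro reports "vulnerable" even when fully updated from the standard archive, because the fixed versions for those releases carry the +esm suffix.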

References:
https://ubuntu.com/security/notices/USN-7786-1
CVE-2025-9230, CVE-2025-9231, CVE-2025-9232

Package Information:
https://launchpad.net/ubuntu/+source/openssl/3.4.1-1ubuntu4
https://launchpad.net/ubuntu/+source/openssl/3.0.13-0ubuntu3.6
https://launchpad.net/ubuntu/+source/openssl/3.0.2-0ubuntu1.20