UBUNTU-CVE-2025-27587

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2025-27587

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-27587.json

JSON Data

https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2025-27587

Upstream

CVE-2025-27587

Published

2025-06-16T22:15:00Z

Modified

2026-04-22T19:13:41.516187Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Ubuntu - low

Summary

[none]

Details

OpenSSL 3.0.0 through 3.3.2 on the PowerPC architecture is vulnerable to a Minerva attack, exploitable by measuring the time of signing of random messages using the EVP_DigestSign API, and then using the private key to extract the K value (nonce) from the signatures. Next, based on the bit size of the extracted nonce, one can compare the signing time of full-sized nonces to signatures that used smaller nonces, via statistical tests. There is a side-channel in the P-364 curve that allows private key extraction (also, there is a dependency between the bit size of K and the size of the side channel). NOTE: This CVE is disputed because the OpenSSL security policy explicitly notes that any side channels which require same physical system to be detected are outside of the threat model for the software. The timing signal is so small that it is infeasible to be detected without having the attacking process running on the same physical system.

References

Affected packages

Ubuntu:22.04:LTS

nodejs

Package

Name: nodejs
Purl: pkg:deb/ubuntu/nodejs@12.22.9~dfsg-1ubuntu3.6?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

12.*

12.22.5~dfsg-5ubuntu1

12.22.7~dfsg-2ubuntu1

12.22.7~dfsg-2ubuntu3

12.22.9~dfsg-1ubuntu2

12.22.9~dfsg-1ubuntu3

12.22.9~dfsg-1ubuntu3.1

12.22.9~dfsg-1ubuntu3.2

12.22.9~dfsg-1ubuntu3.3

12.22.9~dfsg-1ubuntu3.4

12.22.9~dfsg-1ubuntu3.5

12.22.9~dfsg-1ubuntu3.6

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "12.22.9~dfsg-1ubuntu3.6",
            "binary_name": "libnode72"
        },
        {
            "binary_version": "12.22.9~dfsg-1ubuntu3.6",
            "binary_name": "nodejs"
        }
    ],
    "priority_reason": "Not considered a security issue by OpenSSL developers"
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-27587.json"

openssl

Package

Name: openssl
Purl: pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.23?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.1.1l-1ubuntu1

3.*

3.0.0-1ubuntu1

3.0.1-0ubuntu1

3.0.2-0ubuntu1

3.0.2-0ubuntu1.1

3.0.2-0ubuntu1.2

3.0.2-0ubuntu1.4

3.0.2-0ubuntu1.5

3.0.2-0ubuntu1.6

3.0.2-0ubuntu1.7

3.0.2-0ubuntu1.8

3.0.2-0ubuntu1.9

3.0.2-0ubuntu1.10

3.0.2-0ubuntu1.12

3.0.2-0ubuntu1.13

3.0.2-0ubuntu1.14

3.0.2-0ubuntu1.15

3.0.2-0ubuntu1.16

3.0.2-0ubuntu1.17

3.0.2-0ubuntu1.18

3.0.2-0ubuntu1.19

3.0.2-0ubuntu1.20

3.0.2-0ubuntu1.21

3.0.2-0ubuntu1.23

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "3.0.2-0ubuntu1.23",
            "binary_name": "libssl3"
        },
        {
            "binary_version": "3.0.2-0ubuntu1.23",
            "binary_name": "openssl"
        }
    ],
    "priority_reason": "Not considered a security issue by OpenSSL developers"
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-27587.json"

Ubuntu:24.04:LTS

openssl

Package

Name: openssl
Purl: pkg:deb/ubuntu/openssl@3.0.13-0ubuntu3.9?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.0.10-1ubuntu2

3.0.10-1ubuntu2.1

3.0.10-1ubuntu3

3.0.10-1ubuntu4

3.0.13-0ubuntu2

3.0.13-0ubuntu3

3.0.13-0ubuntu3.1

3.0.13-0ubuntu3.2

3.0.13-0ubuntu3.3

3.0.13-0ubuntu3.4

3.0.13-0ubuntu3.5

3.0.13-0ubuntu3.6

3.0.13-0ubuntu3.7

3.0.13-0ubuntu3.9

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "3.0.13-0ubuntu3.9",
            "binary_name": "libssl3t64"
        },
        {
            "binary_version": "3.0.13-0ubuntu3.9",
            "binary_name": "openssl"
        }
    ],
    "priority_reason": "Not considered a security issue by OpenSSL developers"
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-27587.json"

Ubuntu:Pro:16.04:LTS

nodejs

Package

Name: nodejs
Purl: pkg:deb/ubuntu/nodejs@4.2.6~dfsg-1ubuntu4.2+esm3?arch=source&distro=esm-apps/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.10.25~dfsg2-2ubuntu1

4.*

4.2.2~dfsg-1

4.2.3~dfsg-1

4.2.4~dfsg-1ubuntu1

4.2.4~dfsg-2

4.2.6~dfsg-1ubuntu1

4.2.6~dfsg-1ubuntu4

4.2.6~dfsg-1ubuntu4.1

4.2.6~dfsg-1ubuntu4.2

4.2.6~dfsg-1ubuntu4.2+esm1

4.2.6~dfsg-1ubuntu4.2+esm2

4.2.6~dfsg-1ubuntu4.2+esm3

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "4.2.6~dfsg-1ubuntu4.2+esm3",
            "binary_name": "nodejs"
        },
        {
            "binary_version": "4.2.6~dfsg-1ubuntu4.2+esm3",
            "binary_name": "nodejs-legacy"
        }
    ],
    "priority_reason": "Not considered a security issue by OpenSSL developers"
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-27587.json"

Ubuntu:Pro:18.04:LTS

nodejs

Package

Name: nodejs
Purl: pkg:deb/ubuntu/nodejs@8.10.0~dfsg-2ubuntu0.4+esm6?arch=source&distro=esm-apps/bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

6.*

6.11.4~dfsg-1ubuntu1

6.11.4~dfsg-1ubuntu2

6.12.0~dfsg-1ubuntu1

6.12.0~dfsg-2ubuntu1

6.12.0~dfsg-2ubuntu2

8.*

8.10.0~dfsg-2

8.10.0~dfsg-2ubuntu0.2

8.10.0~dfsg-2ubuntu0.3

8.10.0~dfsg-2ubuntu0.4

8.10.0~dfsg-2ubuntu0.4+esm1

8.10.0~dfsg-2ubuntu0.4+esm2

8.10.0~dfsg-2ubuntu0.4+esm3

8.10.0~dfsg-2ubuntu0.4+esm4

8.10.0~dfsg-2ubuntu0.4+esm5

8.10.0~dfsg-2ubuntu0.4+esm6

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "8.10.0~dfsg-2ubuntu0.4+esm6",
            "binary_name": "nodejs"
        }
    ],
    "priority_reason": "Not considered a security issue by OpenSSL developers"
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-27587.json"

Ubuntu:Pro:FIPS-preview:22.04:LTS

openssl

Package

Name: openssl
Purl: pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.12+Fips1?arch=source&distro=fips-preview/jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.0.2-0ubuntu1.10+Fips1

3.0.2-0ubuntu1.12+Fips1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "3.0.2-0ubuntu1.12+Fips1",
            "binary_name": "libssl3"
        },
        {
            "binary_version": "3.0.2-0ubuntu1.12+Fips1",
            "binary_name": "openssl"
        }
    ],
    "priority_reason": "Not considered a security issue by OpenSSL developers"
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-27587.json"

Ubuntu:Pro:FIPS-updates:22.04:LTS

openssl

Package

Name: openssl
Purl: pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.23+Fips1?arch=source&distro=fips-updates/jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.0.2-0ubuntu1.10+Fips1

3.0.2-0ubuntu1.12+Fips1

3.0.2-0ubuntu1.14+Fips1

3.0.2-0ubuntu1.15+Fips1

3.0.2-0ubuntu1.16+Fips1

3.0.2-0ubuntu1.17+Fips1

3.0.2-0ubuntu1.18+Fips1

3.0.2-0ubuntu1.19+Fips1

3.0.2-0ubuntu1.20+Fips1

3.0.2-0ubuntu1.21+Fips1

3.0.2-0ubuntu1.23+Fips1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "3.0.2-0ubuntu1.23+Fips1",
            "binary_name": "libssl3"
        },
        {
            "binary_version": "3.0.2-0ubuntu1.23+Fips1",
            "binary_name": "openssl"
        }
    ],
    "priority_reason": "Not considered a security issue by OpenSSL developers"
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-27587.json"