ESB-2017.2822 - [Win][UNIX/Linux][Debian] openssl: Multiple vulnerabilities 2017-11-06


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2822
                        openssl1.0 security update
                              6 November 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openssl
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   Debian GNU/Linux 8
                   Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-3736 CVE-2017-3735 

Original Bulletin: 
   http://www.debian.org/security/2017/dsa-4017
   http://www.debian.org/security/2017/dsa-4018

Comment: Researchers have noted that CVE-2017-3736, while potentially 
         resulting in a high severity impact, is only feasible against 
         Diffie-Hellman implementations, and would require significant skill 
         and a very specific set of conditions to exploit, resulting in High 
         attack complexity.
         
         This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running openssl1.0 check for an updated version of the software for
         their operating system.
         
         This bulletin contains two (2) Debian security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4017-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 03, 2017                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : openssl1.0
CVE ID         : CVE-2017-3735 CVE-2017-3736

Multiple vulnerabilities have been discovered in OpenSSL, a Secure
Sockets Layer toolkit. The Common Vulnerabilities and Exposures project
identifies the following issues:

CVE-2017-3735

    It was discovered that OpenSSL is prone to a one-byte buffer
    overread while parsing a malformed IPAddressFamily extension in an
    X.509 certificate.

    Details can be found in the upstream advisory:
    https://www.openssl.org/news/secadv/20170828.txt

CVE-2017-3736

    It was discovered that OpenSSL contains a carry propagation bug in
    the x86_64 Montgomery squaring procedure.

    Details can be found in the upstream advisory:
    https://www.openssl.org/news/secadv/20171102.txt

For the stable distribution (stretch), these problems have been fixed in
version 1.0.2l-2+deb9u1.

For the unstable distribution (sid), these problems have been fixed in
version 1.0.2m-1.

We recommend that you upgrade your openssl1.0 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

- -----END PGP SIGNATURE-----
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4018-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 04, 2017                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : openssl
CVE ID         : CVE-2017-3735 CVE-2017-3736

Multiple vulnerabilities have been discovered in OpenSSL, a Secure
Sockets Layer toolkit. The Common Vulnerabilities and Exposures project
identifies the following issues:

CVE-2017-3735

    It was discovered that OpenSSL is prone to a one-byte buffer
    overread while parsing a malformed IPAddressFamily extension in an
    X.509 certificate.

    Details can be found in the upstream advisory:
    https://www.openssl.org/news/secadv/20170828.txt

CVE-2017-3736

    It was discovered that OpenSSL contains a carry propagation bug in
    the x86_64 Montgomery squaring procedure.

    Details can be found in the upstream advisory:
    https://www.openssl.org/news/secadv/20171102.txt

For the oldstable distribution (jessie), CVE-2017-3735 has been fixed in
version 1.0.1t-1+deb8u7. The oldstable distribution is not affected by
CVE-2017-3736.

For the stable distribution (stretch), these problems have been fixed in
version 1.1.0f-3+deb9u1.

For the unstable distribution (sid), these problems have been fixed in
version 1.1.0g-1.

We recommend that you upgrade your openssl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----
