ESB-2017.3209 - [Debian] openssl1.0: Access privileged data - Remote/unauthenticated 2017-12-18


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.3209
                        openssl1.0 security update
                             18 December 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openssl1.0
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-3738 CVE-2017-3737 

Reference:         ESB-2017.3169
                   ESB-2017.3144.2

Original Bulletin: 
   http://www.debian.org/security/2017/dsa-4065

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4065-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 17, 2017                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : openssl1.0
CVE ID         : CVE-2017-3737 CVE-2017-3738

Multiple vulnerabilities have been discovered in OpenSSL, a Secure
Sockets Layer toolkit. The Common Vulnerabilities and Exposures project
identifies the following issues:

CVE-2017-3737

    David Benjamin of Google reported that OpenSSL does not properly
    handle SSL_read() and SSL_write() while being invoked in an error
    state, causing data to be passed without being decrypted or
    encrypted directly from the SSL/TLS record layer.

CVE-2017-3738

    It was discovered that OpenSSL contains an overflow bug in the AVX2
    Montgomery multiplication procedure used in exponentiation with
    1024-bit moduli.

Details can be found in the upstream advisory:
https://www.openssl.org/news/secadv/20171207.txt

For the stable distribution (stretch), these problems have been fixed in
version 1.0.2l-2+deb9u2.

We recommend that you upgrade your openssl1.0 packages.
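A practical check for this advisory is whether the installed openssl1.0 package is at or above 1.0.2l-2+deb9u2. The following is an added example, not code from the AusCERT or Debian bulletin: it reimplements the Debian policy version-ordering algorithm (the same ordering `dpkg --compare-versions` applies, including `~` sorting before everything and `deb9u10` sorting after `deb9u2`) so the comparison can run on any host, and optionally asks `dpkg-query` for the installed version. The package name and fixed version are taken from the advisory above; the helper names are this example's own.

```python
"""Check whether an installed Debian package version carries the DSA-4065-1 fix.

Added example (not part of the AusCERT/Debian bulletin). It reimplements the
Debian policy version-comparison algorithm (the ordering dpkg --compare-versions
uses) so the check works offline, then compares a version string against the
fixed version the advisory names.
"""
import re
import subprocess

# Values taken from the bulletin above.
PACKAGE = "openssl1.0"
FIXED_VERSION = "1.0.2l-2+deb9u2"


def _char_order(c):
    """Ordering of one non-digit character as dpkg defines it: '~' sorts
    before everything (even end of string), end of string sorts next,
    letters sort before all other characters."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Compare two version fragments (upstream part or Debian revision)."""
    while a or b:
        # 1. Compare the leading non-digit runs character by character.
        na = re.match(r"[^0-9]*", a).group(0)
        nb = re.match(r"[^0-9]*", b).group(0)
        for i in range(max(len(na), len(nb))):
            oa = _char_order(na[i] if i < len(na) else "")
            ob = _char_order(nb[i] if i < len(nb) else "")
            if oa != ob:
                return -1 if oa < ob else 1
        a, b = a[len(na):], b[len(nb):]
        # 2. Compare the leading digit runs numerically (missing run == 0).
        da = re.match(r"[0-9]*", a).group(0)
        db = re.match(r"[0-9]*", b).group(0)
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into its three parts.
    A missing epoch is 0; a missing revision compares equal to '0'."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(v1, v2):
    """Return -1, 0 or 1, matching dpkg --compare-versions lt/eq/gt."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def is_fixed(installed, fixed=FIXED_VERSION):
    """True when the installed version is at or above the fixed version."""
    return compare_versions(installed, fixed) >= 0


def installed_version(package=PACKAGE):
    """Ask dpkg for the installed version; None if dpkg or the package is absent."""
    try:
        out = subprocess.run(
            ["dpkg-query", "-W", "-f=${Version}", package],
            capture_output=True, text=True, check=True,
        ).stdout.strip()
    except (OSError, subprocess.CalledProcessError):
        return None
    return out or None


if __name__ == "__main__":
    current = installed_version()
    if current is None:
        print(f"{PACKAGE} is not installed (or dpkg is unavailable)")
    else:
        state = "fixed" if is_fixed(current) else "VULNERABLE"
        print(f"{PACKAGE} {current} vs {FIXED_VERSION}: {state}")
```

Running the script on a stretch host prints whether the installed openssl1.0 is at the fixed revision; `compare_versions` can also be fed version strings collected from an inventory, which is where the `~` and multi-digit `deb9uNN` cases matter, since a naive string comparison gets both wrong.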

For the detailed security status of openssl1.0 please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/openssl1.0

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
