ESB-2018.3631 - [Debian] openssl: Access privileged data - Existing account 2018-11-22


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3631
                   [DLA 1586-1] openssl security update
                             22 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openssl
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-5407 CVE-2018-0735 

Reference:         ESB-2018.3545

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2018/11/msg00024.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : openssl
Version        : 1.0.1t-1+deb8u10
CVE ID         : CVE-2018-0735 CVE-2018-5407


CVE-2018-0735
      Samuel Weiser reported a timing vulnerability in the OpenSSL ECDSA
      signature generation, which might leak information to recover the
      private key.

CVE-2018-5407
      Alejandro Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar
      Pereida Garcia and Nicola Tuveri reported a vulnerability to a
      timing side channel attack, which might be used to recover the
      private key.


For Debian 8 "Jessie", these problems have been fixed in version
1.0.1t-1+deb8u10.

We recommend that you upgrade your openssl packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
