-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3631
                   [DLA 1586-1] openssl security update
                             22 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openssl
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-5407 CVE-2018-0735

Reference:         ESB-2018.3545

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2018/11/msg00024.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : openssl
Version        : 1.0.1t-1+deb8u10
CVE ID         : CVE-2018-0735 CVE-2018-5407

CVE-2018-0735

    Samuel Weiser reported a timing vulnerability in the OpenSSL ECDSA
    signature generation, which might leak information to recover the
    private key.

CVE-2018-5407

    Alejandro Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar
    Pereida Garcia and Nicola Tuveri reported a vulnerability to a
    timing side channel attack, which might be used to recover the
    private key.

For Debian 8 "Jessie", these problems have been fixed in version
1.0.1t-1+deb8u10.

We recommend that you upgrade your openssl packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
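
Added example, not part of the bulletin: a check of an installed Debian 8 openssl package version against the fixed version 1.0.1t-1+deb8u10, using the Debian policy version ordering, because a plain string comparison ranks "deb8u9" above "deb8u10". The function names and sample versions are constructed for illustration; on a live host `dpkg --compare-versions` performs the same ordering.

```python
import re
import sys
from itertools import zip_longest

# Fixed openssl version for Debian 8 "Jessie", taken from the bulletin.
FIXED_VERSION = "1.0.1t-1+deb8u10"

def _order(c):
    """Sort weight of one non-digit character; '' marks the end of a run."""
    if c == "~":
        return -1  # tilde sorts before everything, even the end of the string
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256  # letters before symbols

def _cmp_part(a, b):
    """Compare two upstream or revision strings: <0, 0 or >0."""
    runs_a = re.findall(r"([^0-9]*)([0-9]*)", a)
    runs_b = re.findall(r"([^0-9]*)([0-9]*)", b)
    for (ta, na), (tb, nb) in zip_longest(runs_a, runs_b, fillvalue=("", "")):
        for ca, cb in zip_longest(ta, tb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(na or 0) != int(nb or 0):  # numeric runs compare as integers
            return int(na or 0) - int(nb or 0)
    return 0

def _split(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    head, colon, tail = version.partition(":")
    epoch, rest = (int(head), tail) if colon else (0, version)
    upstream, dash, revision = rest.rpartition("-")
    return (epoch, upstream, revision) if dash else (epoch, rest, "")

def compare(a, b):
    """Debian-policy ordering of two version strings: <0, 0 or >0."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def is_patched(installed, fixed=FIXED_VERSION):
    """True if the installed Debian 8 openssl version is at or past the fix."""
    return compare(installed, fixed) >= 0

if __name__ == "__main__":
    # Constructed sample versions; pass real ones as arguments instead.
    samples = ["1.0.1t-1+deb8u9", "1.0.1t-1+deb8u10", "1.0.1k-3+deb8u5"]
    for v in sys.argv[1:] or samples:
        print(f"{v}: {'patched' if is_patched(v) else 'below fixed version'}")
```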