===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2389
                          openssl security update
                                2 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openssl
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Reduced Security -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-1543

Reference:         ESB-2019.1037
                   ESB-2019.0926
                   ESB-2019.0731

Original Bulletin:
   http://www.debian.org/security/2019/dsa-4475

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-4475-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 01, 2019                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : openssl
CVE ID         : CVE-2019-1543

Joran Dirk Greef discovered that overly long nonces used with
ChaCha20-Poly1305 were incorrectly processed and could result in nonce
reuse. This doesn't affect OpenSSL-internal uses of ChaCha20-Poly1305
such as TLS.

For the stable distribution (stretch), this problem has been fixed in
version 1.1.0k-1~deb9u1. This DSA also upgrades openssl1.0 (which
itself is not affected by CVE-2019-1543) to 1.0.2s-1~deb9u1

We recommend that you upgrade your openssl packages.

For the detailed security status of openssl please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/openssl

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================