-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2019.3692.3
                          openssl security update
                              14 October 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openssl
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   Debian GNU/Linux 10
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-1563 CVE-2019-1549 CVE-2019-1547

Reference:         ESB-2019.3622

Original Bulletin: 
   http://www.debian.org/security/2019/dsa-4539

Revision History:  October 14 2019: Added [DSA 4539-3]
                   October  8 2019: Added [DSA 4539-2]
                   October  2 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4539-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 01, 2019                      https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : openssl
CVE ID         : CVE-2019-1547 CVE-2019-1549 CVE-2019-1563

Three security issues were discovered in OpenSSL: a timing attack against
ECDSA (CVE-2019-1547); a padding oracle in PKCS7_dataDecode() and
CMS_decrypt_set1_pkey() (CVE-2019-1563); and a feature of the random number
generator (RNG), intended to protect against shared RNG state between parent
and child processes in the event of a fork() syscall, which was not used by
default (CVE-2019-1549).

For the oldstable distribution (stretch), these problems have been fixed
in version 1.1.0l-1~deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 1.1.1d-0+deb10u1.

We recommend that you upgrade your openssl packages.

For the detailed security status of openssl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openssl

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
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=8Ygc
- -----END PGP SIGNATURE-----

====================================================================

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4539-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 07, 2019                      https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : openssh
Debian Bug     : 941663

A change introduced in openssl 1.1.1d (shipped in DSA 4539-1) requires
sandboxing features that are not available in Linux kernels before 3.19,
so OpenSSH rejects connection attempts when running on such a kernel. This
does not affect the Linux kernels shipped in Debian oldstable/stable, but it
may affect buster systems that are running on an older kernel.

For the stable distribution (buster), this problem has been fixed in
version 1:7.9p1-10+deb10u1.

We recommend that you upgrade your openssh packages.

For the detailed security status of openssh please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/openssh

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
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=NOpU
- -----END PGP SIGNATURE-----

====================================================================

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4539-3                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 13, 2019                      https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : openssl
Debian Bug     : 941987

The update for openssl released as DSA 4539-1 introduced a regression
where AES-CBC-HMAC-SHA ciphers were not enabled. Updated openssl
packages are now available to correct this issue.

For the stable distribution (buster), this problem has been fixed in
version 1.1.1d-0+deb10u2.

We recommend that you upgrade your openssl packages.

For the detailed security status of openssl please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/openssl

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
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=2zTK
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
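
The fork-protection item in DSA-4539-1 (CVE-2019-1549) is easiest to see with
a toy generator. The following is an added example, not OpenSSL's DRBG and not
part of the Debian or AusCERT text: CounterDRBG is an assumed stand-in for any
user-space generator whose state lives in process memory. After fork() the child
holds a byte-for-byte copy of that state, so unless the generator notices the
fork (here: by comparing the current pid with the pid recorded at seeding) both
processes emit the same "random" bytes. The simulated fork uses an injectable
getpid so the experiment is deterministic; the real fork() variant runs when the
script is executed directly.

```python
"""Why an RNG needs fork protection: parent and child share state after fork().

Added illustration, not OpenSSL code. CounterDRBG is an assumed toy design
(output block i = SHA-256(key || i)); only its state handling matters here.
"""
import copy
import hashlib
import os
import struct


class CounterDRBG:
    """Toy deterministic generator with optional fork detection."""

    def __init__(self, fork_protection: bool, getpid=os.getpid):
        self._fork_protection = fork_protection
        self._getpid = getpid          # injectable so a fork can be simulated
        self._reseed()

    def _reseed(self) -> None:
        self._key = os.urandom(32)     # fresh entropy from the OS
        self._counter = 0
        self._pid = self._getpid()     # remember which process seeded this state

    def generate(self, nbytes: int) -> bytes:
        # Fork protection: a changed pid means this state was inherited from a
        # parent; discard it and reseed before producing any output.
        if self._fork_protection and self._getpid() != self._pid:
            self._reseed()
        out = b""
        while len(out) < nbytes:
            block = self._key + struct.pack(">Q", self._counter)
            out += hashlib.sha256(block).digest()
            self._counter += 1
        return out[:nbytes]


def simulate_fork(parent: CounterDRBG) -> CounterDRBG:
    """Model fork(): the child gets an exact copy of the parent's state and
    only its process id differs."""
    child = copy.deepcopy(parent)
    parent_pid = parent._getpid()
    child._getpid = lambda: parent_pid + 1
    return child


def outputs_collide(fork_protection: bool, nbytes: int = 32) -> bool:
    """True if parent and (simulated) child produce identical output."""
    parent = CounterDRBG(fork_protection)
    child = simulate_fork(parent)
    return parent.generate(nbytes) == child.generate(nbytes)


def real_fork_collides(fork_protection: bool) -> bool:
    """Same experiment with a real fork(): the child sends its output back
    over a pipe and the parent compares it with its own."""
    drbg = CounterDRBG(fork_protection)
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:                       # child
        os.close(rfd)
        os.write(wfd, drbg.generate(32))
        os._exit(0)
    os.close(wfd)                      # parent
    child_bytes = os.read(rfd, 32)
    os.close(rfd)
    os.waitpid(pid, 0)
    return child_bytes == drbg.generate(32)


if __name__ == "__main__":
    for protected in (False, True):
        label = "with" if protected else "without"
        print(f"{label} fork protection: simulated collision = "
              f"{outputs_collide(protected)}")
        if hasattr(os, "fork"):
            print(f"{label} fork protection: real fork collision = "
                  f"{real_fork_collides(protected)}")
```

Without protection the two processes agree on every byte, which is exactly the
state an attacker wants when, say, a pre-forking server draws nonces or session
keys in each child. A pid check is one way to detect the fork; an atfork hook
that resets the state in the child is another, and either must run before the
first output in the child, not after.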

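A practical follow-up to the three advisories above: confirm that the installed
packages are at or above the fixed versions (for buster the -3 openssl version
supersedes the -1 one) and, on buster hosts that run a kernel other than
Debian's, confirm the kernel is at least 3.19 before expecting OpenSSH to keep
accepting connections after the openssl upgrade (DSA-4539-2). This is an added
example, not Debian or AusCERT code. It embeds a Debian version comparison
written from the Debian Policy ordering rules so it also runs where dpkg is
absent; the binary package names (libssl1.1, openssh-server, openssh-client)
are an assumption about what the openssl and openssh source packages build.

```python
"""Check DSA-4539 fixed versions and the kernel >= 3.19 requirement.

Added example, not Debian tooling. Version ordering follows Debian Policy
(epoch, upstream_version, debian_revision; '~' sorts before anything).
"""
import os
import re
import shutil
import subprocess

# Fixed versions as stated in DSA-4539-1/-2/-3. Binary package names are an
# assumption about what the openssl and openssh source packages build.
FIXED = {
    "stretch": {"openssl": "1.1.0l-1~deb9u1", "libssl1.1": "1.1.0l-1~deb9u1"},
    "buster": {
        "openssl": "1.1.1d-0+deb10u2",
        "libssl1.1": "1.1.1d-0+deb10u2",
        "openssh-server": "1:7.9p1-10+deb10u1",
        "openssh-client": "1:7.9p1-10+deb10u1",
    },
}
MIN_KERNEL = (3, 19)   # DSA-4539-2: sandboxing needs a 3.19 or newer kernel


def _char_order(c: str) -> int:
    # '~' sorts before anything, even the end of the string (0);
    # letters sort before non-letters.
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a: str, b: str) -> int:
    for i in range(max(len(a), len(b))):
        oa = _char_order(a[i]) if i < len(a) else 0
        ob = _char_order(b[i]) if i < len(b) else 0
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream_version or debian_revision: alternate non-digit
    runs (lexical, with the '~' rule) and digit runs (numeric)."""
    while a or b:
        ma, mb = re.match(r"[^0-9]*", a), re.match(r"[^0-9]*", b)
        r = _cmp_nondigit(ma.group(), mb.group())
        if r:
            return r
        a, b = a[ma.end():], b[mb.end():]
        ma, mb = re.match(r"[0-9]*", a), re.match(r"[0-9]*", b)
        na, nb = int(ma.group() or "0"), int(mb.group() or "0")
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[ma.end():], b[mb.end():]
    return 0


def compare_debian_versions(v1: str, v2: str) -> int:
    """Return -1, 0 or 1, like dpkg --compare-versions lt / eq / gt."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, "0"
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def is_fixed(installed: str, fixed: str) -> bool:
    return compare_debian_versions(installed, fixed) >= 0


def kernel_at_least(release: str, minimum=MIN_KERNEL) -> bool:
    """Parse a `uname -r` string such as '4.19.0-6-amd64'."""
    m = re.match(r"(\d+)\.(\d+)", release)
    return bool(m) and (int(m.group(1)), int(m.group(2))) >= tuple(minimum)


def installed_version(pkg: str):
    """Installed version via dpkg-query, or None if absent / not Debian."""
    if not shutil.which("dpkg-query"):
        return None
    p = subprocess.run(["dpkg-query", "-W", "--showformat=${Version}", pkg],
                       capture_output=True, text=True)
    if p.returncode != 0:
        return None
    return p.stdout.strip() or None


def codename() -> str:
    try:
        with open("/etc/os-release") as f:
            for line in f:
                if line.startswith("VERSION_CODENAME="):
                    return line.split("=", 1)[1].strip().strip('"')
    except OSError:
        pass
    return ""


if __name__ == "__main__":
    release = os.uname().release if hasattr(os, "uname") else ""
    state = "ok" if kernel_at_least(release) else "older than 3.19, see DSA-4539-2"
    print(f"kernel {release}: {state}")
    for pkg, fixed in FIXED.get(codename(), {}).items():
        cur = installed_version(pkg)
        if cur is None:
            print(f"{pkg}: not installed")
        else:
            verdict = "fixed" if is_fixed(cur, fixed) else f"VULNERABLE (< {fixed})"
            print(f"{pkg}: {cur} {verdict}")
```

Run it as root or any user on the host in question; dpkg-query needs no
privileges. Where dpkg is available, `dpkg --compare-versions` gives the
authoritative answer and the embedded comparison should agree with it.
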
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
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=+7cB
-----END PGP SIGNATURE-----