-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0616
                          openssl security update
                             19 February 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openssl
                   openssl1.0
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Denial of Service -- Remote/Unauthenticated
                   Reduced Security  -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-23841 CVE-2021-23840 

Reference:         ESB-2021.0613
                   ESB-2021.0597

Original Bulletin: 
   https://www.debian.org/lts/security/2021/dla-2563
   https://www.debian.org/lts/security/2021/dla-2565

Comment: This bulletin contains two (2) Debian security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2563-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
February 18, 2021                             https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : openssl
Version        : 1.1.0l-1~deb9u3
CVE IDs        : CVE-2021-23840 CVE-2021-23841

It was discovered that there were two issues in the openssl
cryptographic system:

 * CVE-2021-23840: Prevent an issue where "Digital EnVeloPe"
   EVP-related calls could cause applications to behave incorrectly
   or even crash.

 * CVE-2021-23841: Prevent an issue in the X509 certificate parsing
   caused by the lack of error handling while ingesting the "issuer"
   field.

For Debian 9 "Stretch", these problems have been fixed in version
1.1.0l-1~deb9u3.

We recommend that you upgrade your openssl packages.

For the detailed security status of openssl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openssl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----


- --------------------------END INCLUDED TEXT--------------------
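
The fixed version quoted above, 1.1.0l-1~deb9u3, contains a "~", which dpkg sorts before the end of the string, so a plain string or dotted-number comparison gives wrong answers. The following is an added example, not part of the Debian or AusCERT text: it reimplements dpkg's version ordering so an exported package inventory can be checked offline. The host names and installed versions in INVENTORY are constructed for illustration.

```python
import re
from itertools import zip_longest

FIXED = "1.1.0l-1~deb9u3"  # fixed openssl version for Debian 9 "Stretch", from the advisory

def _order(c):
    """dpkg character weight: '~' < end of string < letters < other symbols."""
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare one upstream-version or revision string the way dpkg does."""
    tok = re.compile(r"([^0-9]*)([0-9]*)")  # alternating non-digit / digit runs
    for (ta, da), (tb, db) in zip_longest(tok.findall(a), tok.findall(b), fillvalue=("", "")):
        for k in range(max(len(ta), len(tb))):
            oa, ob = _order(ta[k:k + 1]), _order(tb[k:k + 1])
            if oa != ob:
                return -1 if oa < ob else 1
        na, nb = int(da or 0), int(db or 0)  # digit runs compare numerically
        if na != nb:
            return -1 if na < nb else 1
    return 0

def _split(version):
    """Split [epoch:]upstream[-revision]; a missing epoch is 0."""
    head, colon, tail = version.partition(":")
    epoch, rest = (int(head), tail) if colon else (0, version)
    upstream, dash, revision = rest.rpartition("-")
    return (epoch, upstream, revision) if dash else (epoch, rest, "")

def compare_versions(a, b):
    """Return -1, 0 or 1 as a sorts before, equal to or after b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def hosts_needing_upgrade(inventory, fixed=FIXED):
    """Hosts whose installed openssl sorts before the fixed version."""
    return sorted(h for h, v in inventory.items() if compare_versions(v, fixed) < 0)

# Constructed sample inventory (host -> installed openssl package version).
INVENTORY = {"web01": "1.1.0l-1~deb9u1", "db01": "1.1.0l-1~deb9u3",
             "mail01": "1.1.0j-1~deb9u1", "build01": "1.1.0l-1~deb9u10"}

if __name__ == "__main__":
    print(hosts_needing_upgrade(INVENTORY))
```

On a Debian host itself, `dpkg --compare-versions` performs the same comparison against the installed package.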

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----