copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ESB-2014.0894.2 - UPDATE [Debian] openssl: Multiple vulnerabilities

Date: 17 June 2014
References: ESB-2014.0887  ESB-2014.0888  ESB-2014.0889  ESB-2014.0890  ESB-2014.0891  ESB-2014.0892  ESB-2014.0897  ESB-2014.0898.2  ESB-2014.0902  ESB-2014.0967  
ESB-2014.1028  ESB-2014.1044  ESB-2014.1062  ESB-2014.1131  ESB-2014.1183  ESB-2014.1208  ESB-2014.1388  ESB-2014.2386  ESB-2015.0381  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2014.0894.2
                          openssl security update
                               17 June 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openssl
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3470 CVE-2014-3153 CVE-2014-0224
                   CVE-2014-0221 CVE-2014-0195 

Reference:         ESB-2014.0892
                   ESB-2014.0891
                   ESB-2014.0890
                   ESB-2014.0889
                   ESB-2014.0888
                   ESB-2014.0887

Original Bulletin: 
   http://www.debian.org/security/2014/dsa-2950

Revision History:  June 17 2014: This update updates the upstream fix for CVE-2014-0224 to address 
                   problems with CCS which could result in problems with the Postgres database.
                   June  6 2014: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2950-1                   security@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
June 05, 2014                          http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : openssl
CVE ID         : CVE-2014-0195 CVE-2014-0221 CVE-2014-0224 CVE-2014-3470

Multiple vulnerabilities have been discovered in OpenSSL:

CVE-2014-0195

    Jueri Aedla discovered that a buffer overflow in processing DTLS
    fragments could lead to the execution of arbitrary code or denial
    of service.

CVE-2014-0221

    Imre Rad discovered the processing of DTLS hello packets is 
    susceptible to denial of service.

CVE-2014-0224

    KIKUCHI Masashi discovered that carefully crafted handshakes can
    force the use of weak keys, resulting in potential man-in-the-middle
    attacks.

CVE-2014-3470

    Felix Groebert and Ivan Fratric discovered that the implementation of
    anonymous ECDH ciphersuites is suspectible to denial of service.

Additional information can be found at 
http://www.openssl.org/news/secadv_20140605.txt

For the stable distribution (wheezy), these problems have been fixed in
version 1.0.1e-2+deb7u10. All applications linked to openssl need to
be restarted. You can use the tool checkrestart from the package
debian-goodies to detect affected programs or reboot your system. There's
also a forthcoming security update for the Linux kernel later the day
(CVE-2014-3153), so you need to reboot anyway. Perfect timing, isn't it?

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your openssl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJTkFmLAAoJEBDCk7bDfE42KeEP/2arDOfqKC72VOtJ+T7jwjTP
x4vdXKCFvDknNTs4sf4/BPa1UeNu2xANWl9UcpueE9UKInuGP61+UeAuyAjBNHiz
GOz1zQ1DvqK71JmlIvK4bnTAnwTHDOwvlNABGPWiahnzhbLDN2eFnNLTT3S33FL7
DDuD5UXvtroNYcPF1N7Uvze3oG1rBIilrX+lmFE+I52v4+TRZJKgUfuydX3OO+z7
gRGsI5nEFff4xe32N32AVh90yf0UbR783BBAW+NZuxsmRFOJ06CvpjmAuycAk33X
1IOkCwxSXtWOlOsi1k1sTK0EvDyB4bY1NSMqNUXgxmZ/IQld25CO4lRZCJj8QBA6
DhFRfEg+70anqZ6uI5+DvG8ichNNpPg8CKKNTv2aGUrKVjFT2jzN6L/d3wBXBqCF
TkDemP/MKu31dU+KmR8TSG1q08satChdbHHdila3wkjOy1PdJF7ksKUjkRq0mMW2
hn/V60Dc0KMZ1O4cj8b369Ngt57ma9wdgNKzD7GNnqucEV2RT7pwSSVAfCUzPopn
KAo3z4SQAyR1HOQP17yH7XoVlwLcpo8Orqvnktz2D9M2ehsopjfNEvLaCkaRRO1t
1IQwbDdjCEStLwbFqdxQA4RfpQU0Fhq01AuuA7/exy5yZrq8So6NarGdpnesTqGa
tsd2gjmQwj7gbB+qL7zk
=MUFq
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - -------------------------------------------------------------------------
Debian Security Advisory DSA-2950-2                   security@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
June 16, 2014                          http://www.debian.org/security/faq
- - - -------------------------------------------------------------------------

Package        : openssl
CVE ID         : CVE-2014-0195 CVE-2014-0221 CVE-2014-0224 CVE-2014-3470

This update updates the upstream fix for CVE-2014-0224 to address 
problems with CCS which could result in problems with the Postgres 
database.

In addition this update disables ZLIB compress by default. If you need
to re-enable it for some reason, you can set the environment variable
OPENSSL_NO_DEFAULT_ZLIB.

This update also fixes a header declaration which could result in
build failures in applications using OpenSSL.

For the stable distribution (wheezy), these problems have been fixed in
version 1.0.1e-2+deb7u11. 

We recommend that you upgrade your openssl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJTnzVQAAoJEBDCk7bDfE42ym4P/iO9in92XQ7Lj1pmk8TNFD/c
wCWzw+cSqA+iRElPV3Aho0iwfJraS+mh/hmTHxCYiBab8rvwXBBbg5MiNmr6gscB
tdNkuBIgszMFNgbawozdhbApeVD0cmILq5V+xtlLsZLAtfqDc0rnCzmv9oVxn5pe
5WNE1xHy4h3nfI9dquOQPT9/3nnWQSNnSYqhhL43r1n0FVB2GuHlkl3gIdJUwPmz
iXawuNnmuHamElrRcqsLmZxz8cdprEaKTPa0Pdc6ljzyWnX80C3lqVNb9NQzh2jw
82HNFkPIONGr8sTZ9dcxdtJiKR1qXWGVmC9BobSBLCnsmDy3z1olgZr8BIdGOQJc
9XAWBodBUNBsndaX3eWfbDdaa0uJ0lJnSjZkJ67qMZg4/S0U5w2GehJr6SbCopov
uLaoKT3dQbOJkNPVe1AIoG2XL3NCoOMET/+yaKyBoEhKSwzA+Z0p/UckasVmcWhH
H7Cy05IETj7rwvkG2DtjUTEFPcj9CwG7PDgC/ncB75vToZA8SKMQ3TMK5KgSB1HT
sF3KqOw56qvanGucl7W5iwG12bwNTMVmC1/7yCGw0cAhnB1NdyrBU0oo4l1TlRnV
XmhYIXhG9jobI8qghe19nNMsk9YYOOBzgPqitfRkIqOfgyPH3ufbX46IMTTOtHRG
rVzwCdeAdNsepcQM6SqN
=lJYd
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU5+h5hLndAQH1ShLAQJKBQ/9EHA/3/kgIZ1wZP5Ur4VCJx9x+HEWeEc9
LCczd6CUlo9l35NIAbQIhxT+kMtGu8QSpD5mmk62z0DmoYvBv3i7sIRh/v4DatyM
Q/cnm9zUn/h2VZpUsc8PECi+IezzV95nMTvlK4nOmMQcpddml3MrwUNTgh5Mk+yz
6g5RuRlKuRAWhREMXypddToiHizxhiFO4rDdSTokS8CL0ggj47XkCWZRXbIy0GUo
/WcQCF/MRws69tM8gzZMRw8mTozKuJi9UYsiQ4O26fluSZFQfhkuf3RJ8uQMvwsH
6z6eJ0A/2P8RiCJTKHl1dTUo11motTNF5Odu6xifXrraIDK0SHWaxpUNy53E8Stq
8wJNXTEsyyZOc6Q0KmOYxKD/K1dImZQGLgcRdoqZdfYSEkzpXoSi29wxNnOxugP4
EktAOwOFendX4QCeATi+reWNoOtKPYgip3yNp8F5bYkdwLxFkTD/x0VS7URflzgc
7REqjCyuF3Akw73+l5u+SG2AmW3x/odhSfJOhaoF2Alb/2pOSBgeRv/DzemoccSe
TLDciqQbCo+IUkjkCcKhNqdlgzg0PYFtgm4hEVE4KlEoa85Wbw2/XsJs5dgsaQVA
0oW+aYkA5EwLJGk/iU+dHN9IU8N/bRB0mEs2mnuyOl5qtLBMly2p6F0tyVI8ym5e
5r5xeIn2/XM=
=ml0M
-----END PGP SIGNATURE-----