ESB-2014.1189 - [Win][UNIX/Linux][Debian] polarssl: Denial of service - Remote/unauthenticated

Date: 21 July 2014


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1189
                         polarssl security update
                               21 July 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           polarssl
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-4911  

Original Bulletin: 
   http://www.debian.org/security/2014/dsa-2981

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running polarssl check for an updated version of the software for 
         their operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-2981-1                   security@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
July 18, 2014                          http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : polarssl
CVE ID         : CVE-2014-4911
Debian Bug     : 754655

A flaw was discovered in PolarSSL, a lightweight crypto and SSL/TLS
library, which can be exploited by a remote unauthenticated attacker to
mount a denial of service against PolarSSL servers that offer GCM
ciphersuites. Clients are potentially affected too, if a malicious server
decides to mount the denial of service attack against them.

For the stable distribution (wheezy), this problem has been fixed in
version 1.2.9-1~deb7u3.

For the testing distribution (jessie), this problem has been fixed in
version 1.3.7-2.1.

For the unstable distribution (sid), this problem has been fixed in
version 1.3.7-2.1.

We recommend that you upgrade your polarssl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================