ESB-2015.0004 - [Win][UNIX/Linux][Debian] polarssl: Denial of service - Remote/unauthenticated

Date: 05 January 2015
References: ESB-2016.0005  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0004
                         polarssl security update
                              5 January 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           polarssl
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-8628  

Original Bulletin: 
   http://www.debian.org/security/2014/dsa-3116

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running polarssl check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3116-1                   security@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
December 30, 2014                      http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : polarssl
CVE ID         : CVE-2014-8628

It was discovered that a memory leak in parsing X.509 certificates may 
result in denial of service.

For the stable distribution (wheezy), this problem has been fixed in
version 1.2.9-1~deb7u4.

For the upcoming stable distribution (jessie), this problem has been
fixed in version 1.3.9-1.

For the unstable distribution (sid), this problem has been fixed in
version 1.3.9-1.

We recommend that you upgrade your polarssl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUof1xAAoJEBDCk7bDfE42TrkP/A7Iw+HG6yaSV3DZ4THEAesN
sMApQQT2IyQ/YjxZ+RGKCgowQiiO+eVVYBjM4v0SafIKWHlcvsPIjMXqDHGR6+Dz
gzUAQ1vHBiWw5gI7Ix7dv8jgV0s2yKaSr6YTLBzDbNX6AmUCIaXbZgKe7wTSAf2u
5kuSoPXb+Vf9I08md6hFbEPvEJfnTZFaqiXl+2nRX2NzDBQGQXzyBbr7aPz06+nl
EVE20HClcKqjusCVaB4KCc9if1D3PswxgbdLIpg0BvVfO7ZugZeaZ4A1QHUVUxm0
m4FxAVDXcmQDBIlgKScT/0tgjUOElpVGGjoE4m6tM3gqULVCdw1NPxJm9vd8sglm
462aYOB75hHrKqyR37h6/1t+3dpt9tq1V8ZY931CucnbEnq3xWSkkIKXkFMMIN7R
asXGNanoLVwkLwF5oylqy+asCHW66m00rJmet4b1ZjKNCIdGD7z/QjCymNWXg7Ya
rXtQn7w7qAlijiNPsvnQnh4Rd1QeNYuqpZ7prYvRfcafhPHX1DwQFR3zSnzMxqL6
UNyjOiO4ZWRIWUPJYtGh8j7OnXTlBaRWibzUCSoYE83kvM0lPC/MLy5RQ2BripaO
Ik7n++UFVGKtW6wbSI8qLB5H5MOWRl78d8J6Yt7hUcHX/at9+dczbq+h5guXXJwX
l78i+xR59Y4GHHoaUiEN
=6w3n
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
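The advisory above gives the fixed package versions but leaves the actual check to the administrator. As an added example (not part of the Debian advisory or of this AusCERT bulletin), the Python script below takes an inventory of installed polarssl package versions and reports every entry that still sorts below the fixed version for its suite. It re-implements dpkg's version ordering (epoch, upstream version, Debian revision, with the tilde sorting below everything) so that the comparison can be run on a central host that has no dpkg; the inventory format, the host names and the binary package names libpolarssl0 and libpolarssl7 are constructed for the example.

```python
"""Check installed polarssl package versions against the fixed versions in
DSA-3116-1 (CVE-2014-8628). Added example, not part of the advisory; it
re-implements dpkg's version ordering so the check runs on any host.
Inventory format, host names and binary package names are constructed."""

# Fixed versions exactly as stated in DSA-3116-1.
FIXED_VERSIONS = {"wheezy": "1.2.9-1~deb7u4", "jessie": "1.3.9-1", "sid": "1.3.9-1"}

# Constructed inventory, "<host> <suite> <package> <installed version>", as a
# host would report via: dpkg-query -W -f='${Package} ${Version}\n' 'libpolarssl*'
SAMPLE_INVENTORY = [
    "web01   wheezy libpolarssl0 1.2.9-1~deb7u3",
    "web02   wheezy libpolarssl0 1.2.9-1~deb7u4",
    "build01 jessie libpolarssl7 1.3.8-1",
    "build02 sid    libpolarssl7 1.3.9-1",
]


def _order(c):
    """dpkg character weight: end-of-string and digits 0, '~' below everything,
    letters by ASCII, any other symbol above letters."""
    if c == "" or c.isdigit():
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare an upstream-version or revision fragment as dpkg does:
    alternate non-digit runs (char by char via _order) and digit runs (numeric)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":  # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():  # longer digit run is the larger number
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split '[epoch:]upstream[-revision]': epoch before the first ':',
    Debian revision after the last '-'."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, _, revision = version.rpartition("-") if "-" in version else (version, "", "")
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 with the same ordering as dpkg --compare-versions."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        c = _verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


def check_inventory(lines):
    """Return (host, package, installed, fixed) for each entry whose installed
    version sorts below the fixed version of its suite."""
    findings = []
    for line in lines:
        host, suite, package, installed = line.split()
        fixed = FIXED_VERSIONS[suite]
        if compare_versions(installed, fixed) < 0:
            findings.append((host, package, installed, fixed))
    return findings


if __name__ == "__main__":
    for host, package, installed, fixed in check_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {package} {installed} < {fixed}, still affected by CVE-2014-8628")
```

Two points to keep in mind when reading the results. The tilde in 1.2.9-1~deb7u4 makes that version sort below a plain 1.2.9-1; that is Debian's deliberate convention for stable security updates, so the ordering is correct for Debian-built packages, but a host carrying a 1.2.9-1 build from some other source would not be flagged even though nothing says it contains the fix. And the fixed-version table only covers the Debian suites named in the DSA; for polarssl built on other platforms (the case the AusCERT comment above refers to) the table must be filled from that platform's own advisory. On a single Debian host the same decision can be made with dpkg itself, via dpkg-query -W -f='${Version}' and dpkg --compare-versions.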

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----