Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [SECURITY] [DSA 4065-1] openssl1.0 security update

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [SECURITY] [DSA 4065-1] openssl1.0 security update


Chronologisch Thread 
    < Chronologisch >      < Thread >
  • From: Salvatore Bonaccorso <carnil AT debian.org>
  • To: debian-security-announce AT lists.debian.org
  • Subject: [IT-SecNots] [SECURITY] [DSA 4065-1] openssl1.0 security update
  • Date: Sun, 17 Dec 2017 13:59:28 +0000
  • List-archive: https://lists.debian.org/msgid-search/E1eQZTU-0002Wn-5f AT seger.debian.org
  • List-id: <debian-security-announce.lists.debian.org>
  • List-url: <http://lists.debian.org/debian-security-announce/>
  • Old-return-path: <carnil AT seger.debian.org>
  • Priority: urgent
  • Resent-date: Sun, 17 Dec 2017 13:59:51 +0000 (UTC)
  • Resent-from: debian-security-announce AT lists.debian.org
  • Resent-message-id: <QcM6PhZkWkP.A.stH.XhnNaB@bendel>
  • Resent-sender: debian-security-announce-request AT lists.debian.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4065-1 security AT debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
December 17, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : openssl1.0
CVE ID : CVE-2017-3737 CVE-2017-3738

Multiple vulnerabilities have been discovered in OpenSSL, a Secure
Sockets Layer toolkit. The Common Vulnerabilities and Exposures project
identifies the following issues:

CVE-2017-3737

David Benjamin of Google reported that OpenSSL does not properly
handle SSL_read() and SSL_write() while being invoked in an error
state, causing data to be passed without being decrypted or
encrypted directly from the SSL/TLS record layer.

CVE-2017-3738

It was discovered that OpenSSL contains an overflow bug in the AVX2
Montgomery multiplication procedure used in exponentiation with
1024-bit moduli.

Details can be found in the upstream advisory:
https://www.openssl.org/news/secadv/20171207.txt

For the stable distribution (stretch), these problems have been fixed in
version 1.0.2l-2+deb9u2.

We recommend that you upgrade your openssl1.0 packages.

For the detailed security status of openssl1.0 please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/openssl1.0

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce AT lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlo2d9VfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0QSrg/9FMen2+LCJ6Gia5XeB+RmZ1JqC1eFBYfpgqVwRik1VOZ9bGP3py5saKDZ
JuTwloUXYWPDJu79DZG4M9tWkFt7rcy4jqf5x7UfGXKO0VWvtoGABo4rshYe6Y/3
9qPTkJh3I2A67pMk7UQ+4Cu6MxYIcvBKcmiRnqzUbDxrK0CKn798iWTemUyXxdiC
iNXM6+mdy8tReWX3IWUR1sg6QqwU/wlkKHYXHpe6z1GxR3GYrFgzikFbn4czy6Yu
3H7a+CPfVE8lRwO8zh8VJf6gKkU5DT22GPtR87dvgIi0O8qNvZryXau4aDRgI+io
IzeWo+VFWX6vVQhQXFP1ZT+BQffTOYAEwExvfiAZppEn+0YeuyTresoxBwQodLDz
mpFANGkGvG95294gwaORZxmT/r6drYLOtb0q2ZN0SI4VRly0Jqbg/+jHAUjQSd+y
XcPiEPIRnttJX6UR0kJL2lhn998uJfdiU2gyQ/m6d9Y953I1a0N8HnErTXvUQYty
eEWIKiZ02g0J89P0dPlIDtEHZJ9FBJffkWUuk4Z1UVpb2Ogs5hZ4yPC4oiiqxnxO
DH5u/7z+srm97SNmz+fntoae3LgrOtKjZq3yiyjE3UjNJZdI2yCKPFGd45CCTqRV
bD1Sb0KJCrIlbtPsJiEHKmPXKLoUxICVmAq1n8KdgMnd/jNmMnM=
=y++r
-----END PGP SIGNATURE-----


  • [IT-SecNots] [SECURITY] [DSA 4065-1] openssl1.0 security update, Salvatore Bonaccorso, 17.12.2017

Archiv bereitgestellt durch MHonArc 2.6.19.

Seitenanfang