lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 13 Feb 2013 21:07:41 +0100 (CET) From: Thijs Kinkhorst <thijs@...ian.org> To: debian-security-announce@...ts.debian.org Subject: [SECURITY] [DSA 2621-1] openssl security update -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------- Debian Security Advisory DSA-2621-1 security@...ian.org http://www.debian.org/security/ Thijs Kinkhorst February 13, 2013 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : openssl Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2013-0166 CVE-2013-0169 Debian Bug : 699889 Multiple vulnerabilities have been found in OpenSSL. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2013-0166 OpenSSL does not properly perform signature verification for OCSP responses, which allows remote attackers to cause a denial of service via an invalid key. CVE-2013-0169 A timing side channel attack has been found in CBC padding allowing an attacker to recover pieces of plaintext via statistical analysis of crafted packages, known as the "Lucky Thirteen" issue. For the stable distribution (squeeze), these problems have been fixed in version 0.9.8o-4squeeze14. For the testing distribution (wheezy), these problems will be fixed soon. For the unstable distribution (sid), these problems have been fixed in version 1.0.1e-1. We recommend that you upgrade your openssl packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-announce@...ts.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJRG/JcAAoJEFb2GnlAHawEXbAH/16o5HCWPDrLN8USWuBKPi9R ECdIC/8JlxIqaTgCzYn8T704y05Q9orT2SwjThpkbqwgjhWtCvDVozYmHIrznoVQ g2Vi+kk1o0qmSuuWC6F2GUIgiaqWQkrt1zm2E6XPirL8WNGB71GJfDEAGR+xCwGJ h8JEOgoqIadiyZ9ZcSMqMnyMdktRReRuCLUhYlnK5Ls1iEA7Cuu+l/kvLQjRrTJ5 mybsFt+f7edaDRVlXIBjNLKT7/Xo0bcVdRN5Jm5fKNtoTCrOsf5Qzpx0lQuAFA4l fTooy9XvKKvWvilhZhQPHygMHTyqEPbEoMViwdNnVmrN3XISS4MgsCPjZet47CU= =r0Ii -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists