lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1WXWMr-0004lG-EY@master.debian.org>
Date: Tue, 08 Apr 2014 13:47:13 +0000
From: Salvatore Bonaccorso <carnil@...ian.org>
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 2896-2] openssl security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2896-2                   security@...ian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
April 08, 2014                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openssl
CVE ID         : CVE-2014-0160

This revision to the recent OpenSSL update, DSA-2896-1, checks for some
services that may use OpenSSL in a way that they expose the
vulnerability.  Such services are proposed to be restarted during the
upgrade to help in the actual deployment of the fix.

The list of services that are checked is not comprehensive. For a more
detailed check, it is recommended to use the checkrestart tool from the
debian-goodies package. Note that client applications also need to be
restarted.

In case of doubt a full system restart is recommended.

For reference, the original advisory text follows.

A vulnerability has been discovered in OpenSSL's support for the
TLS/DTLS Hearbeat extension. Up to 64KB of memory from either client or
server can be recovered by an attacker. This vulnerability might allow
an attacker to compromise the private key and other sensitive data in
memory.

All users are urged to upgrade their openssl packages (especially
libssl1.0.0) and restart applications as soon as possible.

According to the currently available information, private keys should be
considered as compromised and regenerated as soon as possible. More
details will be communicated at a later time.

The oldstable distribution (squeeze) is not affected by this
vulnerability.

For the stable distribution (wheezy), this problem has been fixed in
version 1.0.1e-2+deb7u6.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your openssl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@...ts.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJTQ/sNAAoJEAVMuPMTQ89EsEYP/0u8fG6OS/RDFgaARZeEDNGc
NfqSY6xcCRXxhgdxyq72HH0aU4TeYCTqMlD+AAcCLq8Y2hJ4hU/1rXwDlndgwUnj
NS0lkrwji0tVfX13A0iRFT0xf60dAUISd5EfcjJAwmZ9e4hHqCGgaMNpezmy5tUl
M0SgVptlxRaG4mISUeuHlvyMZ36bNwtEnnYL9vm2xBkMwzgotpcwDznrfbxRo9kx
VsIkXD5tmyFzvhPOYikE4ROVY62HKpwssWV2oaHK6xKSVPSyqUvuNCzPTV8nh8PC
Ndlwhqt1On4ui03pcbB5Ms2wPHEnu7IxJCci84P6XBH5XQ+dLTEmb8EIOsmteell
pLRJUAyFoyAQAilgNw2A1fiUHJn58jLmLmW3b0ce9ZfrLcNtnpBuqHHuWZZLZij0
CWA8etYEmj8d80+ERqw0A3BpSxt5RKuKVLGq8iqypWmIlBaTBCJWwwp+lXVEvPbi
4JxPfo9NYnS0wzgZMC96PGAQq5Dw9yf9weV4PE2ZaxH3vHYNc+7DDmsUF44a7/qN
rXKU6cliIs1syIT7q4Br7Xn9FNyfoY9cwhGintC5u20+8mewLnTDjmHUOKQJuXOo
eQAPZOSgQZRQ+u40Hg93BXHU8dMkZ329huodQeR7RTlpPK3iM7lXxi+yd7bkvEwQ
pkSzcpXQmGsZ3Vp9wC58
=VRqT
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ