lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1f1ec8-0003NI-7z@seger.debian.org>
Date: Thu, 29 Mar 2018 20:57:40 +0000
From: Salvatore Bonaccorso <carnil@...ian.org>
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 4157-1] openssl security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4157-1                   security@...ian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 29, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openssl
CVE ID         : CVE-2017-3738 CVE-2018-0739

Multiple vulnerabilities have been discovered in OpenSSL, a Secure
Sockets Layer toolkit. The Common Vulnerabilities and Exposures project
identifies the following issues:

CVE-2017-3738

    David Benjamin of Google reported an overflow bug in the AVX2
    Montgomery multiplication procedure used in exponentiation with
    1024-bit moduli.

CVE-2018-0739

    It was discovered that constructed ASN.1 types with a recursive
    definition could exceed the stack, potentially leading to a denial
    of service.

Details can be found in the upstream advisory:
https://www.openssl.org/news/secadv/20180327.txt

For the oldstable distribution (jessie), these problems have been fixed
in version 1.0.1t-1+deb8u8. The oldstable distribution is not affected
by CVE-2017-3738.

For the stable distribution (stretch), these problems have been fixed in
version 1.1.0f-3+deb9u2.

We recommend that you upgrade your openssl packages.

For the detailed security status of openssl please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/openssl

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@...ts.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlq9UxtfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0Qi/Q//U7BsT4ITKgPcpErXfKx5RXi2xcPw/trUr83HqZvNIR99HUnQPVYbkyyX
PLvB6xhmPAjx4cQFff8e5EIHR2OpoRzZ5nAvqo2b2bn1liVL1/pllYmj5HiHz5tb
8NXuDrDpO432rFDgrba6LDlXulq4Kux/NJpg1G/CkzNHMXXZR9xi3JZDMZU7jiZC
eGynQd1MLlF2+6qWIX/7KJHI+tmT4ZNDK9IDMv/YH71gvku0ICY8zB+1qeHP7mPN
dYYC6v5rqrES1SF//NxYu26E/YNo7krn6tN0OPhoDRZ3aPuqyOfB7QpxHOsdztfQ
2mIcXzS5JXdhQ5J8aEBrziAQ/nSoW+T533LniXVIiSQn+sYjrjg1vRt5PrBLx2N0
CNX4OVcstV2bGYKknOGYBVnEzURGoeydHx3zZn/OflCe+X6lpxQAwmfgrw4+T+FX
QxnjVEn4e5HeR2RGOnHzA6g3GuyJ+OeU3g0WEbAgOhqowTx3OOX7/htYnt702GKQ
9aA4ypYG8228owbno857nfnDb6eGbeqeH3BF8B20p4VHwlL1+XxyMmM+yzgbwCoA
8npl1DiiyUNBFl3WpQrjg7NwWXw+EGp5F+GxRip9yO/8cxKXn3+LqZP7gGR/+Mz5
ATXpKzuY6L8Gzh4Y+W7IH+iApSpSOlDXzo18PVCfp9qxnKNjetA=
=whaV
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ