-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.0916
                OpenSSL Security Advisory [6 September 2011]
                              8 September 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OpenSSL
Publisher:         OpenSSL
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service    -- Remote/Unauthenticated
                   Unauthorised Access  -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-3210 CVE-2011-3207

Original Bulletin:
  http://www.openssl.org/news/secadv_20110906.txt

- --------------------------BEGIN INCLUDED TEXT--------------------

OpenSSL Security Advisory [6 September 2011]

Two security flaws have been fixed in OpenSSL 1.0.0e

CRL verification vulnerability in OpenSSL
=========================================

Under certain circumstances OpenSSL's internal certificate verification
routines can incorrectly accept a CRL whose nextUpdate field is in the
past. (CVE-2011-3207)

This issue applies to OpenSSL versions 1.0.0 through 1.0.0d. Versions of
OpenSSL before 1.0.0 are not affected.

Users of affected versions of OpenSSL should update to the OpenSSL 1.0.0e
release, which contains a patch to correct this issue.

Thanks to Kaspar Brand <ossl@velox.ch> for identifying this bug and
suggesting a fix.

TLS ephemeral ECDH crashes in OpenSSL
=====================================

OpenSSL server code for ephemeral ECDH ciphersuites is not thread-safe,
and furthermore can crash if a client violates the protocol by sending
handshake messages in incorrect order. (CVE-2011-3210)

This issue applies to OpenSSL 0.9.8 through 0.9.8s (experimental
"ECCdraft" ciphersuites) and to OpenSSL 1.0.0 through 1.0.0d.

Affected users of OpenSSL should update to the OpenSSL 1.0.0e release,
which contains a patch to correct this issue.

If you cannot immediately upgrade, we recommend that you disable
ephemeral ECDH ciphersuites if you have enabled them.

Thanks to Adam Langley <agl@chromium.org> for identifying and fixing
this issue.

Which applications are affected
===============================

Applications are only affected by the CRL checking vulnerability if they
enable OpenSSL's internal CRL checking, which is off by default. For
example, by setting the verification flag X509_V_FLAG_CRL_CHECK or
X509_V_FLAG_CRL_CHECK_ALL. Applications which use their own custom CRL
checking (such as Apache) are not affected.

Only server-side applications that specifically support ephemeral ECDH
ciphersuites are affected by the ephemeral ECDH crash bug, and only if
ephemeral ECDH ciphersuites are enabled in the configuration. You can
check to see if an application supports ephemeral ECDH ciphersuites by
looking for SSL_CTX_set_tmp_ecdh, SSL_set_tmp_ecdh, SSL_CTRL_SET_TMP_ECDH,
SSL_CTX_set_tmp_ecdh_callback, SSL_set_tmp_ecdh_callback and
SSL_CTRL_SET_TMP_ECDH_CB in the source code.

References
==========

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20110906.txt

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBTmhSxu4yVqjM2NGpAQLi0g/9HfVb/dibR9V3tInT0bttVx22fkMy/8ep
7r9kyqLs+4J5MPBTjNZgQXJVf+ZY2m9r9EhnzClkqxuVFh5Vng3ThfhfoZRJt4P2
iugQrmOeceCw0HVzZ19faGpASwha1zVWpkyPRzNvSuBNZ3JXkxE9O1BKJac6xtxr
TIPdctmLV74caetyrQdz4XIHNgggDS2TMV/gUbLSCVbFGLNwjJaknzCszZLVvqIW
ngnhLevhdDkTlpENUG+RiRnu7oKheA3cfb0Ctx+BxkeA2TKqmmYM+3l1hBytxoaZ
zWFJrOZTT9U3VFr9lLH3RmYvyn83HU6cT/BUGamLQostMJ0xIhui1/ys1HxK1FS6
0hL5ptKxp6NrSGzQ8j/Tz+lD0D1kVUq+UwTlqLpBg3QUNhIGf8aJmZYNA8ynMl1o
tjuSry6ckIr1s18JxzmYqwlvwLoXnFjb5G3cedXLpOql3In1diUY01Eav2++TlVr
abPSFmdOdyAqhIOJFwtdEGQlzUDinUgipbVP7FSaLbBHze2cUUCNkeXEXEc1ikvp
mHrLcDCe9p8RlxcJ66+/MRp5ab4KeFcy1rvE50lcXXPFoA8wdK1qc05ZLSwWrunI
QekcHigxW2R8xsgJ3tYy+Tmj05LcD8PXovdHRfDls90dc5uaA4HkyIuT9oGmj00E
FMyJtuNyIGw=
=eltl
-----END PGP SIGNATURE-----
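The advisory's "Which applications are affected" section gives two concrete triage criteria: the installed OpenSSL version falling in the affected ranges, and the presence of the CRL-check flags or the ephemeral-ECDH API names in an application's source. The script below turns those criteria into a repeatable check. It is an added example, not part of the AusCERT bulletin or the OpenSSL advisory; the identifier list and version ranges are copied from the advisory text, while the function names, the `openssl version` parsing and the source-tree layout are assumptions. It is placed after the signed message so the PGP-signed region above stays intact.

```shell
#!/bin/sh
# Added example: triage helper for CVE-2011-3207 / CVE-2011-3210 based on the
# advisory's own criteria. Function names and layout are assumptions.

# API names the advisory lists as evidence that an application supports
# ephemeral ECDH ciphersuites (CVE-2011-3210 exposure, server side only).
ECDH_SYMBOLS='SSL_CTX_set_tmp_ecdh|SSL_set_tmp_ecdh|SSL_CTRL_SET_TMP_ECDH|SSL_CTX_set_tmp_ecdh_callback|SSL_set_tmp_ecdh_callback|SSL_CTRL_SET_TMP_ECDH_CB'

# Verification flags that switch on OpenSSL's internal CRL checking, which is
# off by default (CVE-2011-3207 exposure).
CRL_FLAGS='X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL'

# parse_openssl_version "OpenSSL 1.0.0d 8 Feb 2011" -> "1.0.0d"
# Takes the second whitespace-separated field of `openssl version` output.
# Vendor suffixes such as "1.0.0e-fips" are returned verbatim and will not
# match the ranges below; treat those as "check your distribution's patches".
parse_openssl_version() {
    set -- $1
    echo "$2"
}

# version_affected VERSION BUG -> prints "yes" or "no"
# BUG is "crl" (1.0.0 through 1.0.0d) or "ecdh" (0.9.8 through 0.9.8s and
# 1.0.0 through 1.0.0d), exactly the ranges the advisory states.
version_affected() {
    v=$1
    bug=$2
    case "$bug" in
        crl)
            case "$v" in
                1.0.0|1.0.0[a-d]) echo yes ;;
                *) echo no ;;
            esac ;;
        ecdh)
            case "$v" in
                1.0.0|1.0.0[a-d]|0.9.8|0.9.8[a-s]) echo yes ;;
                *) echo no ;;
            esac ;;
        *) echo no ;;
    esac
}

# scan_source DIR PATTERN -> prints "file:line:text" for each hit.
# Exit status is grep's: 0 when at least one identifier was found, 1 otherwise.
scan_source() {
    grep -rEn "$2" "$1" 2>/dev/null
}

# Stand-alone usage: sh check_openssl_advisory.sh [SOURCE_DIR]
if [ $# -ge 1 ]; then
    ver=$(parse_openssl_version "$(openssl version 2>/dev/null)")
    echo "installed OpenSSL $ver: CRL bug=$(version_affected "$ver" crl)" \
         "ephemeral ECDH bug=$(version_affected "$ver" ecdh)"
    echo "--- internal CRL checking enabled in $1:"
    scan_source "$1" "$CRL_FLAGS" || echo "(no CRL-check flags found)"
    echo "--- ephemeral ECDH API usage in $1:"
    scan_source "$1" "$ECDH_SYMBOLS" || echo "(no ephemeral ECDH API usage found)"
fi
```

A hit from the ECDH scan means the application can configure ephemeral ECDH; whether it is actually exposed still depends on the ciphersuites enabled in its runtime configuration, as the advisory notes. A hit from the CRL scan means the application opts into OpenSSL's internal CRL checking; applications such as Apache that implement their own CRL checking show no hit and are not affected.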