Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2011.0916
OpenSSL Security Advisory [6 September 2011]
8 September 2011
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: OpenSSL
Publisher: OpenSSL
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Denial of Service -- Remote/Unauthenticated
Unauthorised Access -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2011-3210 CVE-2011-3207
Original Bulletin:
http://www.openssl.org/news/secadv_20110906.txt
- --------------------------BEGIN INCLUDED TEXT--------------------
OpenSSL Security Advisory [6 September 2011]
Two security flaws have been fixed in OpenSSL 1.0.0e
CRL verification vulnerability in OpenSSL
=========================================
Under certain circumstances OpenSSL's internal certificate verification
routines can incorrectly accept a CRL whose nextUpdate field is in the past.
(CVE-2011-3207)
This issue applies to OpenSSL versions 1.0.0 through 1.0.0d. Versions of
OpenSSL before 1.0.0 are not affected.
Users of affected versions of OpenSSL should update to the OpenSSL 1.0.0e
release, which contains a patch to correct this issue.
Thanks to Kaspar Brand <ossl@velox.ch> for identifying this bug and
suggesting a fix.
TLS ephemeral ECDH crashes in OpenSSL
=====================================
OpenSSL server code for ephemeral ECDH ciphersuites is not thread-safe, and
furthermore can crash if a client violates the protocol by sending handshake
messages in incorrect order. (CVE-2011-3210)
This issue applies to OpenSSL 0.9.8 through 0.9.8s (experimental "ECCdraft"
ciphersuites) and to OpenSSL 1.0.0 through 1.0.0d.
Affected users of OpenSSL should update to the OpenSSL 1.0.0e release, which
contains a patch to correct this issue. If you cannot immediately upgrade,
we recommend that you disable ephemeral ECDH ciphersuites if you have enabled
them.
Thanks to Adam Langley <agl@chromium.org> for identifying and fixing this
issue.
Which applications are affected
===============================
Applications are only affected by the CRL checking vulnerability if they enable
OpenSSL's internal CRL checking which is off by default. For example by setting
the verification flag X509_V_FLAG_CRL_CHECK or X509_V_FLAG_CRL_CHECK_ALL.
Applications which use their own custom CRL checking (such as Apache) are not
affected.
Only server-side applications that specifically support ephemeral ECDH
ciphersuites are affected by the ephemeral ECDH crash bug and only if
ephemeral ECDH ciphersuites are enabled in the configuration. You can check
to see if application supports ephemeral ECDH ciphersuites by looking for
SSL_CTX_set_tmp_ecdh, SSL_set_tmp_ecdh, SSL_CTRL_SET_TMP_ECDH,
SSL_CTX_set_tmp_ecdh_callback, SSL_set_tmp_ecdh_callback,
SSL_CTRL_SET_TMP_ECDH_CB in the source code.
References
==========
URL for this Security Advisory:
http://www.openssl.org/news/secadv_20110906.txt
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBTmhSxu4yVqjM2NGpAQLi0g/9HfVb/dibR9V3tInT0bttVx22fkMy/8ep
7r9kyqLs+4J5MPBTjNZgQXJVf+ZY2m9r9EhnzClkqxuVFh5Vng3ThfhfoZRJt4P2
iugQrmOeceCw0HVzZ19faGpASwha1zVWpkyPRzNvSuBNZ3JXkxE9O1BKJac6xtxr
TIPdctmLV74caetyrQdz4XIHNgggDS2TMV/gUbLSCVbFGLNwjJaknzCszZLVvqIW
ngnhLevhdDkTlpENUG+RiRnu7oKheA3cfb0Ctx+BxkeA2TKqmmYM+3l1hBytxoaZ
zWFJrOZTT9U3VFr9lLH3RmYvyn83HU6cT/BUGamLQostMJ0xIhui1/ys1HxK1FS6
0hL5ptKxp6NrSGzQ8j/Tz+lD0D1kVUq+UwTlqLpBg3QUNhIGf8aJmZYNA8ynMl1o
tjuSry6ckIr1s18JxzmYqwlvwLoXnFjb5G3cedXLpOql3In1diUY01Eav2++TlVr
abPSFmdOdyAqhIOJFwtdEGQlzUDinUgipbVP7FSaLbBHze2cUUCNkeXEXEc1ikvp
mHrLcDCe9p8RlxcJ66+/MRp5ab4KeFcy1rvE50lcXXPFoA8wdK1qc05ZLSwWrunI
QekcHigxW2R8xsgJ3tYy+Tmj05LcD8PXovdHRfDls90dc5uaA4HkyIuT9oGmj00E
FMyJtuNyIGw=
=eltl
-----END PGP SIGNATURE-----