Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2013.0204 polarssl security update 14 February 2013 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: polarssl Publisher: Debian Operating System: Windows UNIX variants (UNIX, Linux, OSX) Impact/Access: Denial of Service -- Remote/Unauthenticated Access Confidential Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2013-1622 CVE-2013-1621 CVE-2013-0169 Reference: ESB-2013.0183 ESB-2013.0177 ESB-2013.0161 Original Bulletin: http://www.debian.org/security/2013/dsa-2622 Comment: This advisory references vulnerabilities in products which run on platforms other than Debian. It is recommended that administrators running polarssl check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - ------------------------------------------------------------------------- Debian Security Advisory DSA-2622-1 security@debian.org http://www.debian.org/security/ Thijs Kinkhorst February 13, 2013 http://www.debian.org/security/faq - - ------------------------------------------------------------------------- Package : polarssl Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2013-0169 CVE-2013-1621 CVE-2013-1622 Debian Bug : 699887 Multiple vulnerabilities have been found in OpenSSL. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2013-0169 A timing side channel attack has been found in CBC padding allowing an attacker to recover pieces of plaintext via statistical analysis of crafted packages, known as the "Lucky Thirteen" issue. CVE-2013-1621 An array index error might allow remote attackers to cause a denial of service via vectors involving a crafted padding-length value during validation of CBC padding in a TLS session CVE-2013-1622 Malformed CBC data in a TLS session could allow remote attackers to conduct distinguishing attacks via statistical analysis of timing side-channel data for crafted packets. For the stable distribution (squeeze), these problems have been fixed in version 0.12.1-1squeeze1. For the testing distribution (wheezy), and the unstable distribution (sid), these problems have been fixed in version 1.1.4-2. We recommend that you upgrade your polarssl packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJRG/SIAAoJEFb2GnlAHawEgJ0IAJyDs83nzbQjJwiiqPwlTRo1 FsWTbc4t+sEnCs5bQyNzpeG4teMVPYfSffMp/6Y1+KooPrKJZFFg2NJmb2SXguKd vF5PQv5QynYkikRJZQhPm3ad3kH0lchngvr7jykezWq+T7uOhZ5eF7IciXZSpiYY ealFp00XB/ZMzoWHrGTi7q8coI+YN2Iwx+U5KVmj5PLfksVMSpIRo5S9jrk0OB/U 3xr9ys/yVifZhUDlPder/vOEogwBFnlfWdUriPKi0/1bhF+4smkviaqeXbDdjthN b3SbYWGqbyGODAx9TOV42hIg1QI87z4Ew0sGPGJihjSR3i2Rg5tEVsusnJu8eHE= =ItPV - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBURxc2u4yVqjM2NGpAQKxhRAArpiaXPRu27hJ59CXl15QG6wvplKe5FWe PKIFBSlAoBUWaa6JWdek7osMQvKFvdFmgu7SW+HjJqV7ZgrOQPNmY9eIk61PTszm Tte/szSo93XZSjJtuWa8mfAp1F4V6KLbUYHIfz0OsPgsfk0sjDi/BJyHJB3ELDqR 9MGVJcZXXCNHZC5wzoHyckgA3I8D0BStz5d5dr/058qK9fetZ1EWTcznCJL5oWoW i/8a2dlpmuxE9zQREFa7Hq7tplyEavXTJQbp1MSe0UEDiCen3lxgpBvxvEfnAyMl 58umltKsVf2B65sQQPDnMltycet7bTC1AfMvXUL7pr83NVMMDIOfl6r3+c5bXfFC 1/7saU9nKRYgnBY6StfZwOQY+qozS+823eyWcjsfYkHtTCnRMWpW3RPqgpN9dPeI N9isB8163a7XIPupSJjkRdVqSIWcfJDKQv0Y9zYHzxM0d5UcHUTAtigoC0oh9jKK PrmtlJbRj+AqhQd9IsoYvVykomi43OjmBmXVTdJquC4Obxo92Zx5ae1Hj8CuSO0n JNf/mKfhqAsaCy/o2nPEqB3PDY7e8Y04r7+xqYTwVVrc/OFt8pgNCnFNJz2kPxuS xKDiYRdA843HyaEOrr8ywkZY0wT9XqpVXgx6DAExRJunfGspxo81ZQ0IjXY9XSef UYdd977I4pU= =orYO -----END PGP SIGNATURE-----