-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1336
                         pyopenssl security update
                             25 September 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           pyopenssl
Publisher:         Debian
Operating System:  Debian GNU/Linux 6
                   Debian GNU/Linux 7
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Provide Misleading Information -- Remote with User Interaction
                   Unauthorised Access            -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-4314  

Original Bulletin: 
   http://www.debian.org/security/2013/dsa-2763

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running pyopenssl check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2763-1                   security@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
September 24, 2013                     http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : pyopenssl
Vulnerability  : hostname check bypassing
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-4314
Debian Bug     : 722055

It was discovered that PyOpenSSL, a Python wrapper around the OpenSSL
library, does not properly handle certificates with NULL characters in
the Subject Alternative Name field.

A remote attacker in a position to obtain a certificate for
'www.foo.org\0.example.com' from a CA that an SSL client trusts could
use it to spoof 'www.foo.org' and conduct man-in-the-middle attacks
between the PyOpenSSL-using client and the SSL server.

For the oldstable distribution (squeeze), this problem has been fixed in
version 0.10-1+squeeze1.

For the stable distribution (wheezy), this problem has been fixed in
version 0.13-2+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 0.13-2.1.

We recommend that you upgrade your pyopenssl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----