-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1336
                         pyopenssl security update
                             25 September 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           pyopenssl
Publisher:         Debian
Operating System:  Debian GNU/Linux 6
                   Debian GNU/Linux 7
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Provide Misleading Information -- Remote with User Interaction
                   Unauthorised Access            -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-4314

Original Bulletin:
   http://www.debian.org/security/2013/dsa-2763

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running pyopenssl check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2763-1                   security@debian.org
http://www.debian.org/security/                       Salvatore Bonaccorso
September 24, 2013                     http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : pyopenssl
Vulnerability  : hostname check bypassing
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-4314
Debian Bug     : 722055

It was discovered that PyOpenSSL, a Python wrapper around the OpenSSL
library, does not properly handle certificates with NULL characters in
the Subject Alternative Name field.
A remote attacker in the position to obtain a certificate for
'www.foo.org\0.example.com' from a CA that a SSL client trusts, could use
this to spoof 'www.foo.org' and conduct man-in-the-middle attacks between
the PyOpenSSL-using client and the SSL server.

For the oldstable distribution (squeeze), this problem has been fixed in
version 0.10-1+squeeze1.

For the stable distribution (wheezy), this problem has been fixed in
version 0.13-2+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 0.13-2.1.

We recommend that you upgrade your pyopenssl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBCgAGBQJSQcLoAAoJEHidbwV/2GP+BxUQAIVJbtpOvqPJlYxuBPdYSzRI
53N4nTbCZC9hTmDWCbmwH6yL1I2Iev7E6MHAuRZKJ2rRjrctF7r3cDNCPpCkLtNK
517MzzSPe7nmmhFHYNiDQIQeIb3bdKGiSGd5eTgvYzWtVFKqRQ8FHDkYYZjc5+y3
360CZAo3lRbkv5i2oKNPMvTQjXitQxAJjzTM4FKAsY5b1QHwsbtShaQHLza7QjUE
AFWC5lW8aMFSK05IrBKs9vfEWsoiVkJjr/BjVEGR1KipI24eb4Yq3tOTlY6fWIyP
vq6u5zSbg3N3hU1LFL3pg7ghH7dLovPCLxUycVfZjUy9tD8pRRj+rKbnqyok9ITk
gKxhQORQXBw7f2cC9Yk7eFF4a0nNxUxYlfCNIEm+9Bvf3oRn37bfelJyiElGG/HM
RpdjZRAsp81Sup+Rk0uEvDsLxb0Pl/4EfQNO7p2/pIXSqe5cDHy8NoIJPWEpJN9o
hdKn3kaSuZPv4Z/KAMa2pyW8+bCkh4BwMZ/NloHkYZ9XodhFWFPGjd3vS+1PW3Mg
+PKapJZNN563dosK+kqXrUaa2oU4fl4xxXPZPolETEuYxRV7+FKKwS2jlISTTpvF
toFjeXUEUssjTcFOgYdg/tYODv1nLiOO1OyQkEhIGAJkvFWaVocgst1z9J8RxEMr
YyEEGT5b+gT9Cvj1REjx
=fCjj
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your organisation,
so if you do not wish to continue receiving these bulletins you should contact
your local IT manager. If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUkKH1hLndAQH1ShLAQKhSBAApQDxouKMokfzCg48msTfcPpz8gPCiPEp
BGdIcqBxz94Lr301juEnnZSU5Lfx8Q4zj21pV1U10gQvXXKI7vE3x/LJPD2sqJY8
iiVmPuGSUUfd0ruUl/hi1+cUw+Ke+hfMMvzoVpZCFavgnP1VBJDAQwVAU9Bi/bqN
wHtx23BbD59odCG9353Ee4TUF5Rx7ZqDKitp9wtgscCroKQWmrKe8s5AKywRUQ/l
TgdpCVpzFpJ5eusRf+q/+3tZecq3/WLH8eDdW/mMUlnWZEsttZkpdOnIrm/BapRN
Jp7Ogq4S85r7yt8PdSBjuoz5brvnN3hS+KYje1l9xIO5PA4mj5z0lQ5+mo/bzNCn
6DUWZGPm+fOfEzH3uhP1STpbORmLLpXlSPB3JIObMHEsUPw7mcysVoNnraaKmmbj
aMI7UuU+Zaf/WL+9UZ3610rxCGF9s7c4wghd++Zxb3xgn+PACFYCrMLPxmJxccFq
oGr6Uv2B+EPLxSoFj4Y2SHH5aK4eV++2lazLfblS5PAvPA9C78HaOCJOI0FndVwB
0eguPKZCetUmPMTa8YkzNYNSRI0gl8I7KxPBZLi7Pv757/asBlW0G6kn2TUe7mO3
PKO+Ytu3FvzFsbGg022Z3sn0YWvpKmZigRuGxwCwQeYyD7XIdtveNYuW3my12RmC
N5tEfeBY4Qc=
=GvZC
-----END PGP SIGNATURE-----
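Editor's added example (not part of the AusCERT bulletin, the Debian advisory, or pyOpenSSL's own code): the mechanism behind CVE-2013-4314 is that a subjectAltName dNSName is a length-prefixed DER string, so it may legally carry an embedded NUL, while any consumer that treats the name as a NUL-terminated C string sees only the prefix. The block below hand-encodes a SAN extension for the advisory's 'www.foo.org\0.example.com' name (constructed data, stdlib only), parses it correctly by DER length, and then runs the same hostname check through two views of the name: a C-string view that reproduces the bypass, and a checked view that rejects any dNSName containing a NUL. The helper names (`as_c_string`, `as_checked_name`, `check_host`) are this example's own, not pyOpenSSL API; the matcher also handles a single leading wildcard label, which goes slightly beyond what the advisory discusses.

```python
"""
Embedded NUL in subjectAltName dNSName: vulnerable vs. fixed hostname check.
All DER encoding/decoding here is hand-rolled for the demo (stdlib only).
"""

# --- Minimal DER helpers (constructed for this example) --------------------

def der_len(n: int) -> bytes:
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, value: bytes) -> bytes:
    """Encode one tag-length-value element."""
    return bytes([tag]) + der_len(len(value)) + value

def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2 : pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    return tag, buf[pos : pos + length], pos + length

# GeneralName dNSName is [2] IMPLICIT IA5String -> context-specific tag 0x82
DNSNAME_TAG = 0x82

def encode_san(names):
    """Encode a subjectAltName value: SEQUENCE OF GeneralName (dNSName only)."""
    return der_tlv(0x30, b"".join(der_tlv(DNSNAME_TAG, n) for n in names))

def decode_san(ext_value: bytes):
    """Length-aware decode: return the raw bytes of every dNSName, NULs included."""
    tag, seq, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName is not a SEQUENCE")
    names, pos = [], 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        if tag == DNSNAME_TAG:
            names.append(val)
    return names

# --- Two ways of turning a dNSName into a Python string --------------------

def as_c_string(raw: bytes) -> str:
    """Vulnerable view: what a NUL-terminated (C-string) consumer sees."""
    return raw.split(b"\x00", 1)[0].decode("ascii")

def as_checked_name(raw: bytes) -> str:
    """Fixed view: a dNSName with an embedded NUL is never a valid hostname."""
    if b"\x00" in raw:
        raise ValueError("NUL byte in subjectAltName dNSName; rejecting certificate")
    return raw.decode("ascii")

def hostname_matches(pattern: str, host: str) -> bool:
    """Exact match, or a single leading '*.' label matching one host label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return pattern == host

def check_host(ext_value: bytes, host: str, name_view) -> bool:
    """Hostname check over every dNSName, using the supplied view function."""
    for raw in decode_san(ext_value):
        try:
            name = name_view(raw)
        except ValueError:
            return False          # a malformed name fails the whole check
        if hostname_matches(name, host):
            return True
    return False

# Constructed SAN values: the CA believes it issued a name under example.com,
# a domain the attacker controls; the client must not accept it for foo.org.
SAN_ATTACK = encode_san([b"www.foo.org\x00.example.com"])
SAN_GOOD = encode_san([b"www.example.com", b"*.example.net"])

if __name__ == "__main__":
    print("decoded:   ", decode_san(SAN_ATTACK))
    print("vulnerable:", check_host(SAN_ATTACK, "www.foo.org", as_c_string))
    print("fixed:     ", check_host(SAN_ATTACK, "www.foo.org", as_checked_name))
    print("legit:     ", check_host(SAN_GOOD, "api.example.net", as_checked_name))
```

The practical check for a client is the one in `as_checked_name`: compare the DER length of the name with the length of the string you are about to match, and fail closed on any NUL. Rejecting the certificate, rather than matching on the part after the NUL, is the right outcome because no legitimate dNSName carries one.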