Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2014.0007
openssl security update
2 January 2014
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: openssl
Publisher: Debian
Operating System: Debian GNU/Linux 7
Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Denial of Service -- Remote/Unauthenticated
Provide Misleading Information -- Remote with User Interaction
Unauthorised Access -- Remote with User Interaction
Reduced Security -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2013-6450 CVE-2013-6449
Original Bulletin:
http://www.debian.org/security/2013/dsa-2833
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running openssl check for an updated version of the software for
their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2833-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
January 01, 2014 http://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : openssl
Vulnerability : several
Problem type : local
Debian-specific: no
CVE ID : CVE-2013-6449 CVE-2013-6450
Debian Bug : 732754 732710
Multiple security issues have been fixed in OpenSSL: The TLS 1.2 support
was susceptible to denial of service and retransmission of DTLS messages
was fixed. In addition this updates disables the insecure Dual_EC_DRBG
algorithm (which was unused anyway, see
http://marc.info/?l=openssl-announce&m=138747119822324&w=2 for further
information) and no longer uses the RdRand feature available on some
Intel CPUs as a sole source of entropy unless explicitly requested.
For the stable distribution (wheezy), these problems have been fixed in
version 1.0.1e-2+deb7u1.
For the unstable distribution (sid), these problems have been fixed in
version 1.0.1e-5.
We recommend that you upgrade your openssl packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
iEYEARECAAYFAlLEBDMACgkQXm3vHE4uylpEbACg55hvNWUo8hTUtqMNoOeP986v
dG0AoJXsQoWloicwYo4fM8EwkbWxjun+
=KlR6
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUsTRmRLndAQH1ShLAQLtYA/9EbNdYEQJCb0KydIvwdY8CHZejdxEO3md
5cjZDK47rrp7lpJJI2NL0Q4zew2NhONI7xdl9aBCwvEBEoZuA7WSwDhkJJlp2TIr
GFj76vEBR0E10NFiBVI6a7a1yUxrVfO5dHd/OkorWrpabjgt3oVUfhJHM9yxAWhY
vlHzIJbqq7ZmxGdFk7r8tGH1JH0hPQlfLFJPj6YqJRqA8nl49O9m5qRzDGKdO4Ga
DtNHUleQhSGrs1WYNtidRc3aSjKD68LoyCtqWSAtU+eyrdge4vkwd+nkBfGdvRx1
aoqXzPYB2GyAFC194dKU9k4+zEWQxuGmP8t8PDbRG1mvH7RE4twOGd3AtMSJur64
cwwcmQXodLanJE5xo66pADGJXOtAI3mZcBEG2Y2Y5jYGrCygZvkbVtwqevvIPyB2
0sbIc13SuixBw6aCtqageFYbT/HuW22O51OFZj0IuY6FT4VXdgLZWjpWd8V6YKTi
OBY7iO79N+lFJE5WTYc5NKTyJ0VWHf8KsgP58+d34VfL7fCs+1ssVEZ32coDvmJR
KaJzT7Wi14NKwkeROe86LG/nN6hUX9zgvhSCvfmKTErfYI1ln0os6txwzV4vzpnP
salOJZftyD6cwgYvDL5xoF1BmdamuxAyNpZXSgka/3er/MRONzrQbvqHZWZWx4dD
4XE6qTJ8+LE=
=NngD
-----END PGP SIGNATURE-----