===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2015.0680.2
                          openssl security update
                               25 March 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openssl
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-0292 CVE-2015-0289 CVE-2015-0288
                   CVE-2015-0287 CVE-2015-0286 CVE-2015-0209

Reference:         ESB-2015.0678

Original Bulletin: 
   http://www.debian.org/security/2015/dsa-3197

Revision History:  March 25 2015: The openssl update issued as DSA 
                                  3197-1 caused regressions.
                   March 20 2015: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3197-2                   security@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
March 24, 2015                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openssl
CVE ID         : CVE-2015-0209 CVE-2015-0286 CVE-2015-0287 CVE-2015-0288 
                 CVE-2015-0289 CVE-2015-0292
Debian Bug     : 781081

The openssl update issued as DSA 3197-1 caused regressions. This update
reverts the defective patch applied in that update, which caused these
problems. Additionally, a follow-up fix for CVE-2015-0209 is applied.
For reference, the original advisory text follows.

Multiple vulnerabilities have been discovered in OpenSSL, a Secure
Sockets Layer toolkit. The Common Vulnerabilities and Exposures project
identifies the following issues:

CVE-2015-0286

    Stephen Henson discovered that the ASN1_TYPE_cmp() function
    can be crashed, resulting in denial of service.

CVE-2015-0287

    Emilia Kaesper discovered a memory corruption in ASN.1 parsing.

CVE-2015-0289

    Michal Zalewski discovered a NULL pointer dereference in the
    PKCS#7 parsing code, resulting in denial of service.

CVE-2015-0292

    It was discovered that missing input sanitising in base64 decoding
    might result in memory corruption.

CVE-2015-0209

    It was discovered that a malformed EC private key might result in
    memory corruption.

CVE-2015-0288

    It was discovered that missing input sanitising in the
    X509_to_X509_REQ() function might result in denial of service.

For the stable distribution (wheezy), these problems have been fixed in
version 1.0.1e-2+deb7u16.

We recommend that you upgrade your openssl packages.
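The fixed version above is only useful if you can tell whether a given host is still below it, and Debian version strings ("1.0.1e-2+deb7u16", backports with "~", local rebuilds with an epoch) do not sort correctly with plain string or `sort -V` comparison. The following is an added example, not part of the Debian advisory or the AusCERT bulletin: it reimplements dpkg's version-ordering rules (epoch, then upstream version, then Debian revision, with "~" sorting before everything and digit runs compared numerically) in pure Python so the check can run on a host or against collected inventory without dpkg installed. The input format is assumed to be the output of `dpkg-query -W -f='${source:Package} ${Package} ${Version}\n'`; the sample lines and the package names in them are constructed for illustration.

```python
"""Check installed openssl binaries against the fixed version from DSA-3197-2.

Added example (not from the advisory): a pure-Python implementation of
dpkg's version comparison, applied to constructed dpkg-query output.
"""

FIXED_VERSION = "1.0.1e-2+deb7u16"  # wheezy fixed version named in the advisory
SOURCE_PACKAGE = "openssl"

# Constructed sample of: dpkg-query -W -f='${source:Package} ${Package} ${Version}\n'
SAMPLE_DPKG_OUTPUT = """\
openssl openssl 1.0.1e-2+deb7u14
openssl libssl1.0.0 1.0.1e-2+deb7u16
openssl libssl-dev 1.0.1e-2+deb7u16~bpo70+1
openssl libssl-doc 1:1.0.1e-2
bash bash 4.2+dfsg-0.1+deb7u3
"""


def _isdigit(c: str) -> bool:
    return "0" <= c <= "9"


def _order(c: str) -> int:
    """Weight dpkg assigns to a character in a non-digit run."""
    if _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1  # '~' sorts before anything, including end of string
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare one upstream-version or revision component like dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights; end of string weighs 0.
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, longer run wins, else first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and _isdigit(a[i]) and _isdigit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):
            return 1
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split '[epoch:]upstream[-revision]'; revision is after the last '-'."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(v1: str, v2: str) -> int:
    """Return <0, 0 or >0, matching dpkg --compare-versions lt/eq/gt."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def vulnerable_packages(dpkg_output: str, source: str = SOURCE_PACKAGE,
                        fixed: str = FIXED_VERSION):
    """List (package, version) of binaries built from `source` older than `fixed`."""
    found = []
    for line in dpkg_output.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        src, pkg, ver = parts
        if src == source and compare_versions(ver, fixed) < 0:
            found.append((pkg, ver))
    return found


if __name__ == "__main__":
    for pkg, ver in vulnerable_packages(SAMPLE_DPKG_OUTPUT):
        print(f"{pkg} {ver} is older than {FIXED_VERSION}: update required")
```

On the constructed sample this flags `openssl 1.0.1e-2+deb7u14` and the backport `libssl-dev 1.0.1e-2+deb7u16~bpo70+1` (the "~" makes it sort below the fixed version), and correctly leaves alone the epoch-bumped local rebuild `1:1.0.1e-2`, which a naive string comparison would have misclassified. On a real wheezy host, `dpkg --compare-versions` gives the same answers and can be used to cross-check this implementation.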

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVEdXzAAoJEAVMuPMTQ89E2dcP/R2oP1KlVfpYq8Ep8BxoAa5h
wGQE9J86uxtThX6mdL/CmLtTN69b3bHbcZ/grfXQqvEGSyY/zbSXyb9k54pfGc+o
K+U2nIENN81yWaGhxOafIXB6ODOZ+eLAjBCLcAxsDL7d0epuyp3hcLiSq7JdeTr+
/cz12vFbVGcbqrPt4TB6j9GVdSuHKnDrs5tc7t9L+i5yJ/uYhXwL6cO+ChBM8b/2
gJiK7NOwfUhsoOvHO9yyXl6ptQ86rbymYIS9kIQ3K05YZIon1DTAc0wNjD1qr0vn
u2BDsauNuBwc5IH+52iWCA/yr4QW+9unPtwOZhxurTmO+R0EQopSH01Ay8GcHytv
oo8BmEUpLn8t68/fUGzbh1ynjpkUJrceHL8RmytCbJDDEtrV6KHCoHGbrWcda21n
oVYU3axZhuj11No6iK0RYMvcqfOX+g40IYat7P0Rhp2P4VauGc6lZBje2q3fLQwJ
SB2IkmClFaDuLZXd7BMdXHa8zIwhLjW7hGYcKaLGCulLiQFOaZD/AKEOPUaHb+9I
W8Kvr+7wEwr9Bl1Tnn0N0SmRkrpBjbXqbhYElAfEWjIcMiZ4lsGIQ+iqkyx5R1HT
uVGwD5CY7dSjb6vStSgm5IO0/+h6UEa02uFm61Zv41WtER7aXtOwSWxPKre4gRV+
3LPBue6eb2uGngYInaUQ
=8XMK
-----END PGP SIGNATURE-----

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================