-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.0254
                          openssl security update
                              30 January 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openssl
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Access Privileged Data -- Existing Account      
                   Denial of Service      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-3731 CVE-2016-8610 CVE-2016-7056

Reference:         ESB-2017.0207
                   ESB-2017.0187
                   ESB-2017.0142
                   ESB-2017.0134
                   ESB-2017.0086

Original Bulletin: 
   http://www.debian.org/security/2017/dsa-3773

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3773-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 27, 2017                      https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : openssl
CVE ID         : CVE-2016-7056 CVE-2016-8610 CVE-2017-3731

Several vulnerabilities were discovered in OpenSSL:
	    
CVE-2016-7056

    A local timing attack was discovered against ECDSA P-256.

CVE-2016-8610

    It was discovered that no limit was imposed on alert packets during
    an SSL handshake.

CVE-2017-3731

    Robert Swiecki discovered that the RC4-MD5 cipher, when running on
    32-bit systems, could be forced into an out-of-bounds read, resulting
    in denial of service.

For the stable distribution (jessie), these problems have been fixed in
version 1.0.1t-1+deb8u6.

For the unstable distribution (sid), these problems have been fixed in
version 1.1.0d-1 of the openssl source package and in version 1.0.2k-1
of the openssl1.0 source package.

We recommend that you upgrade your openssl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----