Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.4035
python-ecdsa security update
31 October 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: python-ecdsa
Publisher: Debian
Operating System: Debian GNU/Linux 8
Linux variants
Windows
Impact/Access: Access Privileged Data -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Provide Misleading Information -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2019-14859 CVE-2019-14853
Original Bulletin:
https://security-tracker.debian.org/tracker/DLA-1978-1
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running python-ecdsa check for an updated version of the software
for their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Package : python-ecdsa
Version : 0.11-1+deb8u1
CVE ID : CVE-2019-14853 CVE-2019-14859
It was discovered that python-ecdsa, a cryptographic signature library
for Python, did not correctly verify DER encoded signatures. Malformed
signatures could lead to unexpected exceptions and in some cases did
not raise any exception.
For Debian 8 "Jessie", these problems have been fixed in version
0.11-1+deb8u1.
We recommend that you upgrade your python-ecdsa packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAl25yt5fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeRabQ//fruNHEk3owXUlCWrv1F9jsCknzhOXu4y0rSzz6VnPFctLWp920ykuhUB
UduwGAlkWTSG/4xe5KZyWNvxBFW1+YARe8P+Ed92zAanXUnijxic0v4mbtbAVZG+
LWyVC96f3YxAS/+a1Xfy7kJekRIQyL288V3uCp34QEgMNVJjFK1AUkJXn4ld2Uy2
iVLaur4ZUH0Ghakv9cuHJWaIK4M0HKyHgoJAE8QFbbzvbTgqvtrP3N8qP+RaWZNM
hBGslCn09g6/2iYbxC4d4o7Av7LvyUVAm/4v/JgfM4DcBBuR4eOd8U6QLp3hqqJ3
A/oYhE0aitlsNIe8b6fcEe/vWFlXaAzxphGGUdPnuqnh/H31zO8gg0M1h5tZ9JrH
uTIe1JIgWsJRnuoe7V9tIBMWGpdmQbQYMjRiuefpqKk76MP4qUbILiLh/O0iCxi6
grFFA2b0CFZpDjUrfUeX4jr2qkHHVO6tCqqMYHmAERXcsbSR95w0ykS8dXYQn0uI
hOtMngNAKx7gLbkFIvh5utWjqLcDtzRJr8mAyAPMJG1sv0hxNaYXiHu53XhYhM7G
/g1JGkJuq8aqN2PZeIj00TVikNBVs9ywlW4QW8L5KcuPfT95xAESq6xeGh59zrPJ
wL8OeJDuNpkeiWBg9aVsJjkZKwUyggD3IQjiV7NYi1mtSTchyxM=
=FQQ2
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXbpcA2aOgq3Tt24GAQgL9A//SotTkRTLV5NpH7X823BH6Xax5EIOerCm
eAbGxODLzcMLUzIgS7hax3Uqv1QZr4oTOQp1vVcRJKo8IHu28Os7j/FJxEiu8RFY
0ytDokMX/xp99zKsUczyJbvldq4oUUvp1VNBChL1FbaM8+JyCKJVKF+T/X0WWwf6
LcuoURgg+M5LlHOa64VikbZWZi9Kxor912kACxZIWeXv7BojCyzKQSbJZcFEez/W
OIJeVInVjOf34Ei/GPjbOZmq10E9p+8xYbslhFDkKK4g3RhkanoUYiBN+b6RZYFB
GVrf8DOYDUM1dHM2g9lL4bv/WBLQWcQAEcVOC6lojJXzDxHS7wBasrUKIHSJmsaF
pDrpdgfe9Mzkxn0gm2ZjynvHi68m/PhFtnEn8TJFoYhAdAJf9jnlkmt/5oyB85IK
O7leMlzLdK48zH3WLUGu710Gn7t5j9OawlyOeRZkw/qSr0lwkk7PLBKm3dgBxwFY
qmtXFZaJKo7TC6R//xq5q544H/PvlazqQCpS+PuCntAJOjmiaZu6KuGfGHTvWq39
M/FjZPObiOzY9jrMaX8AG0Cv2qOogQmkFnUu+eaxGeQ8/D7UMwpI+QrsNfAm53gD
6PMPQXEQy77ocAxF516ornyAbSObv+dERlCtVytB6zxLSGJ1o4Xio3sWgcK0g+dc
yAIyUcVXkoo=
=2Vck
-----END PGP SIGNATURE-----