[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 637-1] openssl security update

Package        : openssl
Version        : 1.0.1t-1+deb7u1
CVE ID         : CVE-2016-2177 CVE-2016-2178 CVE-2016-2179 CVE-2016-2180 
                 CVE-2016-2181 CVE-2016-2182 CVE-2016-6302 CVE-2016-6303
                 CVE-2016-6304 CVE-2016-6306

Several vulnerabilities were discovered in OpenSSL:


    Guido Vranken discovered that OpenSSL uses undefined pointer
    arithmetic. Additional information can be found at


    Cesar Pereida, Billy Brumley and Yuval Yarom discovered a timing
    leak in the DSA code.

CVE-2016-2179 / CVE-2016-2181

    Quan Luo and the OCAP audit team discovered denial of service
    vulnerabilities in DTLS.

CVE-2016-2180 / CVE-2016-2182 / CVE-2016-6303

    Shi Lei discovered an out-of-bounds memory read in
    TS_OBJ_print_bio() and an out-of-bounds write in BN_bn2dec()
    and MDC2_Update().


    DES-based cipher suites are demoted from the HIGH group to MEDIUM
    as a mitigation for the SWEET32 attack.


    Shi Lei discovered that the use of SHA512 in TLS session tickets
    is susceptible to denial of service.


    Shi Lei discovered that excessively large OCSP status request may
    result in denial of service via memory exhaustion.


    Shi Lei discovered that missing message length validation when parsing
    certificates may potentially result in denial of service.

For Debian 7 "Wheezy", these problems have been fixed in version

We recommend that you upgrade your openssl and libssl1.0.0 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Attachment: signature.asc
Description: PGP signature

Reply to: