-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512



- -------------------------------------------------------------------------

Debian Security Advisory DSA-4065-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

December 17, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------



Package : openssl1.0

CVE ID : CVE-2017-3737 CVE-2017-3738



Multiple vulnerabilities have been discovered in OpenSSL, a Secure

Sockets Layer toolkit. The Common Vulnerabilities and Exposures project

identifies the following issues:



CVE-2017-3737



David Benjamin of Google reported that OpenSSL does not properly

handle SSL_read() and SSL_write() while being invoked in an error

state, causing data to be passed without being decrypted or

encrypted directly from the SSL/TLS record layer.



CVE-2017-3738



It was discovered that OpenSSL contains an overflow bug in the AVX2

Montgomery multiplication procedure used in exponentiation with

1024-bit moduli.



Details can be found in the upstream advisory:

https://www.openssl.org/news/secadv/20171207.txt



For the stable distribution (stretch), these problems have been fixed in

version 1.0.2l-2+deb9u2.



We recommend that you upgrade your openssl1.0 packages.



For the detailed security status of openssl1.0 please refer to its

security tracker page at:

https://security-tracker.debian.org/tracker/openssl1.0



Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/



Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----



iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlo2d9VfFIAAAAAALgAo

aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2

NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND

z0QSrg/9FMen2+LCJ6Gia5XeB+RmZ1JqC1eFBYfpgqVwRik1VOZ9bGP3py5saKDZ

JuTwloUXYWPDJu79DZG4M9tWkFt7rcy4jqf5x7UfGXKO0VWvtoGABo4rshYe6Y/3

9qPTkJh3I2A67pMk7UQ+4Cu6MxYIcvBKcmiRnqzUbDxrK0CKn798iWTemUyXxdiC

iNXM6+mdy8tReWX3IWUR1sg6QqwU/wlkKHYXHpe6z1GxR3GYrFgzikFbn4czy6Yu

3H7a+CPfVE8lRwO8zh8VJf6gKkU5DT22GPtR87dvgIi0O8qNvZryXau4aDRgI+io

IzeWo+VFWX6vVQhQXFP1ZT+BQffTOYAEwExvfiAZppEn+0YeuyTresoxBwQodLDz

mpFANGkGvG95294gwaORZxmT/r6drYLOtb0q2ZN0SI4VRly0Jqbg/+jHAUjQSd+y

XcPiEPIRnttJX6UR0kJL2lhn998uJfdiU2gyQ/m6d9Y953I1a0N8HnErTXvUQYty

eEWIKiZ02g0J89P0dPlIDtEHZJ9FBJffkWUuk4Z1UVpb2Ogs5hZ4yPC4oiiqxnxO

DH5u/7z+srm97SNmz+fntoae3LgrOtKjZq3yiyjE3UjNJZdI2yCKPFGd45CCTqRV

bD1Sb0KJCrIlbtPsJiEHKmPXKLoUxICVmAq1n8KdgMnd/jNmMnM=

=y++r

-----END PGP SIGNATURE-----

