Debian Security Advisory
DLA-1449-1 openssl -- LTS security update
- Date Reported:
- 28 Jul 2018
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 895844.
In Mitre's CVE dictionary: CVE-2018-0732, CVE-2018-0737.
- More information:
Two issues were discovered in OpenSSL, the Secure Sockets Layer toolkit.
Denial of service by a malicious server that sends a very large prime value to the client during TLS handshake.
Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia discovered that the OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key.
For Debian 8
Jessie, these problems have been fixed in version 1.0.1t-1+deb8u9.
We recommend that you upgrade your openssl packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS