| Description: | Summary:
The remote host is missing an update for the Debian 'openssl' package(s) announced via the DSA-4157-1 advisory.
Vulnerability Insight:
Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit. The Common Vulnerabilities and Exposures project identifies the following issues:
CVE-2017-3738
David Benjamin of Google reported an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli.
CVE-2018-0739
It was discovered that constructed ASN.1 types with a recursive definition could exceed the stack, potentially leading to a denial of service.
Details can be found in the upstream advisory: [link moved to references]
For the oldstable distribution (jessie), these problems have been fixed in version 1.0.1t-1+deb8u8. The oldstable distribution is not affected by CVE-2017-3738.
For the stable distribution (stretch), these problems have been fixed in version 1.1.0f-3+deb9u2.
We recommend that you upgrade your openssl packages.
For the detailed security status of openssl please refer to its security tracker page at: [link moved to references]
Affected Software/OS:
'openssl' package(s) on Debian 8, Debian 9.
Solution:
Please install the updated package(s).
CVSS Score:
4.3
CVSS Vector:
AV:N/AC:M/Au:N/C:N/I:N/A:P
|
