Search 219043 CVE descriptions
and 99761 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:
Category:Debian Local Security Checks
Title:Debian LTS: Security Advisory for openssl (DLA-1932-1)
Summary:The remote host is missing an update for the 'openssl'; package(s) announced via the DLA-1932-1 advisory.
The remote host is missing an update for the 'openssl'
package(s) announced via the DLA-1932-1 advisory.

Vulnerability Insight:
Two security vulnerabilities were found in OpenSSL, the Secure Sockets
Layer toolkit.


Normally in OpenSSL EC groups always have a co-factor present and
this is used in side channel resistant code paths. However, in some
cases, it is possible to construct a group using explicit parameters
(instead of using a named curve). In those cases it is possible that
such a group does not have the cofactor present. This can occur even
where all the parameters match a known named curve. If such a curve
is used then OpenSSL falls back to non-side channel resistant code
paths which may result in full key recovery during an ECDSA
signature operation. In order to be vulnerable an attacker
would have to have the ability to time the creation of a large
number of signatures where explicit parameters with no co-factor
present are in use by an application using libcrypto. For the
avoidance of doubt libssl is not vulnerable because explicit
parameters are never used.


In situations where an attacker receives automated notification of
the success or failure of a decryption attempt an attacker, after
sending a very large number of messages to be decrypted, can recover
a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted
message that was encrypted with the public RSA key, using a
Bleichenbacher padding oracle attack. Applications are not affected
if they use a certificate together with the private RSA key to the
CMS_decrypt or PKCS7_decrypt functions to select the correct
recipient info to decrypt.

Affected Software/OS:
'openssl' package(s) on Debian Linux.

For Debian 8 'Jessie', these problems have been fixed in version

We recommend that you upgrade your openssl packages.

CVSS Score:

CVSS Vector:

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2019-1547
Bugtraq: 20190912 [slackware-security] openssl (SSA:2019-254-03) (Google Search)
Bugtraq: 20191001 [SECURITY] [DSA 4539-1] openssl security update (Google Search)
Bugtraq: 20191001 [SECURITY] [DSA 4540-1] openssl1.0 security update (Google Search);a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a
Debian Security Information: DSA-4539 (Google Search)
Debian Security Information: DSA-4540 (Google Search)
SuSE Security Announcement: openSUSE-SU-2019:2158 (Google Search)
SuSE Security Announcement: openSUSE-SU-2019:2189 (Google Search)
SuSE Security Announcement: openSUSE-SU-2019:2268 (Google Search)
SuSE Security Announcement: openSUSE-SU-2019:2269 (Google Search)
Common Vulnerability Exposure (CVE) ID: CVE-2019-1563;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f
CopyrightCopyright (C) 2019 Greenbone Networks GmbH

This is only one of 99761 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.

© 1998-2022 E-Soft Inc. All rights reserved.