Apple Security Advisory 2016-12-13-1 - macOS 10.12.2 is now available and addresses arbitrary code execution, denial of service, and various other vulnerabilities.
68bf50743be919151d9547b2351d633298a9bfe57d7160fac7541f89315f5b98
Ubuntu Security Notice 3087-2 - USN-3087-1 fixed vulnerabilities in OpenSSL. The fix for CVE-2016-2182 was incomplete and caused a regression when parsing certificates. This update fixes the problem. Shi Lei discovered that OpenSSL incorrectly handled the OCSP Status Request extension. A remote attacker could possibly use this issue to cause memory consumption, resulting in a denial of service. Guido Vranken discovered that OpenSSL used undefined behaviour when performing pointer arithmetic. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. This issue has only been addressed in Ubuntu 16.04 LTS in this update. CAsar Pereida, Billy Brumley, and Yuval Yarom discovered that OpenSSL did not properly use constant-time operations when performing DSA signing. A remote attacker could possibly use this issue to perform a cache-timing attack and recover private DSA keys. Quan Luo discovered that OpenSSL did not properly restrict the lifetime of queue entries in the DTLS implementation. A remote attacker could possibly use this issue to consume memory, resulting in a denial of service. Shi Lei discovered that OpenSSL incorrectly handled memory in the TS_OBJ_print_bio function. A remote attacker could possibly use this issue to cause a denial of service. It was discovered that the OpenSSL incorrectly handled the DTLS anti-replay feature. A remote attacker could possibly use this issue to cause a denial of service. Various other issues were also addressed.
866a666b9c95f3a131d4f84a0275b8f76cab02d1c331b6dda84b16932f9b0d80
Ubuntu Security Notice 3087-1 - Shi Lei discovered that OpenSSL incorrectly handled the OCSP Status Request extension. A remote attacker could possibly use this issue to cause memory consumption, resulting in a denial of service. Guido Vranken discovered that OpenSSL used undefined behaviour when performing pointer arithmetic. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. This issue has only been addressed in Ubuntu 16.04 LTS in this update. Various other issues were also addressed.
36a754a10b5e01cc0dee6ee9fc630a143ff6e890a747d866691c58d6bc39ec95
Debian Linux Security Advisory 3673-1 - Several vulnerabilities were discovered in OpenSSL.
097e35417672fd244d49ec1b5ad7ea3269ba4b14b613ec4f5f3f90843c6baef7
OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols with full-strength cryptography world-wide.
9287487d11c9545b6efb287cdb70535d4e9b284dd10d51441d9b9963d000de6f
OpenSSL Security Advisory 20160922 - A malicious client can send an excessively large OCSP Status Request extension. If that client continually requests renegotiation, sending a large OCSP Status Request extension each time, then there will be unbounded memory growth on the server. This will eventually lead to a Denial Of Service attack through memory exhaustion. Servers with a default configuration are vulnerable even if they do not support OCSP. Builds using the "no-ocsp" build time option are not affected. Other issues were also addressed.
a53149075294f036c481adb55b177d02ac0016e0b66f800b8c0c0007205c8169