The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of Blowfish, Triple-DES: algorithms too weak, SWEET32

Synthesis of the vulnerability

An attacker can create a TLS/VPN session with a Blowfish/Triple-DES algorithm, and perform a two-day attack, in order to decrypt data.
Severity of this announcement: 1/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 25/08/2016.
References of this computer vulnerability: 1610582, 1991866, 1991867, 1991870, 1991871, 1991875, 1991876, 1991878, 1991880, 1991882, 1991884, 1991885, 1991886, 1991887, 1991889, 1991892, 1991894, 1991896, 1991902, 1991903, 1991951, 1991955, 1991959, 1991960, 1991961, 1992681, 1993777, 1994375, 1995099, 1995922, 1998797, 1999054, 1999421, 2000209, 2000212, 2000370, 2000544, 2001608, 2002021, 2002335, 2002336, 2002479, 2002537, 2002870, 2002897, 2002991, 2003145, 2003480, 2003620, 2003673, 2004036, 2008828, 523628, 9010102, bulletinapr2017, c05349499, c05369403, c05369415, c05390849, CERTFR-2017-AVI-012, CERTFR-2019-AVI-049, CERTFR-2019-AVI-311, cisco-sa-20160927-openssl, cpuapr2017, cpujan2018, cpujul2017, cpujul2019, cpuoct2017, CVE-2016-2183, CVE-2016-6329, DSA-2018-124, DSA-2019-131, DSA-3673-1, DSA-3673-2, FEDORA-2016-7810e24465, FEDORA-2016-dc2cb4ad6b, FG-IR-16-047, FG-IR-16-048, FG-IR-17-127, FG-IR-17-173, HPESBGN03697, HPESBGN03765, HPESBUX03725, HPSBGN03690, HPSBGN03694, HPSBHF03674, ibm10718843, java_jan2017_advisory, JSA10770, KM03060544, NTAP-20160915-0001, openSUSE-SU-2016:2199-1, openSUSE-SU-2016:2391-1, openSUSE-SU-2016:2407-1, openSUSE-SU-2016:2496-1, openSUSE-SU-2016:2537-1, openSUSE-SU-2017:1638-1, openSUSE-SU-2018:0458-1, RHSA-2017:0336-01, RHSA-2017:0337-01, RHSA-2017:0338-01, RHSA-2017:3113-01, RHSA-2017:3114-01, RHSA-2017:3239-01, RHSA-2017:3240-01, RHSA-2018:2123-01, SA133, SA40312, SB10171, SB10186, SB10197, SB10215, SOL13167034, SP-CAAAPUE, SPL-129207, SSA:2016-266-01, SSA:2016-363-01, SSA-556833, SUSE-SU-2016:2387-1, SUSE-SU-2016:2394-1, SUSE-SU-2016:2458-1, SUSE-SU-2016:2468-1, SUSE-SU-2016:2469-1, SUSE-SU-2016:2470-1, SUSE-SU-2016:2470-2, SUSE-SU-2017:1444-1, SUSE-SU-2017:2838-1, SUSE-SU-2017:3177-1, SUSE-SU-2019:14246-1, SWEET32, TNS-2016-16, USN-3087-1, USN-3087-2, USN-3270-1, USN-3339-1, USN-3339-2, USN-3372-1, VIGILANCE-VUL-20473.

Description of the vulnerability

The Blowfish and Triple-DES symmetric encryption algorithms use 64-bit blocks.

However, if they are used in CBC mode, a collision occurs after 785 GB transferred, and it is then possible to decrypt blocks with an attack lasting two days.

An attacker can therefore create a TLS/VPN session with a Blowfish/Triple-DES algorithm, and perform a two-day attack, in order to decrypt data.

This cybersecurity alert impacts software or systems such as Avaya Ethernet Routing Switch, Blue Coat CAS, ProxySG by Blue Coat, SGOS by Blue Coat, Cisco ASR, Cisco Aironet, Cisco ATA, Cisco AnyConnect Secure Mobility Client, Cisco ACE, ASA, AsyncOS, Cisco Catalyst, Cisco Content SMA, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco Prime LMS, Cisco Router, Secure ACS, Cisco CUCM, Cisco Manager Attendant Console, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Cisco WSA, Cisco Wireless Controller, Debian, Avamar, VNX Operating Environment, VNX Series, Black Diamond, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, Fedora, FileZilla Server, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiGate, FortiGate Virtual Appliance, FortiOS, FreeRADIUS, hMailServer, HPE BSM, LoadRunner, HP Operations, Performance Center, Real User Monitoring, SiteScope, HP Switch, HP-UX, AIX, DB2 UDB, Informix Server, IRAD, Security Directory Server, Tivoli Directory Server, Tivoli Storage Manager, Tivoli System Automation, WebSphere MQ, Junos Space, McAfee Email Gateway, ePO, Data ONTAP 7-Mode, Snap Creator Framework, Nodejs Core, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Oracle DB, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Server, Oracle OIT, Solaris, Tuxedo, Oracle Virtual Directory, WebLogic, Oracle Web Tier, SSL protocol, Pulse Connect Secure, Pulse Secure Client, Pulse Secure SBR, RHEL, JBoss EAP by Red Hat, SAS Add-in for Microsoft Office, SAS Analytics Pro, Base SAS Software, SAS Enterprise BI Server, SAS Enterprise Guide, SAS Management Console, SAS OLAP Server, SAS SAS/ACCESS, SAS SAS/AF, SAS SAS/CONNECT, SAS SAS/EIS, SAS SAS/ETS, SAS SAS/FSP, SAS SAS/GRAPH, SAS SAS/IML, SAS SAS/OR, SAS SAS/STAT, SAS SAS/Web Report Studio, SIMATIC, Slackware, Splunk Enterprise, stunnel, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***, Nessus, Ubuntu, WinSCP.

Our Vigil@nce team determined that the severity of this weakness is low.

The trust level is of type confirmed by the editor, with an origin of internet client.

This bulletin is about 2 vulnerabilities.

An attacker with an expert ability can exploit this security weakness.

Solutions for this threat

OpenSSL: version 1.0.2i.
The version 1.0.2i is fixed:
  https://www.openssl.org/source/openssl-1.0.2i.tar.gz

OpenSSL: version 1.0.1u.
The version 1.0.1u is fixed:
  https://www.openssl.org/source/openssl-1.0.1u.tar.gz

OpenSSL: version 1.1.0a.
The version 1.1.0a is fixed:
  https://www.openssl.org/source/openssl-1.1.0a.tar.gz

AIX: fixed versions for IBM Tivoli Directory Server.
Fixed versions are indicated in information sources.

AIX: patch for OpenSSL.
A patch is available:
  https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp
  openssl-1.0.1.517.tar.Z
  openssl-1.0.2.1000.tar.Z
  openssl-20.13.101.500.tar.Z
  openssl-20.13.102.1000.tar.Z

Avaya Ethernet Routing Switch 4800: version 5.10.1.
The version 5.10.1 is fixed:
  http://support.avaya.com/

Blue Coat: solution for SWEET32.
The solution is indicated in information sources.

Cisco: solution for OpenSSL.
The solution is indicated in information sources.

Cloud Foundry: fixed versions for TLS Birthday Attacks.
Fixed versions are indicated in information sources.

Debian: new openssl packages.
New packages are available:
  Debian 8: openssl 1.0.1t-1+deb8u5

Dell EMC Avamar Proxy: solution for Jetty.
The solution is indicated in information sources.

Dell EMC VNXe3200: version 3.1.10.9946299.
The version 3.1.10.9946299 is fixed:
  https://www.dell.com/

ExtremeXOS: solution for SWEET32.
The solution is indicated in information sources.

F5 BIG-IP: solution for OpenSSL.
The solution is indicated in information sources.

Fedora: new openvpn packages.
New packages are available:
  Fedora 23: openvpn 2.3.12-1.fc23
  Fedora 24: openvpn 2.3.12-1.fc24

FileZilla Server: version 0.9.59.
The version 0.9.59 is fixed:
  http://sourceforge.net/projects/filezilla/files/FileZilla%20Server/0.9.59/FileZilla_Server-0_9_59.exe/download

Fortinet FortiAnalyzer: version 5.4.2.
The version 5.4.2 is fixed.

Fortinet FortiOS: version 5.6.0.
The version 5.6.0 is fixed.

Fortinet: solution for SWEET32.
The solution is indicated in information sources.

FreeRADIUS: version 3.0.12.
The version 3.0.12 is fixed:
  ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-3.0.12.tar.bz2

FreeRADIUS: version 3.0.13.
The version 3.0.13 is fixed:
  ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-3.0.13.tar.bz2

hMailServer: version 5.6.6.
The version 5.6.6 is fixed:
  https://www.hmailserver.com/download

HPE Business Service Management: workaround for SWEET32.
A workaround is indicated in the information source:
  https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facetsearch/document/KM02681808

HPE Comware: solution for SWEET32.
The solution is indicated in information sources.

HPE LoadRunner, Performance Center: patch for OpenSSL.
A patch is available:
  https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facetsearch/document/KM02853399?lang=en&cc=us&hpappid=202392_SSO_PRO_HPE

HPE Operations: version Agent 12.02.
The version 12.02 of the Agent is fixed.

HPE Real User Monitor: solution for SWEET32.
The solution is indicated in information sources.

HP SiteScope: solution for SWEET32.
Countermeasures are proposed:
  https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facetsearch/document/KM02693208

HP-UX Apache: version 2.4.18.02.
The version 2.4.18.02 is fixed:
  https://h20392.www2.hpe.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXWSATW503

IBM AIX: patch for Java.
A patch location is provided in information sources, with one patch for each version of the JDK and for each architecture (32 or 64 bits).

IBM BigFix Compliance Analytics: version 1.9.79.
The version 1.9.79 is fixed.

IBM BigFix Platform: solution for OpenSSL (02/05/2017).
The solution is indicated in information sources.

IBM BigFix Remote Control: solution.
The solution is indicated in information sources.
See also the bulletin VIGILANCE-SOL-52145.

IBM Cognos Business Intelligence: fixed versions.
The following versions are fixed:
  Version 10.2.x: http://www.ibm.com/support/docview.wss?uid=swg24043664
  Version 10.1.1: http://www.ibm.com/support/docview.wss?uid=swg24043663

IBM DB2: solution for FCM.
The solution is indicated in information sources.

IBM DB2 UDB: workaround for SWEET32.
A workaround for SWEET32 is to forbid the following set of algorithms: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA.

IBM DB2: version 10.1 Fix Pack 6.
The version 10.1 Fix Pack 6 is fixed.

IBM Informix Dynamic Server: fixed versions.
Fixed versions are indicated in information sources.

IBM Rational Application Developer for WebSphere: patch for Java.
A patch is available:
  version 9.x: https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm~Rational&product=ibm/Rational/IBM+Rational+Application+Developer+for+WebSphere+Software&release=9.5.0&platform=All&function=fixId&fixids=Rational-RAD-Java8SR4FP1-ifix&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp
  version 8.x: https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm~Rational&product=ibm/Rational/IBM+Rational+Application+Developer+for+WebSphere+Software&release=9.1.0&platform=All&function=fixId&fixids=Rational-RAD-Java7SR10FP1-ifix&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp

IBM Rational Application Developer for WebSphere: solution for Node.js.
The solution is indicated in information sources.

IBM Security Directory Server: solution for Java.
The solution is indicated in information sources.

IBM Spectrum Protect Snapshot: patch for Java.
A patch is available:
  Version 4.1.x: http://www.ibm.com/support/docview.wss?uid=swg24043426
  Version 3.2.x: http://www.ibm.com/support/docview.wss?uid=swg24043440

IBM Spectrum Protect: versions 7.1.6.5 and 8.1.0.2.
Versions 7.1.6.5 and 8.1.0.2 are fixed:
  Version 7.1.6.5: http://www-01.ibm.com/support/docview.wss?uid=swg24042496
  Version 8.1.0.2: http://www.ibm.com/support/docview.wss?uid=swg24043351

IBM Tivoli/Security Directory Server: solution for GSKit.
The solution is indicated in information sources.

IBM Tivoli Storage Manager: patch for Java.
A patch is indicated in information sources for branches 6.4, 7.1 and 8.1.

IBM Tivoli Storage Manager: solution for Sweet32.
The solution is indicated in information sources.

IBM Tivoli System Automation for Multiplatforms: solution for Java.
The solution is indicated in information sources.

IBM WebSphere MQ: patch for SWEET32.
A patch is available:
  http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%2FWebSphere&product=ibm/WebSphere/WebSphere+MQ&release=All&platform=All&function=aparId&apars=IT18095&source=fc

IBM WebSphere MQ: version 5.3.1.13.
The version 5.3.1.13 is fixed:
  https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/WebSphere+MQ&release=All&platform=HP+NonStop&function=fixId&fixids=5.3.1.13-WS-MQ-HPNSS-FP013&source=fc

IBM WebSphere MQ: version 8.0.0.6.
The version 8.0.0.6 is fixed:
  http://www-01.ibm.com/support/docview.wss?uid=swg21995100

Junos Space: version 16.1R1.
The version 16.1R1 is fixed:
  https://www.juniper.net/

McAfee Email Gateway: patch for OpenSSL.
A patch is indicated in information sources.

McAfee ePolicy Orchestrator: patch for Sweet32.
A patch is indicated in information sources.
It is an addition to VIGILANCE-SOL-48779 and VIGILANCE-SOL-50787.

McAfee ePolicy Orchestrator: patch for TLS and Oracle Java.
A patch is indicated in information sources for product versions 5.1.3 to 5.3.2.

McAfee ePO: patch for OpenSSL.
A patch is indicated in information sources.

NetApp: solution for SWEET32.
The solution is indicated in information sources.

Node.js: versions 6.7.0, 4.6.0, 0.12.16, 0.10.47.
Versions 6.7.0, 4.6.0, 0.12.16, 0.10.47 are fixed:
  https://nodejs.org/en/download/

OpenSSL: workaround for SWEET32.
A workaround is to forbid Blowfish and Triple-DES in applications. Symmetric encryption algorithms must use blocks of at least 128 bits.
For example, for Apache httpd:
  SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!MD5:!RC4:!3DES:!EXP:!PSK:!SRP:!DSS
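
An added example (not part of the Vigil@nce bulletin or of any vendor's tooling): a Python audit that flags 64-bit block ciphers in a list of cipher-suite names, accepting both the IANA names used in the DB2 workaround and OpenSSL-style names such as the colon-separated list printed by `openssl ciphers`. It goes beyond the bulletin by also flagging DES, IDEA and RC2, which are 64-bit block ciphers too; the function names and the sample "offered" list are constructed for illustration.

```python
import re

# Name tokens that identify a 64-bit block cipher. Checked in order, so the
# Triple-DES markers win over the bare "DES" token (e.g. in DES-CBC3-SHA).
_MARKERS = [
    ("3DES", "Triple-DES"),      # IANA: TLS_RSA_WITH_3DES_EDE_CBC_SHA
    ("CBC3", "Triple-DES"),      # OpenSSL: DES-CBC3-SHA
    ("EDE3", "Triple-DES"),      # OpenVPN / EVP: DES-EDE3-CBC
    ("BF", "Blowfish"),          # OpenVPN / EVP: BF-CBC
    ("BLOWFISH", "Blowfish"),
    ("DES", "DES"),
    ("DES40", "DES"),
    ("IDEA", "IDEA"),
    ("RC2", "RC2"),
]


def block64_cipher(name):
    """Return the 64-bit block cipher used by `name`, or None if there is none."""
    # Split on the separators used by IANA (_) and OpenSSL (-) names so that
    # markers are matched as whole tokens, never as substrings.
    tokens = set(re.split(r"[-_]", name.strip().upper()))
    for marker, cipher in _MARKERS:
        if marker in tokens:
            return cipher
    return None


def audit(suites):
    """Map each offending suite name to its 64-bit block cipher.

    `suites` is a list of names, or one colon-separated string.
    """
    if isinstance(suites, str):
        suites = suites.split(":")
    findings = {}
    for suite in (s.strip() for s in suites):
        cipher = block64_cipher(suite) if suite else None
        if cipher:
            findings[suite] = cipher
    return findings


# Suites named in the DB2 workaround of this bulletin.
DB2_SUITES = [
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]
# Constructed sample: what a server might offer before the workaround.
SAMPLE_OFFERED = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:AES256-SHA"

if __name__ == "__main__":
    for suite, cipher in audit(SAMPLE_OFFERED).items():
        print(f"64-bit block cipher offered: {suite} ({cipher})")
```

An empty result from `audit()` on the list a server actually offers means no suite in it relies on a 64-bit block cipher.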

openSUSE Leap 42.1: new compat-openssl098 packages.
New packages are available:
  openSUSE Leap 42.1: compat-openssl098 0.9.8j-15.1

openSUSE Leap 42.1: new libqt4 packages.
New packages are available:
  openSUSE Leap 42.1: libqt4 4.8.6-13.1

openSUSE Leap 42.2: new openvpn packages.
New packages are available:
  openSUSE Leap 42.2: openvpn 2.3.8-8.6.1

openSUSE Leap: new openssl-steam packages.
New packages are available:
  openSUSE Leap 42.3: libopenssl1_0_0-steam 1.0.2k-4.3.1

openSUSE: new nodejs packages (12/10/2016).
New packages are available:
  openSUSE 13.2: nodejs 4.6.0-24.2
  openSUSE Leap 42.1: nodejs 4.6.0-33.1

openSUSE: new openssl packages.
New packages are available:
  openSUSE 13.2: openssl 1.0.1k-2.39.1
  openSUSE Leap 42.1: openssl 1.0.1i-18.1

Oracle Communications: CPU of October 2017.
A Critical Patch Update is available.

Oracle Database: CPU of July 2017.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2261562.1

Oracle Database: CPU of July 2019.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2534806.1

Oracle Fusion Middleware: CPU of April 2017.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2228898.1

Oracle Fusion Middleware: CPU of January 2018.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2325393.1

Oracle Fusion Middleware: CPU of July 2019.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2534806.1

Oracle Fusion Middleware: CPU of October 2017.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2296870.1

Oracle Solaris: patch for third party software of April 2017 v1.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

Pulse Secure: solution for OpenSSL.
The solution is indicated in information sources.

Red Hat JBoss EAP: patch.
A patch is available:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.4

Red Hat JBoss Web Server: patch.
A patch is available:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=2.1.2

RHEL 5: new java-1.7.0-ibm packages.
New packages are available:
  RHEL 5: java-1.7.0-ibm 1.7.0.10.1-1jpp.1.el5_11

RHEL 7.5: new python packages.
New packages are available:
  RHEL 7: python 2.7.5-69.el7_5

RHEL: new java-1.6.0-ibm packages.
New packages are available:
  RHEL 5: java-1.6.0-ibm 1.6.0.16.41-1jpp.1.el5_11
  RHEL 6: java-1.6.0-ibm 1.6.0.16.41-1jpp.1.el6_8

RHEL: new java-1.7.1-ibm packages.
New packages are available:
  RHEL 6: java-1.7.1-ibm 1.7.1.4.1-1jpp.1.el6_8
  RHEL 7: java-1.7.1-ibm 1.7.1.4.1-1jpp.2.el7

SAS 9.4: patch for OpenSSL, Apache.
A patch is available:
  http://support.sas.com/kb/59371.html

Siemens SIMATIC RF6XXR: solution for TLS.
The solution is indicated in information sources.

Slackware: new openssl packages.
New packages are available:
  Slackware 14.0: openssl 1.0.1u-*-1_slack14.0
  Slackware 14.1: openssl 1.0.1u-*-1_slack14.1
  Slackware 14.2: openssl 1.0.2i-*-1_slack14.2

Slackware: new python packages.
New packages are available:
  Slackware 14.0: python 2.7.13-*-1_slack14.0
  Slackware 14.1: python 2.7.13-*-1_slack14.1
  Slackware 14.2: python 2.7.13-*-1_slack14.2

Snare Enterprise Agent for MSSQL: version 1.4.9.
The version 1.4.9 is fixed:
  https://snaresupport.intersectalliance.com/

Snare Enterprise Agent for Windows: version 4.3.8.
The version 4.3.8 is fixed:
  https://snaresupport.intersectalliance.com/

Splunk Enterprise: versions 6.0.13, 6.1.12, 6.2.12, 6.3.8, 6.4.5 and 6.5.1.
Versions 6.0.13, 6.1.12, 6.2.12, 6.3.8, 6.4.5 and 6.5.1 are fixed:
  http://www.splunk.com/

stunnel: version 5.36.
The version 5.36 is fixed:
  https://www.stunnel.org/downloads/stunnel-5.36-installer.exe
  https://www.stunnel.org/downloads/stunnel-5.36.tar.gz

SUSE LE 11: new openssl1 packages.
New packages are available:
  SUSE LE 11: openssl1 1.0.1g-0.52.1

SUSE LE 11: new openssl packages.
New packages are available:
  SUSE LE 11 SP2: openssl 0.9.8j-0.102.2
  SUSE LE 11 SP3: openssl 0.9.8j-0.102.2
  SUSE LE 11 SP4: openssl 0.9.8j-0.102.2

SUSE LE 11: new openvpn packages.
New packages are available:
  SUSE LE 11 RTM: openvpn-openssl1 2.3.2-0.10.3.1
  SUSE LE 11 SP1: openvpn-openssl1 2.3.2-0.10.3.1
  SUSE LE 11 SP2: openvpn-openssl1 2.3.2-0.10.3.1
  SUSE LE 11 SP3: openvpn 2.0.9-143.47.3.1
  SUSE LE 11 SP4: openvpn 2.0.9-143.47.3.1

SUSE LE 11 SP4: new MozillaFirefox packages (12/12/2019).
New packages are available:
  SUSE LE 11 SP4: MozillaFirefox 68.2.0-78.51.4

SUSE LE 12: new compat-openssl098 packages.
New packages are available:
  SUSE LE 12 RTM: compat-openssl098 0.9.8j-102.1
  SUSE LE 12 SP1: compat-openssl098 0.9.8j-102.1

SUSE LE 12: new nodejs4 packages.
New packages are available:
  SUSE LE 12 RTM/SP1: nodejs4 4.6.0-8.1

SUSE LE 12: new openssl packages.
New packages are available:
  SUSE LE 12 RTM: openssl 1.0.1i-27.21.1
  SUSE LE 12 SP1: openssl 1.0.1i-52.1

SUSE LE 12 SP2: new nodejs4 packages.
New packages are available:
  SUSE LE 12 SP2: nodejs4 4.6.0-8.1

SUSE LE: new java-1_6_0-ibm packages.
New packages are available:
  SUSE LE 11 SP3: java-1_6_0-ibm 1.6.0_sr16.45-84.1

Synology RS/DS: version 6.0.2-8451-2.
The version 6.0.2-8451-2 is fixed:
  https://www.synology.com/

Tenable Nessus: version 6.9.0.
The version 6.9.0 is fixed:
  http://www.tenable.com/

Ubuntu 12.04: new libnss3 packages.
New packages are available:
  Ubuntu 12.04 ESM: libnss3 2:3.28.4-0ubuntu0.12.04.1

Ubuntu: new libnss3 packages.
New packages are available:
  Ubuntu 17.04: libnss3 2:3.28.4-0ubuntu0.17.04.1
  Ubuntu 16.10: libnss3 2:3.28.4-0ubuntu0.16.10.1
  Ubuntu 16.04 LTS: libnss3 2:3.28.4-0ubuntu0.16.04.1
  Ubuntu 14.04 LTS: libnss3 2:3.28.4-0ubuntu0.14.04.1

Ubuntu: new openssl packages.
New packages are available:
  Ubuntu 16.04 LTS: libssl1.0.0 1.0.2g-1ubuntu4.5
  Ubuntu 14.04 LTS: libssl1.0.0 1.0.1f-1ubuntu2.21
  Ubuntu 12.04 LTS: libssl1.0.0 1.0.1-4ubuntu5.38

Ubuntu: new openvpn packages.
New packages are available:
  Ubuntu 17.04: openvpn 2.4.0-4ubuntu1.3
  Ubuntu 16.10: openvpn 2.3.11-1ubuntu2.1
  Ubuntu 16.04 LTS: openvpn 2.3.10-1ubuntu2.1
  Ubuntu 14.04 LTS: openvpn 2.3.2-7ubuntu3.2
  Ubuntu 12.04 ESM: openvpn 2.2.1-8ubuntu1.5

Wind River Linux: solution for OpenSSL.
The solution is indicated in information sources.

WinSCP: version 5.9.3.
The version 5.9.3 is fixed:
  https://winscp.net/