The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of TLS, DTLS: information disclosure in CBC mode, Lucky 13

Synthesis of the vulnerability

An attacker can inject wrongly encrypted messages into a TLS/DTLS session that uses CBC mode, and measure the delay before the error message is received, in order to progressively guess the clear content of the session.
Vulnerable systems: Bouncy Castle JCE, Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP-UX, AIX, Db2 UDB, Tivoli Directory Server, Tivoli Storage Manager, Tivoli Workload Scheduler, WebSphere MQ, Juniper J-Series, Junos OS, Junos Space, NSM Central Manager, NSMXpress, Juniper SBR, Mandriva Linux, McAfee Email and Web Security, ePO, MySQL Enterprise, NetScreen Firewall, ScreenOS, Java OpenJDK, OpenSSL, openSUSE, openSUSE Leap, Opera, Java Oracle, Solaris, pfSense, SSL protocol, RHEL, JBoss EAP by Red Hat, SIMATIC, Slackware, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive, ESX, ESXi, vCenter Server, VMware vSphere, VMware vSphere Hypervisor.
Severity of this threat: 1/4.
Number of vulnerabilities in this bulletin: 7.
Creation date: 05/02/2013.
References of this weakness: 1639354, 1643316, 1672363, BID-57736, BID-57774, BID-57776, BID-57777, BID-57778, BID-57780, BID-57781, c03710522, c03883001, CERTA-2013-AVI-099, CERTA-2013-AVI-109, CERTA-2013-AVI-339, CERTA-2013-AVI-454, CERTA-2013-AVI-543, CERTA-2013-AVI-657, CERTFR-2014-AVI-112, CERTFR-2014-AVI-244, CERTFR-2014-AVI-286, CERTFR-2019-AVI-311, CERTFR-2019-AVI-325, CVE-2013-0169, CVE-2013-1619, CVE-2013-1620, CVE-2013-1621, CVE-2013-1622-REJECT, CVE-2013-1623, CVE-2013-1624, DLA-1518-1, DSA-2621-1, DSA-2622-1, ESX400-201310001, ESX400-201310401-SG, ESX400-201310402-SG, ESX410-201307001, ESX410-201307401-SG, ESX410-201307403-SG, ESX410-201307404-SG, ESX410-201307405-SG, ESX410-201312001, ESX410-201312401-SG, ESX410-201312403-SG, ESXi410-201307001, ESXi410-201307401-SG, ESXi510-201401101-SG, FEDORA-2013-2110, FEDORA-2013-2128, FEDORA-2013-2764, FEDORA-2013-2793, FEDORA-2013-2813, FEDORA-2013-2834, FEDORA-2013-2892, FEDORA-2013-2929, FEDORA-2013-2984, FEDORA-2013-3079, FEDORA-2013-4403, FreeBSD-SA-13:03.openssl, GNUTLS-SA-2013-1, HPSBUX02856, HPSBUX02909, IC90385, IC90395, IC90396, IC90397, IC90660, IC93077, JSA10575, JSA10580, JSA10759, JSA10939, JSA11023, Lucky 13, MDVSA-2013:014, MDVSA-2013:018, MDVSA-2013:019, MDVSA-2013:040, MDVSA-2013:050, MDVSA-2013:052, openSUSE-SU-2013:0336-1, openSUSE-SU-2013:0337-1, openSUSE-SU-2013:0339-1, openSUSE-SU-2013:0807-1, openSUSE-SU-2016:0640-1, RHSA-2013:0273-01, RHSA-2013:0274-01, RHSA-2013:0275-01, RHSA-2013:0531-01, RHSA-2013:0532-01, RHSA-2013:0587-01, RHSA-2013:0588-01, RHSA-2013:0636-01, RHSA-2013:0782-01, RHSA-2013:0783-01, RHSA-2013:0833-01, RHSA-2013:0834-02, RHSA-2013:0839-02, RHSA-2013:1135-01, RHSA-2013:1144-01, RHSA-2013:1181-01, RHSA-2013:1455-01, RHSA-2013:1456-01, RHSA-2014:0371-01, RHSA-2014:0372-01, RHSA-2014:0896-01, RHSA-2015:1009, SOL14190, SOL15630, SSA:2013-040-01, SSA:2013-042-01, SSA:2013-242-01, SSA:2013-242-03, SSA:2013-287-03, SSA-556833, SSRT101104, SSRT101289, SUSE-SU-2013:0328-1, 
SUSE-SU-2014:0320-1, SUSE-SU-2014:0322-1, swg21633669, swg21638270, swg21639354, swg21640169, VIGILANCE-VUL-12374, VMSA-2013-0006.1, VMSA-2013-0007.1, VMSA-2013-0009, VMSA-2013-0009.1, VMSA-2013-0009.2, VMSA-2013-0009.3, VMSA-2013-0015.

Description of the vulnerability

TLS can protect records with a block cipher in CBC (Cipher Block Chaining) mode, where each ciphertext block depends on the previous one. The record layer computes a MAC over the plaintext, appends padding up to a multiple of the block size, and only then encrypts (MAC-then-encrypt).

When a received record does not decrypt to valid padding and a valid MAC, a fatal alert is sent to the sender. However, the time needed to produce this alert depends on how many bytes the MAC is computed over: the receiver strips the padding it finds (or, when the padding is invalid, none of it) and hashes the remaining bytes, so the number of hash compression function calls varies with the decrypted content.

An attacker can therefore inject wrongly encrypted messages into a TLS/DTLS session that uses CBC mode, and measure the delay before the alert is received, in order to progressively guess the clear content of the session.

In order to recover one plaintext block, about 2^23 TLS sessions are required. Each injected record terminates the session with a fatal alert, so to exploit this vulnerability the TLS client has to open a new session every time the previous one ends, and the targeted plaintext (for example a cookie) has to be sent again at the same position in each of them.
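The timing difference described above, as an added example that is not code from any product in this bulletin: it models only the record check that runs after CBC decryption (TLS 1.1/1.2 padding check, then HMAC-SHA1 verification), counts the SHA-1 compression calls the MAC needs as a stand-in for the measured alert latency, and runs the simplified attacker loop against both the leaky check and a constant-time check of the kind the fixed implementations use. The 64-byte record, the 20-byte tag, the MAC key, the 13-byte MAC header and the target block are constructed assumptions.

```python
"""Model of the record-check timing leak behind Lucky 13 (constructed example).
Only what happens after CBC decryption is modelled.  'Work' is the number of
SHA-1 compression calls HMAC-SHA1 needs, the quantity a remote attacker sees
as a difference in the delay before the fatal alert arrives."""
import hashlib
import hmac

MAC_LEN = 20        # HMAC-SHA1 tag length
SHA1_BLOCK = 64
# seq_num(8) + content_type(1) + version(2); the 2-byte length is appended per
# record, giving the 13-byte MAC header that gives the attack its name.
HEADER_PREFIX = bytes(8) + b"\x17\x03\x03"


def hmac_sha1_compressions(msg_len):
    """Compression calls for HMAC-SHA1 over msg_len bytes: inner hash of
    (64-byte keyed block || msg || 0x80 || 8-byte length), then an outer hash
    of (64-byte keyed block || 20-byte digest), which always costs 2 blocks."""
    inner = -(-(SHA1_BLOCK + msg_len + 9) // SHA1_BLOCK)  # ceil division
    return inner + 2


def _parse_padding(decrypted):
    """TLS 1.1+ padding: last byte p, preceded by p more bytes equal to p.
    Returns (padding_ok, effective_pad).  Bad padding is treated as p = 0 so
    that the MAC is still checked, as RFC 5246 section 6.2.3.2 recommends."""
    p = decrypted[-1]
    ok = p + 1 + MAC_LEN <= len(decrypted) and all(b == p for b in decrypted[-(p + 1):])
    return ok, (p if ok else 0)


def leaky_check(mac_key, decrypted):
    """Pre-fix pattern: MAC over whatever body length the padding implies.
    Returns (accepted, work); 'work' is what the timing channel exposes even
    though every rejected record produces the same fatal alert."""
    pad_ok, p = _parse_padding(decrypted)
    body_len = len(decrypted) - p - 1 - MAC_LEN
    body, tag = decrypted[:body_len], decrypted[body_len:body_len + MAC_LEN]
    mac_in = HEADER_PREFIX + body_len.to_bytes(2, "big") + body
    mac_ok = hmac.compare_digest(hmac.new(mac_key, mac_in, hashlib.sha1).digest(), tag)
    return pad_ok and mac_ok, hmac_sha1_compressions(len(mac_in))


def constant_time_check(mac_key, decrypted):
    """Hardened pattern: always do the work of the longest possible body
    (p = 0), burning the difference on a throwaway hash, so the compression
    count no longer depends on the decrypted bytes."""
    pad_ok, p = _parse_padding(decrypted)
    body_len = len(decrypted) - p - 1 - MAC_LEN
    body, tag = decrypted[:body_len], decrypted[body_len:body_len + MAC_LEN]
    mac_in = HEADER_PREFIX + body_len.to_bytes(2, "big") + body
    expected = hmac.new(mac_key, mac_in, hashlib.sha1).digest()
    max_work = hmac_sha1_compressions(len(HEADER_PREFIX) + 2 + len(decrypted) - 1 - MAC_LEN)
    filler = hashlib.sha1()
    for _ in range(max_work - hmac_sha1_compressions(len(mac_in))):
        filler.update(bytes(SHA1_BLOCK))  # one dummy compression each
    mac_ok = hmac.compare_digest(expected, tag)
    return pad_ok and mac_ok, max_work


def recover_last_two_bytes(mac_key, front, target_plain, check=leaky_check):
    """Simplified Lucky 13 loop.  The attacker splices the target ciphertext
    block as the last block of a 64-byte record and XORs a 2-byte delta into
    the tail of the preceding ciphertext block; CBC then makes the victim
    decrypt the last block to target_plain XOR delta (decryption itself is
    skipped here).  The unique delta that costs 4 instead of 5 compressions
    satisfies target[-2:] XOR delta == 01 01: valid 2-byte padding, so the MAC
    covers 42 body bytes and 13 + 42 = 55 bytes fit in two SHA-1 blocks.
    Assumes target_plain[-3] cannot complete a longer valid padding."""
    for guess in range(1 << 16):
        delta = guess.to_bytes(2, "big")
        tail = bytes(a ^ b for a, b in zip(target_plain[-2:], delta))
        _, work = check(mac_key, front + target_plain[:-2] + tail)
        if work == 4:
            return bytes(a ^ 0x01 for a in delta)
    return None  # no timing difference to exploit


def demo():
    """Constructed inputs: a made-up MAC key, 48 leading plaintext bytes the
    attacker does not know, and a 16-byte target block (tail of a cookie)."""
    key = b"k" * 20
    front = bytes(range(48))
    target = b"sessionid=7f3a9c"
    leaked = recover_last_two_bytes(key, front, target)                       # b"9c"
    safe = recover_last_two_bytes(key, front, target, constant_time_check)    # None
    return leaked, safe


if __name__ == "__main__":
    print(demo())
```

Every record in the loop is rejected with the same fatal alert, which is why the padding-oracle fix of TLS 1.1 (checking the MAC even on bad padding) is not enough on its own: the leak is in how long the rejection takes, and that has to be equalised as well. Real implementations also have to keep the padding comparison and the memory access pattern constant-time; the model above shows only the compression-count component.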
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This threat announcement impacts software or systems such as Bouncy Castle JCE, Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP-UX, AIX, Db2 UDB, Tivoli Directory Server, Tivoli Storage Manager, Tivoli Workload Scheduler, WebSphere MQ, Juniper J-Series, Junos OS, Junos Space, NSM Central Manager, NSMXpress, Juniper SBR, Mandriva Linux, McAfee Email and Web Security, ePO, MySQL Enterprise, NetScreen Firewall, ScreenOS, Java OpenJDK, OpenSSL, openSUSE, openSUSE Leap, Opera, Java Oracle, Solaris, pfSense, SSL protocol, RHEL, JBoss EAP by Red Hat, SIMATIC, Slackware, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive, ESX, ESXi, vCenter Server, VMware vSphere, VMware vSphere Hypervisor.

Our Vigil@nce team determined that the severity of this cybersecurity alert is low.

The trust level is "confirmed by the vendor", and the attack origin is the LAN: the attacker must be able to intercept and modify the session's traffic.

This bulletin is about 7 vulnerabilities.

Exploiting this security alert requires expert skills.

Solutions for this threat

TLS, DTLS: workaround for Lucky 13.
A workaround is to not negotiate CBC cipher suites at all: prefer AEAD suites such as AES-GCM (Galois/Counter Mode). The original bulletin also lists ARCFOUR/RC4 as an alternative; RC4 avoids the CBC padding problem, but it has since been shown to have exploitable keystream biases and its use in TLS is prohibited by RFC 7465, so it should not be chosen as a replacement today. The fixed implementations listed below keep CBC usable by making the padding check and the MAC computation take the same time regardless of the decrypted content.

Bouncy Castle: version 1.48.
The version 1.48 is fixed:
  http://www.bouncycastle.org/

GnuTLS: version 3.1.7.
The version 3.1.7 is fixed:
  http://www.gnutls.org/download.html

GnuTLS: version 3.0.28.
The version 3.0.28 is fixed:
  http://www.gnutls.org/download.html

GnuTLS: version 2.12.23.
The version 2.12.23 is fixed:
  http://www.gnutls.org/download.html

OpenSSL: version 1.0.1e.
The version 1.0.1e is fixed:
  http://www.openssl.org/

OpenSSL: version 1.0.1d.
The version 1.0.1d is fixed:
  http://www.openssl.org/
The version 1.0.1e is more recent: VIGILANCE-SOL-28736.

OpenSSL: version 1.0.0k.
The version 1.0.0k is fixed:
  http://www.openssl.org/

OpenSSL: version 0.9.8y.
The version 0.9.8y is fixed:
  http://www.openssl.org/

Opera: version 12.13.
The version 12.13 is fixed:
  http://www.opera.com/

Oracle JRE, JDK: version 7u15.
The version 7u15 is fixed:
  http://www.oracle.com/technetwork/java/javase/downloads/index.html

Oracle JRE, JDK: version 6 Update 41.
The version 6 Update 41 is fixed:
  http://www.oracle.com/technetwork/java/javase/downloads/index.html

Oracle JRE, JDK: version 1.5.0_40.
The version 1.5.0_40 is fixed:
  http://www.oracle.com/technetwork/java/javase/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/documentation/overview-137139.html

Oracle JRE, JDK: version 1.4.2_42.
The version 1.4.2_42 is fixed:
  http://www.oracle.com/technetwork/java/javase/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/documentation/overview-142120.html

IcedTea7: versions 2.1.6, 2.2.6 and 2.3.7.
Versions 2.1.6, 2.2.6 and 2.3.7 are fixed:
  http://icedtea.classpath.org/download/source/icedtea-2.1.6.tar.gz
  http://icedtea.classpath.org/download/source/icedtea-2.2.6.tar.gz
  http://icedtea.classpath.org/download/source/icedtea-2.3.7.tar.gz

IcedTea6: versions 1.11.8 and 1.12.3.
Versions 1.11.8 and 1.12.3 are fixed:
  http://icedtea.classpath.org/download/source/icedtea6-1.11.8.tar.gz
  http://icedtea.classpath.org/download/source/icedtea6-1.12.3.tar.gz

F5 BIG-IP: fixed versions for Lucky 13.
Fixed versions are indicated in information sources.

MySQL: version 5.6.11.
The version 5.6.11 is fixed.

MySQL: version 5.5.31.
The version 5.5.31 is fixed.

MySQL: version 5.1.69.
The version 5.1.69 is fixed.

pfSense: version 2.0.3.
The version 2.0.3 is fixed:
  http://www.pfsense.org/mirror.php?section=downloads

AIX: patch for OpenSSL.
A patch is available in information sources.

Debian 8: new polarssl packages.
New packages are available:
  Debian 8: polarssl 1.3.9-2.1+deb8u4

Debian: new openssl packages.
New packages are available:
  openssl 0.9.8o-4squeeze14

Debian: new polarssl packages.
New packages are available:
  polarssl 0.12.1-1squeeze1

Fedora 17: new gnutls packages.
New packages are available:
  gnutls-2.12.23-1.fc17

Fedora 17: new libtasn1 packages.
New packages are available:
  libtasn1-2.14-1.fc17

Fedora 18: new gnutls packages.
New packages are available:
  gnutls-2.12.23-1.fc18

Fedora 18: new mingw-openssl packages.
New packages are available:
  mingw-openssl-1.0.1e-1.fc18

Fedora: new java-1.7.0-openjdk packages.
New packages are available:
  java-1.7.0-openjdk-1.7.0.9-2.3.7.0.fc17
  java-1.7.0-openjdk-1.7.0.9-2.3.7.0.fc18

Fedora: new mingw-gnutls packages.
New packages are available:
  mingw-gnutls-2.12.20-1.fc17
  mingw-gnutls-2.12.22-1.fc18

Fedora: new nss/nspr packages.
New packages are available, as indicated in information sources.

Fedora: new openssl packages.
New packages are available:
  openssl-1.0.0k-1.fc17
  openssl-1.0.1e-3.fc18

FreeBSD: patch for openssl.
A patch is available:
  FreeBSD 8.3, 9.0 :
    http://security.FreeBSD.org/patches/SA-13:03/openssl.patch
  FreeBSD 9.1 :
    http://security.FreeBSD.org/patches/SA-13:03/openssl-9.1.patch

HP-UX: Apache version B.2.0.64.05.
The version B.2.0.64.05 is fixed:
  http://software.hp.com

HP-UX: version for OpenSSL.
The following version is fixed:
  B.11.11 : OpenSSL_A.00.09.08y.001_HP-UX_B.11.11_32_64.depot
  B.11.23 : OpenSSL_A.00.09.08y.002_HP-UX_B.11.23_IA_PA.depot
  B.11.31 : OpenSSL_A.00.09.08y.003_HP-UX_B.11.31_IA_PA.depot
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=OPENSSL11I

IBM DB2: APAR for GSKit.
An APAR is available:
  V9.5 : IC90385
  V9.7 FP9 : IC90395 http://www.ibm.com/support/docview.wss?uid=swg24036646
  V9.8 : IC90396
  V10.1 : IC90397

IBM Tivoli Directory Server: fixed versions for GSKit.
The following versions are fixed:
  6.3.0.22
  6.2.0.30
  6.1.0.55
  6.0.0.72

IBM Tivoli Storage Manager: solution for Lucky 13.
The solution is indicated in information sources.

IBM Tivoli Workload Scheduler: solution for OpenSSL.
The solution is indicated in information sources.

IBM WebSphere MQ Telemetry 7.0.1: patch for TLS.
A patch is available:
  IBM WebSphere MQ Telemetry 7.0.1 :
    Request IC93077 from IBM Support.
  IBM WebSphere MQ 7.1, 7.5 :
    http://www.ibm.com/support/docview.wss?uid=swg21633669

IBM WebSphere MQ: version 7.1.0.3.
The version 7.1.0.3 is fixed:
  http://www-01.ibm.com/support/docview.wss?rs=171&uid=swg24035405

JBoss Enterprise Application Platform: version 6.1.0.
The version 6.1.0 is fixed.

JBoss Enterprise: update for OpenSSL.
An update is available:
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=enterpriseweb.platform&version=5.2.0
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=appplatform&version=5.2.0

Juniper Junos: version 12.1R6.
The version 12.1R6 is fixed:
  http://www.juniper.net/

Juniper Junos: version 12.2R4.
The version 12.2R4 is fixed:
  http://www.juniper.net/

Juniper Junos: version 12.3R3.
The version 12.3R3 is fixed:
  http://www.juniper.net/

Juniper JUNOS: version 13.1R2.
The version 13.1R2 is fixed:
  http://www.juniper.net/

Juniper: solution for OpenSSL.
The solution is indicated in information sources.

Junos Space: version 20.1R1.
The version 20.1R1 is fixed:
  https://www.juniper.net/support/downloads/

Mandriva Business Server: new gnutls packages.
New packages are available:
  gnutls-3.0.28-1.mbs1

Mandriva Business Server: new nss/nspr packages.
New packages are available:
  nss-3.14.3-1.mbs1
  nspr-4.9.5-1.mbs1

Mandriva Business Server: new openssl packages.
New packages are available:
  openssl-1.0.0k-1.mbs1

Mandriva: new gnutls packages.
New packages are available:
  gnutls-2.4.1-2.8mdvmes5.2

Mandriva: new java-1.6.0-openjdk packages.
New packages are available:
  java-1.6.0-openjdk-1.6.0.0-35.b24.3-mdv2011.0
  java-1.6.0-openjdk-1.6.0.0-35.b24.3mdvmes5.2

Mandriva: new openssl packages.
New packages are available:
  openssl-0.9.8h-3.17mdvmes5.2

McAfee Email and Web Security: version 5.6p6.
The version 5.6p6 is fixed:
  http://www.mcafee.com/

McAfee ePO: version 4.6.9.
The version 4.6.9 is fixed.

openSUSE: new gnutls packages.
New packages are available:
  openSUSE 12.1: gnutls 3.0.3-5.15.1
  openSUSE 12.2: gnutls 3.0.20-1.4.1

openSUSE: new libopenssl0_9_8 packages.
New packages are available:
  openSUSE 13.2: libopenssl0_9_8 0.9.8zh-9.3.1
  openSUSE Leap 42.1: libopenssl0_9_8 0.9.8zh-14.1

openSUSE: new openssl packages (25/02/2013).
New packages are available:
  openSUSE 11.4 : openssl-1.0.0k-18.45.1
  openSUSE 12.1 : openssl-1.0.0k-34.20.1
  openSUSE 12.2 : openssl-1.0.1e-2.8.1

Red Hat JBoss BPM Suite: version 6.0.1.
The version 6.0.1 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=distributions&version=6.0.1

Red Hat JBoss BRMS: version 6.0.1.
The version 6.0.1 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=distributions&version=6.0.1

Red Hat JBoss Portal: version 6.2.0.
The version 6.2.0 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal&downloadType=distributions

Red Hat JBoss Web Framework Kit: version 2.6.0.
The version 2.6.0 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=web.framework.kit&downloadType=distributions

Red Hat Satellite: new java-1.6.0-ibm packages.
New packages are available:
Red Hat Satellite (RHEL v.5):
  java-1.6.0-ibm-1.6.0.14.0-1jpp.1.el5_9
Red Hat Satellite (RHEL v.6):
  java-1.6.0-ibm-1.6.0.14.0-1jpp.1.el6_4

RHEL 5: new nss/nspr packages.
New packages are available:
  nspr-4.9.5-1.el5_9
  nss-3.14.3-6.el5_9

RHEL 6.4: new nss packages.
New packages are available:
  nss-3.14.3-4.el6_4
  nspr-4.9.5-2.el6_4

RHEL 6 EV: new rhev-hypervisor6 packages.
New packages are available:
  rhev-hypervisor6-6.4-20130815.0.el6_4

RHEL 6 RHEV: new rhev-hypervisor6 packages.
New packages are available:
  rhev-hypervisor6-6.4-20130306.2.el6_4

RHEL: new gnutls packages.
New packages are available:
  gnutls-1.4.1-10.el5_9.1
  gnutls-2.8.5-10.el6_4.1

RHEL: new java-1.6.0-sun packages.
New packages are available:
  java-1.6.0-sun-1.6.0.41-1jpp.1.el5_9
  java-1.6.0-sun-1.6.0.41-1jpp.1.el6_3

RHEL: new java-1.7.0-oracle packages.
New packages are available:
  java-1.7.0-oracle-1.7.0.15-1jpp.1.el5_9
  java-1.7.0-oracle-1.7.0.15-1jpp.1.el6_3

RHEL: new java-1.x.0-openjdk packages.
New packages are available:
  java-1.6.0-openjdk-1.6.0.0-1.35.1.11.8.el5_9
  java-1.6.0-openjdk-1.6.0.0-1.56.1.11.8.el6_3
  java-1.7.0-openjdk-1.7.0.9-2.3.7.1.el5_9
  java-1.7.0-openjdk-1.7.0.9-2.3.7.1.el6_3

RHEL: new openssl packages.
New packages are available:
  openssl-0.9.8e-26.el5_9.1
  openssl-1.0.0-27.el6_4.2

Siemens SIMATIC RF6XXR: solution for TLS.
The solution is indicated in information sources.

Slackware: new gnutls packages (02/09/2013).
New packages are available:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/gnutls-3.0.31-i486-1_slack14.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/gnutls-3.0.31-x86_64-1_slack14.0.txz

Slackware: new gnutls packages (15/10/2013).
New packages are available:
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/gnutls-2.8.4-i486-2_slack12.1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/gnutls-2.8.4-i486-2_slack12.2.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/gnutls-2.8.4-i486-2_slack13.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/gnutls-2.8.4-x86_64-2_slack13.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/gnutls-2.8.6-i486-2_slack13.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/gnutls-2.8.6-x86_64-2_slack13.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/gnutls-2.10.5-i486-2_slack13.37.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/gnutls-2.10.5-x86_64-2_slack13.37.txz

Slackware: new openssl packages (11/02/2013).
New packages are available:
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/openssl-0.9.8y-i486-1_slack12.1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/openssl-solibs-0.9.8y-i486-1_slack12.1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/openssl-0.9.8y-i486-1_slack12.2.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/openssl-solibs-0.9.8y-i486-1_slack12.2.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/openssl-0.9.8y-i486-1_slack13.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/openssl-solibs-0.9.8y-i486-1_slack13.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/openssl-0.9.8y-x86_64-1_slack13.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/openssl-solibs-0.9.8y-x86_64-1_slack13.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/openssl-0.9.8y-i486-1_slack13.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/openssl-solibs-0.9.8y-i486-1_slack13.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/openssl-0.9.8y-x86_64-1_slack13.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/openssl-solibs-0.9.8y-x86_64-1_slack13.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/openssl-0.9.8y-i486-1_slack13.37.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/openssl-solibs-0.9.8y-i486-1_slack13.37.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/openssl-0.9.8y-x86_64-1_slack13.37.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/openssl-solibs-0.9.8y-x86_64-1_slack13.37.txz
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/openssl-1.0.1d-i486-1_slack14.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/openssl-solibs-1.0.1d-i486-1_slack14.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/openssl-1.0.1d-x86_64-1_slack14.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/openssl-solibs-1.0.1d-x86_64-1_slack14.0.txz

Slackware: new openssl packages (12/02/2013).
New packages are available:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/openssl-1.0.1e-i486-1_slack14.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/openssl-solibs-1.0.1e-i486-1_slack14.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/openssl-1.0.1e-x86_64-1_slack14.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/openssl-solibs-1.0.1e-x86_64-1_slack14.0.txz

Solaris 11.1: version 11.1.11.4.0.
The version 11.1.11.4.0 is fixed:
  https://support.oracle.com/rs?type=doc&id=1584262.1

Solaris 9, 10: patch for OpenSSL.
A patch is available:
  Solaris 9 :
    SPARC: 117123-11
  Solaris 10 :
    SPARC: 148071-12, 150383-02
    X86: 148072-12

Solaris: patch for NSS.
A patch is available:
  Solaris 8
    SPARC: 119209-30 125358-19
    X86: 125359-19
  Solaris 9
    SPARC: 119211-30 125358-19
    X86: 119212-30 125359-19
  Solaris 10
    SPARC: 119213-30 125358-19
    X86: 119214-30 125359-19

Solaris: version 11.1.20.5.0.
The version 11.1.20.5.0 is fixed:
  https://support.oracle.com/rs?type=doc&id=1683966.1

Steel Belted Radius Carrier Edition: versions 8.4R14 and 8.5R5.
Versions 8.4R14 and 8.5R5 are fixed.

SUSE LE 10 SP3: new gnutls packages.
New packages are available:
  SUSE LE 10: gnutls 1.2.10-13.38.1

SUSE LE 11: new java-1_6_0-openjdk packages.
New packages are available:
  java-1_6_0-openjdk-1.6.0.0_b27.1.12.3-0.2.1

SUSE LE 11 SP1: new gnutls packages.
New packages are available:
  SUSE LE 11: gnutls 2.4.1-24.39.49.1

VMware ESX 4.0: patch ESX400-201310001.
A patch is available:
  ESX400-201310001.zip
  http://kb.vmware.com/kb/2059490

VMware ESX 4.1: patch ESX410-201307001.
A patch is available:
  http://kb.vmware.com/kb/2053393

VMware ESX 4.1: patch ESX410-201312001.
A patch is available:
  ESX410-201312001.zip
  http://kb.vmware.com/kb/2061209

VMware ESXi 4.1: patch ESXi410-201307001.
A patch is available:
  http://kb.vmware.com/kb/2053396

VMware ESXi: version 5.1 Update 2.
The version 5.1 Update 2 is fixed:
  http://kb.vmware.com/kb/2062314

VMware vCenter Server: version 5.0 Update 3.
The version 5.0 Update 3 is fixed:
  https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/5_0

Computer vulnerabilities tracking service

Vigil@nce provides workarounds for computer vulnerabilities. The Vigil@nce computer vulnerability tracking service alerts your teams to vulnerabilities or threats impacting your information system.