ELA-688-1 openssl security update
Package: openssl
Version: 1.0.1t-1+deb8u19 (jessie), 1.1.0l-1~deb9u7 (stretch)
Related CVEs: CVE-2022-2068, CVE-2022-2097
It was discovered that the c_rehash script included in OpenSSL did not sanitise shell metacharacters, which could result in the execution of arbitrary commands.
In addition, the stretch package addresses CVE-2022-2097, an information disclosure issue in the AES OCB assembly implementation for the x86 architecture.
For Debian 8 jessie, these problems have been fixed in version 1.0.1t-1+deb8u19.
For Debian 9 stretch, these problems have been fixed in version 1.1.0l-1~deb9u7.
We recommend that you upgrade your openssl packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
An openssl security update has been released for Debian GNU/Linux 8 and 9 Extended LTS to address an issue that can result in the execution of arbitrary commands.
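As a complement to upgrading, the following added example (not part of the advisory or of OpenSSL) audits the directories that c_rehash is run on for entry names outside a conservative allowlist. It assumes, per the upstream OpenSSL advisory for CVE-2022-2068, that the unsanitised input is the names of files in the directory being hashed; the allowlist, the function names and the default directory `/etc/ssl/certs` are choices made for this example.

```python
#!/usr/bin/env python3
"""Audit certificate directories for entry names c_rehash should never see."""
import os
import re
import sys

# Allowlist chosen for this example: letters, digits, dot, underscore, hyphen.
# Anything else (spaces, quotes, shell-special characters, undecodable bytes)
# is reported for manual review rather than being matched against a denylist.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")


def audit_cert_dir(path):
    """Return the sorted entry names in `path` that fall outside SAFE_NAME."""
    flagged = []
    with os.scandir(path) as entries:
        for entry in entries:
            if not SAFE_NAME.fullmatch(entry.name):
                flagged.append(entry.name)
    return sorted(flagged)


def audit(paths):
    """Map each path to its flagged names, or None if it cannot be listed."""
    report = {}
    for path in paths:
        try:
            report[path] = audit_cert_dir(path)
        except (FileNotFoundError, NotADirectoryError, PermissionError):
            report[path] = None
    return report


if __name__ == "__main__":
    # Default is the usual Debian certificate directory (assumption).
    dirs = sys.argv[1:] or ["/etc/ssl/certs"]
    found = False
    for path, names in audit(dirs).items():
        if names is None:
            print(f"{path}: not a readable directory, skipped")
            continue
        for name in names:
            found = True
            # ascii() keeps control and undecodable bytes visible and harmless.
            print(f"{path}: unexpected entry name {ascii(name)}")
    sys.exit(1 if found else 0)
```

The script exits with status 1 when any entry is flagged, so it can run from cron or a configuration-management check on hosts that have not yet been upgraded.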