Mailinglist Archive: opensuse-security-announce (97 mails)

[security-announce] Todays openssl release - "DROWN" CVE-2016-0800 and "Cachebleed"
Hi,

The openssl team is just releasing security updates fixing various issues in
openssl.

The most relevant issue is called "DROWN", http://drownattack.com/ ,
CVE-2016-0800

Basically, the SSLv2 protocol, especially when used with weak (EXPORT) ciphers,
is vulnerable to technically feasible man-in-the-middle attacks.

There is no choice but to switch SSLv2 and also EXPORT ciphers off by default
now.

For SLES (and also Leap 42.1) we are taking this step, but you can override
this for very old legacy software using environment variables.

Set the environment variables:
OPENSSL_ALLOW_SSL2 for allowing sslv2 again
OPENSSL_ALLOW_EXPORT for allowing EXPORT ciphers again
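Since these two variables silently re-enable exactly the protocol and cipher
class the update turns off, an administrator will want to know which processes
on a host are actually running with them set. The following POSIX shell check
is an added example, not part of this announcement or of the openssl update; it
assumes a Linux /proc layout (each process exposes its environment as a
NUL-separated /proc/PID/environ) and takes the directory as a parameter so it
can be run against a constructed tree as well as the real /proc.

```shell
#!/bin/sh
# Added example (not from the announcement): list processes whose environment
# re-enables SSLv2 or EXPORT ciphers via OPENSSL_ALLOW_SSL2 / OPENSSL_ALLOW_EXPORT.
# Assumption: Linux-style /proc; the root directory is a parameter (default /proc).

find_openssl_overrides() {
    procdir="${1:-/proc}"
    for env in "$procdir"/[0-9]*/environ; do
        # Skip unreadable entries (other users' processes without root) and
        # the literal glob left behind when nothing matches.
        [ -r "$env" ] || continue
        pid=$(basename "$(dirname "$env")")
        # environ is NUL-separated; turn it into one VAR=value per line,
        # keep only the two override variables, and join them on one line.
        vars=$(tr '\0' '\n' < "$env" 2>/dev/null \
               | grep -E '^OPENSSL_ALLOW_(SSL2|EXPORT)=' \
               | tr '\n' ' ')
        vars=${vars% }
        # Print "PID VAR=value [VAR=value]" for each process that overrides the default.
        [ -n "$vars" ] && printf '%s %s\n' "$pid" "$vars"
    done
    return 0
}

# Stand-alone use: scan the live system (run as root to see every process).
[ "${0##*/}" != "sh" ] && [ -z "$FIND_OPENSSL_OVERRIDES_NO_MAIN" ] && find_openssl_overrides "$@"
```

Run it as root to see every process; as an ordinary user only your own
processes' environ files are readable, so an empty result is not proof that
nothing on the host has the override set.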

Online updates for SUSE Linux Enterprise are currently being
released and a TID for SUSE Linux Enterprise will be published at
https://www.suse.com/support/kb/doc.php?id=7017297


openSUSE 13.2 and openSUSE Tumbleweed already ship builds made with the
"no-ssl2" configure option, so they do not feature SSLv2 at all anymore.

openSUSE Leap 42.1 will get an update imported from SLES 12 SP1 today.

There is a secondary issue called "CacheBleed", which, however, requires
attackers to operate on the same CPU in the same HyperThread, making this
attack less likely. ( http://ssrg.nicta.com.au/projects/TS/cachebleed// )

Other security issues with lesser impact are also fixed in this update
round, but not specifically mentioned in this email.

Ciao, Marcus