Author Topic: openSSL DROWN vulnerability/ exploit (Read 1717 times)

acer · « **on:** March 01, 2016, 11:33:31 am »

Hi all, it's been a while since I last posted, so much so, I had to reactivate my forum account

Does this DROWN affect peppermint in any way or is it website servers only?
Will this be updated soon?
Seems to be critical along the same lines as Heartbleed a few years ago.

SSL TLS1.2 data can be intercepted whilst encrypted en-route to server/s from my understanding.

GNULINUX · « **Reply #1 on:** March 01, 2016, 12:27:28 pm »

Found this article: DROWN Attack

Quote

However, the good news is that academic researchers uncovered the DROWN security hole and a patch for the vulnerability has already been made available with an OpenSSL update today.

Tuesday, March 01, 2016

PCNetSpec · « **Reply #2 on:** March 01, 2016, 01:14:44 pm »

Nothing the client/webrowser can do (so not really a Peppermint problem unless you use it as a webserver) .. only server administrators who's servers allow SSL v2 connections can fix this.

there was an openssl securityupdate this morning .. but currently I can find nothing on whether CVE-2016-0800 was specifically addressed by it
http://www.ubuntu.com/usn/usn-2914-1/

If you're asking if your Peppermint PC is at risk .. no more (or less) than any other PC that connects to a webserver that has SSL v2 enabled.

Before anyone asks, the Peppermint webservers do not currently have SSL enabled

[EDIT]

According to the Debian tracker:
https://security-tracker.debian.org/tracker/CVE-2016-0800

SSLv2 was dropped in openssl 1.0.1.c
and disabled in ns 3.13

Peppermint 5/6 is running
openssl 1.0.1f
ns 3.21
so even if you're running Peppermint 5 or 6 as a webserver I don't think it's affected in the first place

acer · « **Reply #3 on:** March 02, 2016, 02:39:11 am »

Thanks PCNETSPEC, that's re-assuring to know, as well as the facts for the additional info.

PCNetSpec · « **Reply #4 on:** March 02, 2016, 04:40:42 am »

No problem acer

Further info - Ubuntu have released an advisory confirming 12.04 and 14.04 (so therefore Peppermint 3/5/6) are "not-affected" by CVE-2016-0800 (DROWN) as their versions of openssl are "compiled with no-ssl2"
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-0800.html

GNULINUX · « **Reply #5 on:** March 02, 2016, 07:10:12 am »

^^ PCNetSpec, thanks for that link!

So it seems that the openSSL updates of today included other patches!

Spoiler (click here to view / hide)

[close]

I hope that the servers/sites that are affected do update their openSSL as fast as possible or at least disable SSLv2...

PCNetSpec · « **Reply #6 on:** March 02, 2016, 07:31:28 am »

Yep, you can find info on Ubuntu security updates here:
http://www.ubuntu.com/usn/
and on the Ubuntu CVE (Common Vulnerabilities and Exposure) Tracker Report here:
http://people.canonical.com/~ubuntu-security/cve/main.html

GNULINUX · « **Reply #7 on:** March 02, 2016, 08:01:20 am »

Going to save your links for future reference, really good stuff!

PCNetSpec · « **Reply #8 on:** March 02, 2016, 08:13:48 am »

Or the ones for 2016 listed in reverse date order here:
http://people.canonical.com/~ubuntu-security/cve/2016/?C=M;O=D

acer · « **Reply #9 on:** March 02, 2016, 11:42:44 am »

Quote from: GNULINUX on March 02, 2016, 08:01:20 am

Going to save your links for future reference, really good stuff!

Ditto

Author Topic: openSSL DROWN vulnerability/ exploit (Read 1717 times)

acer

openSSL DROWN vulnerability/ exploit

GNULINUX

Re: openSSL DROWN vulnerability/ exploit

PCNetSpec

Re: openSSL DROWN vulnerability/ exploit

acer

Re: openSSL DROWN vulnerability/ exploit

PCNetSpec

Re: openSSL DROWN vulnerability/ exploit

GNULINUX

Re: openSSL DROWN vulnerability/ exploit

PCNetSpec

Re: openSSL DROWN vulnerability/ exploit

GNULINUX

Re: openSSL DROWN vulnerability/ exploit

PCNetSpec

Re: openSSL DROWN vulnerability/ exploit

acer

Re: openSSL DROWN vulnerability/ exploit