[security-announce] SSL/TLS: CVE-2016-0800: Security Update

Sona Sarmadi sona.sarmadi at enea.com
Wed Mar 9 07:19:21 CET 2016


Enea Linux Security Advisory

=========================================================
Product/package: OpenSSL 1.0.1p / Enea Linux 4.0
Severity: High
CVE Name: CVE-2016-0800
Layer: meta
=========================================================

This security update is mitigation for CVE-2016-0800, cross-protocol
attack on TLS using SSLv2 (DROWN).

Description:
The SSLv2 protocol, as used in OpenSSL before 1.0.1s and other products,
requires a server to send a ServerVerify message before establishing
that a client possesses certain plaintext RSA data, which makes it
easier for remote attackers to decrypt TLS ciphertext data by leveraging
a Bleichenbacher RSA padding oracle, aka a "DROWN" attack.

References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0800
https://openssl.org/news/secadv/20160301.txt

Upstream patch:
https://git.openssl.org/?p=openssl.git;a=patch;h=56f1acf5ef8a432992497a04792ff4b3b2c6f286

Correction for Enea Linux 4.0:
http://git.enea.com/cgit/linux/poky.git/patch/?id=c916152b1fa7806a32f1e9b35d89fae9d29894d0

How to get the latest patches
=============================
- If you have already cloned needed repositories, update it to get new
security patches.

cd Enea-Linux-4.0/poky
git pull

- If you have not yet cloned needed repositories, do it as described
below. (All patches are fetched implicitly when cloning the repos).

mkdir Enea-Linux-4.0
git -C Enea-Linux-4.0 clone -b daisy git://git.enea.com/linux/poky.git
POKY=Enea-Linux-4.0/poky
git -C $POKY clone -b daisy git://git.enea.com/linux/meta-enea.git
git -C $POKY clone -b daisy git://git.enea.com/linux/meta-
openembedded.git
git -C $POKY clone -b daisy git://git.enea.com/linux/meta-virtualization.git
git -C $POKY clone -b daisy git://git.enea.com/linux/meta-ti.git
git -C $POKY clone -b daisy git://git.enea.com/linux/meta-selftest.git
git -C $POKY clone -b daisy git://git.enea.com/linux/meta-eca.git
git -C $POKY clone -b daisy git://git.enea.com/linux/meta-intel.git
git -C $POKY clone -b daisy git://git.enea.com/linux/meta-fsl-ppc.git
git -C $POKY clone -b daisy git://git.enea.com/linux/meta-xilinx.git

If you have any questions regarding the security patches and security
updates please contact security at enea.com.


Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://mail.lists.enea.com/pipermail/security-announce/attachments/20160309/2c46b955/attachment-0002.sig>


More information about the security-announce mailing list