[arch-general] Heads up: If you are using SSLv2 turn it off immediately
If you are have a web server facing the public internet, turn off SSLv2 immediately. OpenSSL 1.0.2g has the fix but it will take a while to drip down to the repos as it brings with it an ABI change. The vulnerability is so bad[1], it doesn't only have a CVE number, CVE-2016-0800[4], but a name and its own website: HTTPS DROWN[1][2][3]. One third of all public web servers are open to attack[2][3] and OpenSSL may not be the only crypto library affected[1][4]. [1] http://www.theregister.co.uk/2016/03/01/drown_tls_protocol_flaw/ [2] http://www.theregister.co.uk/2016/03/01/drown_crypto_flaw_analysis/ [3] https://drownattack.com/#paper [4] https://access.redhat.com/security/cve/cve-2016-0800 -- Pedro A. López-Valencia http://about.me/palopezv/ Recession is when a neighbor loses his job. Depression is when you lose yours. -Ronald Reagan
On 01/03/16 23:23, P. A. López-Valencia wrote:
The vulnerability is so bad[1], it doesn't only have a CVE number, CVE-2016-0800[4], but a name and its own website: HTTPS DROWN[1][2][3].
Just as many other vulnerabilities these days, there is a marketing campaign behind them, probably to sell consultancy services. Anybody who's security-minded hasn't been using SSLv2 anyway.
On jue, 2016-03-03 at 08:37 +0100, Nicolas F. wrote:
On 01/03/16 23:23, P. A. López-Valencia wrote:
The vulnerability is so bad[1], it doesn't only have a CVE number, CVE-2016-0800[4], but a name and its own website: HTTPS DROWN[1][2][3].
Just as many other vulnerabilities these days, there is a marketing campaign behind them, probably to sell consultancy services.
Anybody who's security-minded hasn't been using SSLv2 anyway.
In a perfect world, yes. But your assumption is not realistic. Not everyone is following the latest news on infosec and it is not that easy to disable on the server side. A reminder is always in order. -- Pedro A. López-Valencia http://about.me/palopezv Recession is when your neighbor loses his job. Depression is when you lose yours. -Ronald Reagan
participants (2)
-
Nicolas F.
-
P. A. López-Valencia