[Touch-packages] [Bug 1895294] Re: Fix Raccoon vulnerability (CVE-2020-1968)

2020-09-17 Thread Nils Toedtmann
Oh, indeed!

> 1.0.2w moves the affected ciphersuites into the "weak-ssl-ciphers" list. [...]
> This is unlikely to cause interoperability problems in most cases since use
> of these ciphersuites is rare.

Fair enough. Thank you for clarifying. (And apologies for this noise)

[Touch-packages] [Bug 1895294] Re: Fix Raccoon vulnerability (CVE-2020-1968)

2020-09-16 Thread Marc Deslauriers
It's not feasible to stop the affected ciphers from re-using secrets, it's in the specification. Removing the ciphers is what was done in later releases of openssl, including the 1.0.2w version that was released specifically to address this issue: https://www.openssl.org/news/secadv/20200909.txt

[Touch-packages] [Bug 1895294] Re: Fix Raccoon vulnerability (CVE-2020-1968)

2020-09-16 Thread Nils Toedtmann
Thank you very much for fixing swiftly! Please forgive me for pointing this out though: I note that rather than stopping the affected cipher suites from re-using secrets across connections, you chose to declare the suites as weak and disabled them altogether. I appreciate that this is an

[Touch-packages] [Bug 1895294] Re: Fix Raccoon vulnerability (CVE-2020-1968)

2020-09-16 Thread Marc Deslauriers
This has now been fixed: https://ubuntu.com/security/notices/USN-4504-1

** Changed in: openssl (Ubuntu Xenial)
   Status: Confirmed => Fix Released

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu.

[Touch-packages] [Bug 1895294] Re: Fix Raccoon vulnerability (CVE-2020-1968)

2020-09-15 Thread Seth Arnold
Alternatively, you could use one of the recommended TLS configurations from Mozilla, https://wiki.mozilla.org/Security/Server_Side_TLS which do not enable the unsafe cryptography suites. Thanks
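The two remedies discussed in this thread, dropping the DH cipher suites that re-use a secret (as OpenSSL 1.0.2w does by moving them to weak-ssl-ciphers) or deploying an explicit Mozilla-style cipher list, both come down to knowing which suites in a server's configured list use finite-field DH key exchange. The following audit script is an added example, not code from this bug thread, from Ubuntu or from the OpenSSL project. It assumes the input is the text produced by `openssl ciphers -v '<cipher string>'` (name, protocol, `Kx=`, `Au=`, `Enc=`, `Mac=` columns); the sample lines below are constructed in that format, not captured from a real host. It separates static DH suites (the server's DH key sits in its certificate, so by specification the same secret is used for every connection, which is the case the thread calls unfixable) from DHE suites, which OpenSSL 1.0.2f and later key afresh per connection, and from ECDH/RSA suites, which the Raccoon advisory does not cover.

```python
"""Audit an OpenSSL cipher list for Raccoon-relevant (finite-field DH) suites.

Added example; not code from the Launchpad thread, Ubuntu or OpenSSL.
Input format assumed: output of `openssl ciphers -v '<cipher string>'`.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the `openssl ciphers -v` column layout.
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AESGCM(256) Mac=AEAD
DH-DSS-AES128-SHA256    TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AES(128)  Mac=SHA256
ECDH-RSA-AES128-SHA256  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA256
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)


@dataclass(frozen=True)
class Suite:
    name: str
    proto: str
    kx: str   # key exchange column, e.g. "DH", "DH/RSA", "ECDH", "RSA"
    au: str   # authentication column, e.g. "RSA", "DH", "ECDH"


def parse_ciphers_v(text: str) -> List[Suite]:
    """Parse `openssl ciphers -v` output; unrecognised lines are skipped."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suites.append(Suite(m["name"], m["proto"], m["kx"], m["au"]))
    return suites


def classify(suite: Suite) -> str:
    """Return 'static-dh', 'dhe' or 'ok'.

    Raccoon concerns finite-field DH only (Kx=DH*), never ECDH or RSA kex.
    Static DH (Kx=DH/RSA or DH/DSS with Au=DH) reuses the certificate's DH
    key on every connection by specification; these are the suites that
    OpenSSL 1.0.2w moved into weak-ssl-ciphers. DHE suites (Kx=DH, RSA/DSS
    authentication) get a fresh key per connection in 1.0.2f and later, so
    they are reported for review rather than flagged as affected.
    """
    if not suite.kx.startswith("DH"):
        return "ok"
    if suite.au == "DH":
        return "static-dh"
    return "dhe"


def raccoon_findings(text: str) -> List[Tuple[str, str]]:
    """(suite name, verdict) for every suite in the configured list."""
    return [(s.name, classify(s)) for s in parse_ciphers_v(text)]


def hardened_cipher_string(text: str) -> str:
    """Rebuild the list as an explicit OpenSSL cipher string with the static
    DH suites removed, preserving the original preference order. Listing
    suites explicitly instead of relying on defaults is what the Mozilla
    server-side TLS configurations do."""
    keep = [s.name for s in parse_ciphers_v(text) if classify(s) != "static-dh"]
    return ":".join(keep)


if __name__ == "__main__":
    for name, verdict in raccoon_findings(SAMPLE_CIPHERS_V):
        print(f"{verdict:10} {name}")
    print("hardened:", hardened_cipher_string(SAMPLE_CIPHERS_V))
```

To audit a real server, feed it the output of `openssl ciphers -v` run with the exact cipher string from the server's configuration (the `-v` columns are what the classification relies on; a suite name alone is not enough, since `DH-` and `DHE-` prefixes are easy to confuse). Any `static-dh` result on an unpatched 1.0.2 build should be removed from the configuration rather than "fixed", which is the point Marc Deslauriers makes above.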

[Touch-packages] [Bug 1895294] Re: Fix Raccoon vulnerability (CVE-2020-1968)

2020-09-15 Thread Nils Toedtmann
> "Please upgrade to bionic or focal?"

Is this an official recommendation from Ubuntu, that users shall migrate off Xenial now, because of a security issue in a core library? And there I was, thinking we have until April 2021 ...

[Touch-packages] [Bug 1895294] Re: Fix Raccoon vulnerability (CVE-2020-1968)

2020-09-15 Thread Dimitri John Ledkov
It is true that said vulnerability is not patched in xenial; but also it is low; and no public patches for it exist. Please upgrade to bionic or focal? which are unaffected / fixes released?

** Information type changed from Public to Public Security

** Also affects: openssl (Ubuntu Xenial)

[Touch-packages] [Bug 1895294] Re: Fix Raccoon vulnerability (CVE-2020-1968)

2020-09-11 Thread Hans Joachim Desserud
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1968

https://bugs.launchpad.net/bugs/1895294
Title: Fix Raccoon vulnerability

[Touch-packages] [Bug 1895294] Re: Fix Raccoon vulnerability (CVE-2020-1968)

2020-09-11 Thread Nils Toedtmann
** Description changed:

  Xenial's current OpenSSL (1.0.2g-1ubuntu4.16) seems to not have been
- patched yet against the Racoon Attack (CVE-2020-1968):
+ patched yet against the Raccoon Attack (CVE-2020-1968):
- https://www.openssl.org/news/secadv/20200909.txt -