Thank you very much for fixing this swiftly!

Please forgive me for pointing this out though:

I note that rather than stopping the affected cipher suites from re-
using secrets across connections, you chose to declare the suites as
weak and disabled them altogether.

I appreciate that this is an elegant way to close this vulnerability, in
particular in the absence of an upstream patch.

However, this solution introduces the risk that when trying to establish
a connection with some legacy client or server, they can no longer agree
on a shared cipher, and the TLS handshake fails. That is not in the
spirit of an LTS, which is often elected and used precisely because it
makes it easier to support legacy products reliably.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1895294

Title:
  Fix Raccoon vulnerability (CVE-2020-1968)

Status in openssl package in Ubuntu:
  Fix Released
Status in openssl source package in Xenial:
  Fix Released

Bug description:
  Xenial's current OpenSSL (1.0.2g-1ubuntu4.16) seems to not have been
  patched yet against the Raccoon Attack (CVE-2020-1968):

  - https://www.openssl.org/news/secadv/20200909.txt
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1968
  - https://raccoon-attack.com/

  Ubuntu's CVE tracker still lists this as NEEDED for Xenial:

  - https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1968.html
  - https://people.canonical.com/~ubuntu-security/cve/pkg/openssl.html

  Other supported Ubuntu releases use versions of OpenSSL that are not
  affected.

  Indeed:

    $ apt-cache policy openssl
    openssl:
      Installed: 1.0.2g-1ubuntu4.16

    $ apt-get changelog openssl | grep CVE-2020-1968 || echo "Not patched"
    Not patched

  What is the status?
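
The compatibility concern in the comment at the top can be checked on a given host. The following is an added example, not part of the bug report or of the Ubuntu/OpenSSL packaging; it assumes the OpenSSL 1.0.2 `openssl ciphers -v` column format, in which static-DH suites (the ones the upstream advisory describes as reusing a DH secret) show `Kx=DH/RSA` or `Kx=DH/DSS`. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list static-DH cipher suites found in `openssl ciphers -v`
# output read from stdin. Assumption: 1.0.2 column layout, where static DH
# appears as Kx=DH/RSA or Kx=DH/DSS and ephemeral DH (DHE-*) as plain Kx=DH.
static_dh_suites() {
    awk '{
        for (i = 2; i <= NF; i++)
            if ($i == "Kx=DH/RSA" || $i == "Kx=DH/DSS") { print $1; break }
    }'
}

# Number of static-DH suites in the list on stdin.
static_dh_count() {
    static_dh_suites | wc -l | tr -d ' '
}

# Constructed sample in the 1.0.2 output format (not captured from a host).
sample_cipher_list() {
    cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DH-RSA-AES256-SHA       SSLv3 Kx=DH/RSA   Au=DH   Enc=AES(256)  Mac=SHA1
DH-DSS-AES128-SHA256    TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AES(128)  Mac=SHA256
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
EOF
}

# Stand-alone run on the constructed sample; on a real host use:
#   openssl ciphers -v 'ALL' | static_dh_suites
sample_cipher_list | static_dh_suites
```

Running it against the real cipher list before and after the update shows which suites a legacy peer can no longer be offered; the ephemeral `DHE-*` and `ECDHE-*` suites are not matched by this filter.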
