openssl: CVE-2016-0800, CVE-2016-0705, CVE-2016-0798, CVE-2016-0797, CVE-2016-0702, CVE-2016-0703, CVE-2016-0799, CVE-2016-0704 #1490

Closed
9 of 12 tasks
tianon opened this issue Feb 29, 2016 · 10 comments · Fixed by #1508

Comments

@tianon
Member

tianon commented Feb 29, 2016

CVE-2016-0800 ("DROWN"), CVE-2016-0799, CVE-2016-0798, CVE-2016-0797, CVE-2016-0705, CVE-2016-0704, CVE-2016-0703, CVE-2016-0702 ("Cache Bleed")

https://mta.openssl.org/pipermail/openssl-announce/2016-March/000066.html

  • https://www.openssl.org/news/vulnerabilities.html#2016-0800
    • https://drownattack.com
    • Fixed in OpenSSL 1.0.1s (Affected 1.0.1r, 1.0.1q, 1.0.1p, 1.0.1o, 1.0.1n, 1.0.1m, 1.0.1l, 1.0.1k, 1.0.1j, 1.0.1i, 1.0.1h, 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
    • Fixed in OpenSSL 1.0.2g (Affected 1.0.2f, 1.0.2e, 1.0.2d, 1.0.2c, 1.0.2b, 1.0.2a, 1.0.2)
  • https://www.openssl.org/news/vulnerabilities.html#2016-0799
  • https://www.openssl.org/news/vulnerabilities.html#2016-0798
    • Fixed in OpenSSL 1.0.1s (Affected 1.0.1r, 1.0.1q, 1.0.1p, 1.0.1o, 1.0.1n, 1.0.1m, 1.0.1l, 1.0.1k, 1.0.1j, 1.0.1i, 1.0.1h, 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
    • Fixed in OpenSSL 1.0.2g (Affected 1.0.2f, 1.0.2e, 1.0.2d, 1.0.2c, 1.0.2b, 1.0.2a, 1.0.2)
  • https://www.openssl.org/news/vulnerabilities.html#2016-0797
    • Fixed in OpenSSL 1.0.1s (Affected 1.0.1r, 1.0.1q, 1.0.1p, 1.0.1o, 1.0.1n, 1.0.1m, 1.0.1l, 1.0.1k, 1.0.1j, 1.0.1i, 1.0.1h, 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
    • Fixed in OpenSSL 1.0.2g (Affected 1.0.2f, 1.0.2e, 1.0.2d, 1.0.2c, 1.0.2b, 1.0.2a, 1.0.2)
  • https://www.openssl.org/news/vulnerabilities.html#2016-0705
    • Fixed in OpenSSL 1.0.1s (Affected 1.0.1r, 1.0.1q, 1.0.1p, 1.0.1o, 1.0.1n, 1.0.1m, 1.0.1l, 1.0.1k, 1.0.1j, 1.0.1i, 1.0.1h, 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
    • Fixed in OpenSSL 1.0.2g (Affected 1.0.2f, 1.0.2e, 1.0.2d, 1.0.2c, 1.0.2b, 1.0.2a, 1.0.2)
  • https://www.openssl.org/news/vulnerabilities.html#2016-0704
    • Fixed in OpenSSL 0.9.8zf (Affected 0.9.8ze, 0.9.8zd, 0.9.8zc, 0.9.8zb, 0.9.8za, 0.9.8y, 0.9.8x, 0.9.8w, 0.9.8v, 0.9.8u, 0.9.8t, 0.9.8s, 0.9.8r, 0.9.8q, 0.9.8p, 0.9.8o, 0.9.8n, 0.9.8m, 0.9.8l, 0.9.8k, 0.9.8j, 0.9.8i, 0.9.8h, 0.9.8g, 0.9.8f, 0.9.8e, 0.9.8d, 0.9.8c, 0.9.8b, 0.9.8a, 0.9.8)
    • Fixed in OpenSSL 1.0.0r (Affected 1.0.0q, 1.0.0p, 1.0.0o, 1.0.0n, 1.0.0m, 1.0.0l, 1.0.0k, 1.0.0j, 1.0.0i, 1.0.0g, 1.0.0f, 1.0.0e, 1.0.0d, 1.0.0c, 1.0.0b, 1.0.0a, 1.0.0)
    • Fixed in OpenSSL 1.0.1m (Affected 1.0.1l, 1.0.1k, 1.0.1j, 1.0.1i, 1.0.1h, 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
    • Fixed in OpenSSL 1.0.2a (Affected 1.0.2)
  • https://www.openssl.org/news/vulnerabilities.html#2016-0703
    • Fixed in OpenSSL 0.9.8zf (Affected 0.9.8ze, 0.9.8zd, 0.9.8zc, 0.9.8zb, 0.9.8za, 0.9.8y, 0.9.8x, 0.9.8w, 0.9.8v, 0.9.8u, 0.9.8t, 0.9.8s, 0.9.8r, 0.9.8q, 0.9.8p, 0.9.8o, 0.9.8n, 0.9.8m, 0.9.8l, 0.9.8k, 0.9.8j, 0.9.8i, 0.9.8h, 0.9.8g, 0.9.8f, 0.9.8e, 0.9.8d, 0.9.8c, 0.9.8b, 0.9.8a, 0.9.8)
    • Fixed in OpenSSL 1.0.0r (Affected 1.0.0q, 1.0.0p, 1.0.0o, 1.0.0n, 1.0.0m, 1.0.0l, 1.0.0k, 1.0.0j, 1.0.0i, 1.0.0g, 1.0.0f, 1.0.0e, 1.0.0d, 1.0.0c, 1.0.0b, 1.0.0a, 1.0.0)
    • Fixed in OpenSSL 1.0.1m (Affected 1.0.1l, 1.0.1k, 1.0.1j, 1.0.1i, 1.0.1h, 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
    • Fixed in OpenSSL 1.0.2a (Affected 1.0.2)
  • https://www.openssl.org/news/vulnerabilities.html#2016-0702
    • https://cachebleed.info
    • Fixed in OpenSSL 1.0.1s (Affected 1.0.1r, 1.0.1q, 1.0.1p, 1.0.1o, 1.0.1n, 1.0.1m, 1.0.1l, 1.0.1k, 1.0.1j, 1.0.1i, 1.0.1h, 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
    • Fixed in OpenSSL 1.0.2g (Affected 1.0.2f, 1.0.2e, 1.0.2d, 1.0.2c, 1.0.2b, 1.0.2a, 1.0.2)

@tianon tianon changed the title openssl: CVE-2016-0799 openssl: CVE-2016-0800, CVE-2016-0705, CVE-2016-0798, CVE-2016-0797, CVE-2016-0702, CVE-2016-0703, CVE-2016-0799, CVE-2016-0704 Mar 1, 2016
@tianon
Member Author

tianon commented Mar 1, 2016

@andyshinn looks like Alpine is ready 😄

@prologic Crux appears to be ready

@maxamillion openssl-1.0.2g-1.fc23 has been submitted as an update to Fedora 23.

@flavio https://bugzilla.novell.com/show_bug.cgi?id=CVE-2016-0800 am I reading correctly that updates are available here?

@Djelibeybi Oracle Linux has the fix available now, correct? (am I reading the status pages correctly there?)

@vaygr looks like SourceMage has the update available too 👍

@Djelibeybi
Contributor

Yes, we pushed the RPMs out just over an hour ago. Our Docker images have been built and are currently in QA for sanity and regression testing.

flavio added a commit to flavio/official-images that referenced this issue Mar 2, 2016
See issue docker-library#1490

Signed-off-by: Flavio Castelli <fcastelli@suse.com>
@tianon tianon reopened this Mar 3, 2016
@tianon
Member Author

tianon commented Mar 3, 2016

@jperrin am I reading correctly that CentOS should be fixed for all except CVE-2016-0799 now?

@tianon
Member Author

tianon commented Mar 3, 2016

@juanluisbaptiste looks like Mageia is fixed and ready for a rebuild now 😄

@tianon
Member Author

tianon commented Mar 3, 2016

@frapposelli any idea what's up with Photon WRT this vuln? 😄

@jperrin
Contributor

jperrin commented Mar 4, 2016

@tianon updates are in #1513

@juanluisbaptiste
Contributor

@tianon working on it...

@juanluisbaptiste
Contributor

@tianon done, please check my PR.

@maxamillion
Contributor

@tianon Fedora updated here: #1517

RichardScothern pushed a commit to RichardScothern/official-images that referenced this issue Jun 14, 2016
See issue docker-library#1490

Signed-off-by: Flavio Castelli <fcastelli@suse.com>
@tianon
Member Author

tianon commented Aug 29, 2016

I think this is likely as good as it's going to get at this point. 👍

@tianon tianon closed this as completed Aug 29, 2016