DROWN - Cross-protocol attack on TLS using SSLv2 - CVE-2016-080
Hi,
Is there anything specific to be done for cPanel servers for the DROWN attack vulnerability fix other than openssl package update ?
DROWN - Cross-protocol attack on TLS using SSLv2 - CVE-2016-0800 - Red Hat Customer Portal
An OpenSSL User"s Guide to DROWN - OpenSSL Blog
-
Normal yum update for openssl should be the most important, but you should also ensure you have disabled sslv2 for any services you can configure (apache, ftp, email, etc.) 0 -
Checking yum info openssl, I see that I still have 1.0.1e from the Heartbleed update, yet I saw a push from WHM to update openssl. There, can cPanel confirm that a hot fix was applied to 1.0.1e as the openSSL advisory note states to update to 1.0.1s 0 -
Checking yum info openssl, I see that I still have 1.0.1e from the Heartbleed update, yet I saw a push from WHM to update openssl. There, can cPanel confirm that a hot fix was applied to 1.0.1e as the openSSL advisory note states to update to 1.0.1s
Hello :) The "openssl" package is not provided or patched by cPanel, but cPanel will automatically update your system packages through YUM if you have configured it to do so via "WHM >> Update Preferences". You can use the following command to see which patches have been backported to the version of openssl installed on your system:rpm -q --changelog openssl
Thank you.0 -
The following is from a cPanel server which was updated (11.54.0.18 - RELEASE): root@server1 [~]# rpm -q --changelog openssl|grep CVE - fix CVE-2016-0702 - side channel attack on modular exponentiation - fix CVE-2016-0705 - double-free in DSA private key parsing - fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn - fix CVE-2015-3197 - SSLv2 ciphersuite enforcement - fix CVE-2015-7575 - disallow use of MD5 in TLS1.2 - fix CVE-2015-3194 - certificate verify crash with missing PSS parameter - fix CVE-2015-3195 - X509_ATTRIBUTE memory leak - fix CVE-2015-3196 - race condition when handling PSK identity hint - fix the CVE-2015-1791 fix (broken server side renegotiation) - improved fix for CVE-2015-1791 - add missing parts of CVE-2015-0209 fix for corectness although unexploitable - fix CVE-2014-8176 - invalid free in DTLS buffering code - fix CVE-2015-1789 - out-of-bounds read in X509_cmp_time - fix CVE-2015-1790 - PKCS7 crash with missing EncryptedContent - fix CVE-2015-1791 - race condition handling NewSessionTicket - fix CVE-2015-1792 - CMS verify infinite loop with unknown hash function - fix CVE-2015-3216 - regression in RAND locking that can cause segfaults on - fix CVE-2015-4000 - prevent the logjam attack on client - restrict - update fix for CVE-2015-0287 to what was released upstream - fix CVE-2015-0209 - potential use after free in d2i_ECPrivateKey() - fix CVE-2015-0286 - improper handling of ASN.1 boolean comparison - fix CVE-2015-0287 - ASN.1 structure reuse decoding memory corruption - fix CVE-2015-0288 - X509_to_X509_REQ NULL pointer dereference - fix CVE-2015-0289 - NULL dereference decoding invalid PKCS#7 data - fix CVE-2015-0292 - integer underflow in base64 decoder - fix CVE-2015-0293 - triggerable assert in SSLv2 server - fix CVE-2014-3570 - incorrect computation in BN_sqr() - fix CVE-2014-3571 - possible crash in dtls1_get_record() - fix CVE-2014-3572 - possible downgrade of ECDH ciphersuite to non-PFS state - fix CVE-2014-8275 - various certificate fingerprint issues - fix CVE-2015-0204 - remove support for RSA ephemeral keys for non-export - fix CVE-2015-0205 - do not allow unauthenticated client DH certificate - fix CVE-2015-0206 - possible memory leak when buffering DTLS records - fix CVE-2014-3567 - memory leak when handling session tickets - fix CVE-2014-3513 - memory leak in srtp support - add support for fallback SCSV to partially mitigate CVE-2014-3566 - fix CVE-2014-0224 fix that broke EAP-FAST session resumption support - fix CVE-2014-3505 - doublefree in DTLS packet processing - fix CVE-2014-3506 - avoid memory exhaustion in DTLS - fix CVE-2014-3507 - avoid memory leak in DTLS - fix CVE-2014-3508 - fix OID handling to avoid information leak - fix CVE-2014-3509 - fix race condition when parsing server hello - fix CVE-2014-3510 - fix DoS in anonymous (EC)DH handling in DTLS - fix CVE-2014-3511 - disallow protocol downgrade via fragmentation - fix CVE-2010-5298 - possible use of memory after free - fix CVE-2014-0195 - buffer overflow via invalid DTLS fragment - fix CVE-2014-0198 - possible NULL pointer dereference - fix CVE-2014-0221 - DoS from invalid DTLS handshake packet - fix CVE-2014-0224 - SSL/TLS MITM vulnerability - fix CVE-2014-3470 - client-side DoS when using anonymous ECDH - fix CVE-2014-0160 - information disclosure in TLS heartbeat extension - fix CVE-2013-4353 - Invalid TLS handshake crash - fix CVE-2013-6450 - possible MiTM attack on DTLS1 - fix CVE-2013-6449 - crash when version in SSL structure is incorrect - new upstream version fixing CVE-2012-2110 - new upstream release fixing CVE-2012-0050 - DoS regression in - new upstream release fixing multiple CVEs - new upstream release fixing CVE-2011-3207 (#736088) - new upstream release fixing CVE-2011-0014 (OCSP stapling vulnerability) - new upstream version fixing CVE-2010-4180 - new upstream version fixing CVE-2010-3864 (#649304) - new upstream patch release, fixes CVE-2010-0742 (#598738) and CVE-2010-1633 (#598732) - fix CVE-2009-4355 - leak in applications incorrectly calling - fix CVE-2009-3555 - note that the fix is bypassed if SSL_OP_ALL is used - fix CVE-2009-1377 CVE-2009-1378 CVE-2009-1379 - fix CVE-2008-0891 - server name extension crash (#448492) - fix CVE-2008-1672 - server key exchange message omit crash (#448495) - fix CVE-2007-5135 - off-by-one in SSL_get_shared_ciphers (#309801) - fix CVE-2007-4995 - out of order DTLS fragments buffer overflow (#321191) - CVE-2007-3108 - fix side channel attack on private keys (#250577) - CVE-2006-2940 fix was incorrect (#208744) - fix CVE-2006-2937 - mishandled error on ASN.1 parsing (#207276) - fix CVE-2006-2940 - parasitic public keys DoS (#207274) - fix CVE-2006-3738 - buffer overflow in SSL_get_shared_ciphers (#206940) - fix CVE-2006-4343 - sslv2 client DoS (#206940) - fix CVE-2006-4339 - prevent attack on PKCS#1 v1.5 signatures (#205180)
Shouldn't it be showing "CVE-2016-0800" also if it is patched?0
Please sign in to leave a comment.
Comments
5 comments