snetvur.blogg.se

Openssl latest version for rhel 7

Please note that Red Hat WILL NOT release a patch for discontinued server versions such as RHEL 4. The Red Hat security team is still working on the CVE-2016-2106 fix for the RHEL 7/6 openssl098e version.

CentOS announced the availability of patched OpenSSL packages in its repositories.


Red Hat Enterprise Linux 5 openssl097a -> Will not fix
Red Hat Enterprise Linux 5 openssl-0.9.8e-40.el5_11 -> Released
Red Hat Enterprise Linux 6 openssl098e -> Will not fix
Red Hat Enterprise Linux 6 openssl-1.0.1e-48.el6_8.1 -> Released
Red Hat Enterprise Linux 7 openssl098e -> Will not fix
Red Hat Enterprise Linux 7 openssl-1.0.1e-51.el7_2.5 -> Released

On Debian and Ubuntu systems, you can make sure the patched OpenSSL library is installed by using the command below:

    # sudo apt-get install libssl1.0.0
    (or)
    # apt-get install --only-upgrade libssl1.0.0

You just need to install the latest patches for your operating system, and restart your server afterwards for the new patches to take effect. If you are running a vulnerable OS, we strongly recommend that you install the latest patches for your operating system to fix the vulnerability on your server.

These vulnerabilities affect most Linux operating systems, such as Ubuntu, CentOS and Debian, since OpenSSL is included as a default package on these operating systems.

On 3rd May 2016, OpenSSL released patches for two high severity bugs (CVE-2016-2108 & CVE-2016-2107), and 4 low severity ones.

CVE-2016-2107 is an OpenSSL bug which allows a man-in-the-middle (MITM) attacker to use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server supports AES-NI.

CVE-2016-2108 is a bug in OpenSSL's ASN.1 encoder which allows attackers to trigger an out-of-bounds write, causing memory corruption that is potentially exploitable with some malloc implementations.
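The fixed RHEL builds listed above keep the upstream version string (1.0.1e, 0.9.8e) and differ only in the release field, so a check has to compare the full VERSION-RELEASE of the installed package. The script below is an added example, not part of the original post: its function names and sample builds are constructed, it covers only the main openssl package, and it assumes GNU "sort -V" orders these strings the way RPM does.

```sh
#!/bin/sh
# Added example: compare an RHEL/CentOS openssl build with the fixed builds listed on this page.
# Function names and sample builds are constructed for illustration.

# Fixed VERSION-RELEASE per major release, copied from the list on this page.
fixed_version() {
  case "$1" in
    *.el5*) echo "0.9.8e-40.el5_11" ;;
    *.el6*) echo "1.0.1e-48.el6_8.1" ;;
    *.el7*) echo "1.0.1e-51.el7_2.5" ;;
    *) return 1 ;;
  esac
}

# True when $1 >= $2. Assumption: GNU "sort -V" approximates RPM's ordering for these strings.
ver_ge() {
  [ "$1" = "$2" ] && return 0
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Prints patched / vulnerable / unknown for one VERSION-RELEASE string.
check_build() {
  fixed=$(fixed_version "$1") || { echo "unknown"; return 2; }
  if ver_ge "$1" "$fixed"; then echo "patched"; else echo "vulnerable"; return 1; fi
}

# Constructed sample builds, so the script produces output on any machine.
for build in 1.0.1e-51.el7_2.4 1.0.1e-51.el7_2.5 1.0.1e-42.el6_7.4 0.9.8e-40.el5_11; do
  printf '%s: %s\n' "$build" "$(check_build "$build")"
done

# On a real RPM host, read the package database rather than "openssl version",
# which reports only the upstream version and not the release field.
if command -v rpm >/dev/null 2>&1; then
  host=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl 2>/dev/null | head -n 1)
  printf 'this host: %s: %s\n' "$host" "$(check_build "$host")"
fi
```

Services that were already running keep the old library mapped until they are restarted, which is why the restart mentioned above still applies after a "patched" result.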