Skip to Content.
Sympa Menu

perfsonar-user - Re: [perfsonar-user] RedHat CVE for SSL "DROWN" vulnerability

Subject: perfSONAR User Q&A and Other Discussion

List archive

Re: [perfsonar-user] RedHat CVE for SSL "DROWN" vulnerability


Chronological Thread 
  • From: Jason Zurawski <>
  • To: perfsonar-user <>,
  • Cc: "" <>
  • Subject: Re: [perfsonar-user] RedHat CVE for SSL "DROWN" vulnerability
  • Date: Wed, 09 Mar 2016 08:17:16 -0500

Greetings All;

As a followup to this, note an additional related CVE:

https://rhn.redhat.com/errata/RHSA-2016-0372.html

And the info on packages now available in the repos:

i386:
e87cdaa0c6d6528e4395026ed75dd8c06d1d9cd20cbfc2b88b0d6046482aaa82  openssl098e-0.9.8e-20.el6.centos.1.i686.rpm

x86_64:
e87cdaa0c6d6528e4395026ed75dd8c06d1d9cd20cbfc2b88b0d6046482aaa82  openssl098e-0.9.8e-20.el6.centos.1.i686.rpm
5c8881e272b9b1415d175bc1f4eecce80ea15b4090aac9725dfe67c19db53f70  openssl098e-0.9.8e-20.el6.centos.1.x86_64.rpm

Source:
7fea74c0623b0c425d9ff03e2412731c99a75e86eaa87d67a66b9903bb4aca2b  openssl098e-0.9.8e-20.el6.centos.1.src.rpm

Thanks;

-jason

Daniel Doyle wrote:
Hello all,

Red Hat has released a new CVE today for a vulnerability called "DROWN":


Our read of this CVE is that it only impacts the SSLv2 protocol, which has been turned off by default in the toolkit for some time now. If you are running a current instance of the perfSONAR toolkit and have not made changes to the apache configuration, you should be fine. 

If you have made changes to the apache configuration, you should review the CVE and make sure that you either disable SSLv2 or upgrade the openssl package, and either reboot the machine or restart any processes such as apache that use openssl to ensure all processes have the updates applied.

Thank you,
The perfSONAR Team




Archive powered by MHonArc 2.6.16.

Top of Page