1
Candidate: CVE-2016-0800
2
CRD: 2016-03-01 13:00:00 UTC
5
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800
6
https://www.openssl.org/news/secadv/20160301.txt
7
https://www.drownattack.com/
9
The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before
10
1.0.2g and other products, requires a server to send a ServerVerify message
11
before establishing that a client possesses certain plaintext RSA data,
12
which makes it easier for remote attackers to decrypt TLS ciphertext data
13
by leveraging a Bleichenbacher RSA padding oracle, aka a "DROWN" attack.
16
mdeslaur> openssl in Ubuntu is compiled with no-ssl2
19
Discovered-by: Nimrod Aviram and Sebastian Schinzel
23
upstream_openssl: needs-triage
24
precise_openssl: not-affected
25
trusty_openssl: not-affected
26
vivid_openssl: not-affected
27
vivid/ubuntu-core_openssl: not-affected
28
vivid/stable-phone-overlay_openssl: not-affected
29
wily_openssl: not-affected
30
devel_openssl: not-affected
33
upstream_openssl098: needs-triage
34
precise_openssl098: not-affected
35
trusty_openssl098: not-affected
36
vivid_openssl098: not-affected
37
vivid/ubuntu-core_openssl098: DNE
38
vivid/stable-phone-overlay_openssl098: DNE