1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
Candidate: CVE-2016-0800
CRD: 2016-03-01 13:00:00 UTC
PublicDate: 2016-03-01
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800
https://www.openssl.org/news/secadv/20160301.txt
https://www.drownattack.com/
Description:
The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before
1.0.2g and other products, requires a server to send a ServerVerify message
before establishing that a client possesses certain plaintext RSA data,
which makes it easier for remote attackers to decrypt TLS ciphertext data
by leveraging a Bleichenbacher RSA padding oracle, aka a "DROWN" attack.
Ubuntu-Description:
Notes:
mdeslaur> openssl in Ubuntu is compiled with no-ssl2
Bugs:
Priority: medium
Discovered-by: Nimrod Aviram and Sebastian Schinzel
Assigned-to:
Patches_openssl:
upstream_openssl: needs-triage
precise_openssl: not-affected
trusty_openssl: not-affected
vivid_openssl: not-affected
vivid/ubuntu-core_openssl: not-affected
vivid/stable-phone-overlay_openssl: not-affected
wily_openssl: not-affected
devel_openssl: not-affected
Patches_openssl098:
upstream_openssl098: needs-triage
precise_openssl098: not-affected
trusty_openssl098: not-affected
vivid_openssl098: not-affected
vivid/ubuntu-core_openssl098: DNE
vivid/stable-phone-overlay_openssl098: DNE
wily_openssl098: DNE
devel_openssl098: DNE
|