IPFire 2.17 - Core Update 97 released

The IPFire Project ipfire-announce at lists.ipfire.org
Fri Jan 29 18:50:12 CET 2016


http://www.ipfire.org/news/ipfire-2-17-core-update-97-released

This is the official release announcement for IPFire 2.17 – Core Update
97. An other OpenSSL security fix has been released, which is shipped
in this Core Update among some other security vulnerabilities. As this
is a rather urgent update, we recommend to install it as soon as
possible. We also recommend rebooting after the update has been
installed.


OpenSSL security fixes – 1.0.2f

It is possible to exploit the Diffie-Hellman key exchange (CVE-2016-
0701, [1])and get hold of the server’s private exponent. With that any
future connections can be decrypted. Please check out the original
security advisory for more details.

A second fix (CVE-2015-3197) in the OpenSSL library fixes the
deactivation of some SSLv2 ciphers.

An other change will strengthen SSL connections against being taken
over by a man-in-the-middle attack that tries to downgrade the length
of the Diffie-Hellman key that is being used.


OpenSSH 7.1p2

An information leak (CVE-2016-0777) flaw was found in the way the
OpenSSH client roaming feature was implemented. A malicious server
could potentially use this flaw to leak portions of memory (possibly
including private SSH keys) of a successfully authenticated OpenSSH
client.

The SSH daemon will be restarted during the update in case it is
enabled.



  Please help us to sustain the work on IPFire Project
    with your donation [2].



[1] http://openssl.org/news/secadv/20160128.txt
[2] http://www.ipfire.org/donate
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part
URL: <http://lists.ipfire.org/pipermail/ipfire-announce/attachments/20160129/16aae77f/attachment.sig>


More information about the IPFire-Announce mailing list