IPFire 2.19 - Core Update 105 released

The IPFire Project ipfire-announce at lists.ipfire.org
Fri Sep 23 18:35:54 CEST 2016


This is the official release announcement for IPFire 2.19 – Core Update 105
which patches a number of security issues in two cryptographic libaries: openssl
and libgcrypt. We recommend installing this update as soon as possible and
reboot the IPFire system to complete the update.

OpenSSL Security Fixes

* OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
* SWEET32 Mitigation (CVE-2016-2183)
* OOB write in MDC2_Update() (CVE-2016-6303)
* Malformed SHA512 ticket DoS (CVE-2016-6302)
* OOB write in BN_bn2dec() (CVE-2016-2182)
* OOB read in TS_OBJ_print_bio() (CVE-2016-2180)
* Pointer arithmetic undefined behaviour (CVE-2016-2177)
* Constant time flag not preserved in DSA signing (CVE-2016-2178)
* DTLS buffered message DoS (CVE-2016-2179)
* DTLS replay protection DoS (CVE-2016-2181)
* Certificate message OOB reads (CVE-2016-6306)

IPFire is now shipping openssl in version 1.0.2i which patches all of the above
security vulnerabilities.

libgcrypt Security Flaws

Felix Dörre and Vladimir Klebanov from the Karlsruhe Institute of Technology
found a bug in the mixing functions of Libgcrypt’s random number generator: An
attacker who obtains 4640 bits from the RNG can trivially predict the next 160
bits of output. This bug exists since 1998 in all GnuPG and Libgcrypt versions
and is filed under CVE-2016-6316.

We are currently crowdfunding a Captive Portal for IPFire and would like you to
ask to check it out and support us [1]!

Please help us to support the work on IPFire Project with your donation [2].

[1] http://wishlist.ipfire.org/wish/the-ipfire-captive-portal
[2] http://www.ipfire.org/donate

More information about the IPFire-Announce mailing list