Fedora’s not DROWNing

Posted by on March 1, 2016

Recent Posts

20th edition of Jesień Linuksowa

Reimagining the Fedora Linux installer: Anaconda's new Web UI

Unlocking the Future of User Management

In the continuing line of security vulnerabilities with cute names like Heartbleed or Shellshock, today we have “DROWN.”

About DROWN

DROWN comes complete with its own fancy website and, of course, logo. Officially, it’s been designated as CVE-2016-0800.

Red Hat’s security team has rated this as “Important,” on a scale of Low, Moderate, Important, and Critical. If you’re curious — and especially if you run Red Hat Enterprise Linux or CentOS — read Red Hat’s vulnerability article.

Why Fedora isn’t affected

If you run Fedora, we have good news. The attack requires SSLv2, and we disabled that for Fedora 21 back in July, 2014. Hopefully keeping us at least half a step ahead, we’ve also already disabled SSLv3 as of Fedora 23. We’re also not using SSLv2 anywhere in Fedora Infrastructure.

So, if you’re on a current, supported release of Fedora, or even Fedora 21 which was retired last December, you don’t need to worry about DROWNing. There are a few other security fixes for OpenSSL released today as well. While these are all classified with low severity, you can expect to see an update from Fedora shortly.

If you have an older Fedora release, now is a great (and important) time to upgrade.

Fedora Project community Using Software

Matthew Miller

Matthew is the Fedora Project Leader. You can find him on the Fedora mailing lists or Fedora Chat as "mattdm", or @mattdm@hachyderm.io on Mastodon. Matthew's content on this site is made available under the Creative Commons Attribution-ShareAlike 4.0 International license (or an earlier CC-BY-SA license if you need that for compatibility) — share all you like, give credit, and let others share as well.

6 Comments

  1. Mclong

    Thanks for the information and good news.

    March 1, 2016

  2. Jorge

    thanks buddy

    March 2, 2016

  3. Andy Mender

    Thank you for sharing, Mr Miller.Truly good news! However, I am starting to get worried that openSSL is getting so much attention from ‘the dark side’…

    March 2, 2016

  4. bsdtard

    “And then there’s the special case of OpenSSL, which helpfully provides a configuration option that’s intended to disable SSLv2 ciphersuites — but which, unfortunately, does no such thing. In the course of their work, the DROWN researchers discovered that even when this option is set, clients may still request arbitrary SSLv2 ciphersuites. (This issue was quietly patched in January. Upgrade.)” – Matthew Green

    Double check please

    March 2, 2016

  5. u976415

    What about the security issues with GNOME Web/Epiphany?

    March 9, 2016

  6. Emeka Bethel

    Nice to see Fedora is safe from such attacks. Will really love to see a Fedora Spin for Pen Testing. I know Fedora can be more powerful than Kali Linux if all the tools in Kali are updated in Fedora.

    April 4, 2016

Comments are Closed

Fedora Linux 41 is available now. Read the release announcement for all the details.

Subscribe to Fedora Magazine via Email

Join 10K other subscribers

Contribute to the Magazine

Fedora Magazine is looking for contributors!

The opinions expressed on this website are those of each author, not of the author's employer or of Red Hat. Fedora Magazine aspires to publish all content under a Creative Commons license but may not be able to do so in all cases. You are responsible for ensuring that you have the necessary permission to reuse any work on this site. The Fedora logo is a trademark of Red Hat, Inc. Terms and Conditions