In the continuing line of security vulnerabilities with cute names like Heartbleed or Shellshock, today we have “DROWN.”


DROWN comes complete with its own fancy website and, of course, logo. Officially, it’s been designated as CVE-2016-0800.

Red Hat’s security team has rated this as “Important,” on a scale of Low, Moderate, Important, and Critical. If you’re curious — and especially if you run Red Hat Enterprise Linux or CentOS — read Red Hat’s vulnerability article.

Why Fedora isn’t affected

If you run Fedora, we have good news. The attack requires SSLv2, and we disabled that for Fedora 21 back in July 2014. Hopefully keeping us at least half a step ahead, we’ve also already disabled SSLv3 as of Fedora 23. We’re also not using SSLv2 anywhere in Fedora Infrastructure.

So, if you’re on a current, supported release of Fedora, or even Fedora 21, which was retired last December, you don’t need to worry about DROWNing. A few other security fixes for OpenSSL were released today as well. While these are all classified as low severity, you can expect to see an update from Fedora shortly.

If you have an older Fedora release, now is a great (and important) time to upgrade.