Fedora’s not DROWNing

In the continuing line of security vulnerabilities with cute names like Heartbleed or Shellshock, today we have “DROWN.”

About DROWN

DROWN comes complete with its own fancy website and, of course, logo. Officially, it’s been designated as CVE-2016-0800.

Red Hat’s security team has rated this as “Important,” on a scale of Low, Moderate, Important, and Critical. If you’re curious — and especially if you run Red Hat Enterprise Linux or CentOS — read Red Hat’s vulnerability article.

Why Fedora isn’t affected

If you run Fedora, we have good news. The attack requires SSLv2, and we disabled that for Fedora 21 back in July 2014. Hopefully keeping us at least half a step ahead, we’ve also already disabled SSLv3 as of Fedora 23. We’re also not using SSLv2 anywhere in Fedora Infrastructure.

So, if you’re on a current, supported release of Fedora, or even Fedora 21 which was retired last December, you don’t need to worry about DROWNing. There are a few other security fixes for OpenSSL released today as well. While these are all classified with low severity, you can expect to see an update from Fedora shortly.

If you have an older Fedora release, now is a great (and important) time to upgrade.
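To confirm that a server you administer really refuses SSLv2, the precondition for DROWN described above, the following added example (not from the original article or the Fedora project) sends a minimal SSLv2 CLIENT-HELLO and classifies the first reply. The function names and the cipher list offered are choices made for this example.

```python
import os
import socket
import struct

# SSLv2 cipher kinds (3 bytes each) offered by the probe: RC4-128, RC2-128, 3DES, DES.
SSL2_CIPHERS = (0x010080, 0x030080, 0x0700C0, 0x060040)

def build_client_hello():
    """Build an SSLv2 CLIENT-HELLO wrapped in a 2-byte-header SSLv2 record."""
    specs = b"".join(c.to_bytes(3, "big") for c in SSL2_CIPHERS)
    challenge = os.urandom(16)
    # msg type 1, version 0x0002, cipher-spec length, session-id length 0, challenge length
    body = struct.pack(">BHHHH", 1, 0x0002, len(specs), 0, len(challenge))
    body += specs + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body

def classify_reply(data):
    """Return 'sslv2', 'sslv2-error', 'tls-alert' or 'no-sslv2' for a server's first bytes."""
    if len(data) >= 3 and data[0] & 0x80:            # 2-byte SSLv2 record header
        length = ((data[0] & 0x7F) << 8) | data[1]
        # SERVER-HELLO: type 4, then hit, cert type, and server version 0x0002
        if data[2] == 4 and length >= 11 and data[5:7] == b"\x00\x02":
            return "sslv2"
        # SSLv2 ERROR (type 0 + 2-byte code): the server still parsed SSLv2 framing
        if data[2] == 0 and length == 3:
            return "sslv2-error"
    if len(data) >= 3 and data[0] == 0x15 and data[1] == 0x03:
        return "tls-alert"                           # TLS/SSLv3 alert record
    return "no-sslv2"                                # closed, reset, or unrelated bytes

def probe(host, port=443, timeout=5.0):
    """Send the probe to a host you administer and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            data = sock.recv(4096)
        except OSError:                              # timeout or connection reset
            data = b""
    return classify_reply(data)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
```

A result of `sslv2` or `sslv2-error` means the service still speaks SSLv2 and needs the protocol disabled or OpenSSL updated; `tls-alert` or `no-sslv2` is the expected answer from a current Fedora system.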


6 Comments

  1. Mclong

    Thanks for the information and good news.

  2. Jorge

    thanks buddy

  3. Andy Mender

    Thank you for sharing, Mr Miller. Truly good news! However, I am starting to get worried that OpenSSL is getting so much attention from ‘the dark side’…

  4. “And then there’s the special case of OpenSSL, which helpfully provides a configuration option that’s intended to disable SSLv2 ciphersuites — but which, unfortunately, does no such thing. In the course of their work, the DROWN researchers discovered that even when this option is set, clients may still request arbitrary SSLv2 ciphersuites. (This issue was quietly patched in January. Upgrade.)” – Matthew Green

    Double check please

  5. u976415

    What about the security issues with GNOME Web/Epiphany?

  6. Nice to see Fedora is safe from such attacks. Will really love to see a Fedora Spin for Pen Testing. I know Fedora can be more powerful than Kali Linux if all the tools in Kali are updated in Fedora.


The opinions expressed on this website are those of each author, not of the author's employer or of Red Hat. Fedora Magazine aspires to publish all content under a Creative Commons license but may not be able to do so in all cases. You are responsible for ensuring that you have the necessary permission to reuse any work on this site. The Fedora logo is a trademark of Red Hat, Inc.