In the continuing line of security vulnerabilities with cute names like Heartbleed or Shellshock, today we have “DROWN.”
DROWN comes complete with its own fancy website and, of course, logo. Officially, it’s been designated as CVE-2016-0800.
Red Hat’s security team has rated this as “Important,” on a scale of Low, Moderate, Important, and Critical. If you’re curious — and especially if you run Red Hat Enterprise Linux or CentOS — read Red Hat’s vulnerability article.
Why Fedora isn’t affected
If you run Fedora, we have good news. The attack requires SSLv2, and we disabled that for Fedora 21 back in July, 2014. Hopefully keeping us at least half a step ahead, we’ve also already disabled SSLv3 as of Fedora 23. We’re also not using SSLv2 anywhere in Fedora Infrastructure.
So, if you’re on a current, supported release of Fedora, or even Fedora 21 which was retired last December, you don’t need to worry about DROWNing. There are a few other security fixes for OpenSSL released today as well. While these are all classified with low severity, you can expect to see an update from Fedora shortly.
If you have an older Fedora release, now is a great (and important) time to upgrade.
Thanks for the information and good news.
Thank you for sharing, Mr Miller.Truly good news! However, I am starting to get worried that openSSL is getting so much attention from ‘the dark side’…
“And then there’s the special case of OpenSSL, which helpfully provides a configuration option that’s intended to disable SSLv2 ciphersuites — but which, unfortunately, does no such thing. In the course of their work, the DROWN researchers discovered that even when this option is set, clients may still request arbitrary SSLv2 ciphersuites. (This issue was quietly patched in January. Upgrade.)” – Matthew Green
Double check please
What about the security issues with GNOME Web/Epiphany?
Nice to see Fedora is safe from such attacks. Will really love to see a Fedora Spin for Pen Testing. I know Fedora can be more powerful than Kali Linux if all the tools in Kali are updated in Fedora.