OpenSSL CVE-2015-1793 - Alternative chains certificate forgery #878
Comments
Does not affect Red Hat, CentOS or Ubuntu (released versions). Vulnerable versions of OpenSSL have appeared only since June 2015, so we can rule out any images generated earlier.
According to https://bugzilla.redhat.com/show_bug.cgi?id=1238619#c12, F21 and F22 are confirmed affected.
That Oracle link is definitely bad, and I can't find a good replacement source -- @Djelibeybi got a better source? 😄
Ubuntu fix is released, but Debian sid/stretch don't have the fix yet.
@juanluisbaptiste if I'm reading https://bugs.mageia.org/show_bug.cgi?id=16333 correctly, a fix for Mageia is released? How soon does that propagate to where it would be pulled in by a rebuild of the base image tarball?
@tianon After the updated package is pushed to our build system it should take a couple of hours at most for mirrors to sync. According to the bug report the fix hasn't been pushed yet, but QA is on it right now. I think it will be available later today and I'll update the images.
@juanluisbaptiste 👍 ❤️
@tianon no Oracle link because we're not affected, therefore we haven't published a CVE note for resolution.
@Djelibeybi ok, thanks for confirming! 👍 For future reference though (and to let us avoid poking you for future issues that may not even affect Oracle Linux), is there a bug tracker or security tracker we can look up that status in?
@tianon that's a work-in-progress. :) I'm trying to get a negative-CVE-confirmation system, i.e. to list all CVEs and to state we're unaffected, but I'm still chugging along with that. Actual security trackers are heavily controlled by Oracle Security and even I can't see them, given that the majority of security bugs are related to our non-Open Source code.
@Djelibeybi awwww ok, that's fair enough I suppose 👍
ping @lsm5; you're going to update F21 and F22 once the updates are properly available, right?
The fix for this is finally in sid, but IMO we might as well wait to regenerate
@tianon yup, will check with rel-eng and get back with updates
@tianon update for mageia pushed, working on new image right now.
This can be closed as of #1050.
🤘 thanks @andyshinn
Affected official images need updates:
Confirmed affected:
Not affected: