This is the official release announcement for IPFire 2.17 – Core Update 97. Another OpenSSL security fix has been released, which is shipped in this Core Update along with fixes for some other security vulnerabilities. As this is a rather urgent update, we recommend installing it as soon as possible. We also recommend rebooting after the update has been installed.
It is possible to exploit the Diffie-Hellman key exchange (CVE-2016-0701) and get hold of the server’s private exponent. With that, any future connections can be decrypted. Please check out the original security advisory for more details.
A second fix in the OpenSSL library (CVE-2015-3197) corrects the deactivation of some SSLv2 ciphers.
Another change will strengthen SSL connections against being taken over by a man-in-the-middle attack that tries to downgrade the length of the Diffie-Hellman key that is being used.
An information leak flaw (CVE-2016-0777) was found in the way the OpenSSH client roaming feature was implemented. A malicious server could potentially use this flaw to leak portions of memory (possibly including private SSH keys) of a successfully authenticated OpenSSH client.
The SSH daemon will be restarted during the update if it is enabled.
Please help us to sustain the work on the IPFire Project with your donation.
Published by Michael Tremer, January 29, 2016 at 5:45 pm