an other OpenSSL security fix has released, so that we created this Core Update that fixes that among some other security vulnerabilities. As this is a rather urgent update, we would like to ask as many people to test this. If all works out well, we would like to release this update tomorrow (on Friday).
OpenSSL security fixes – 1.0.2f
It is possible to exploit the Diffie-Hellman key exchange (CVE-2016-0701)and get hold of the server’s private exponent. With that any future connections can be decrypted. Please check out the original security advisory for more details.
A second fix (CVE-2015-3197) in the OpenSSL library fixes the deactivation of some SSLv2 ciphers.
An other change will strengthen SSL connections against being taken over by a man-in-the-middle attack that tries to downgrade the length of the Diffie-Hellman key that is being used.
An information leak (CVE-2016-0777) flaw was found in the way the OpenSSH client roaming feature was implemented. A malicious server could potentially use this flaw to leak portions of memory (possibly including private SSH keys) of a successfully authenticated OpenSSH client.
The SSH daemon will be restarted during the update in case it is enabled.
It is recommended to reboot the system after the update has been completed.
As mentioned above, please help us testing and don’t forget sending a bug report in case you find any new issues after this Core Update.
The ARM version is still being built and is not available as of writing this announcement. Please stay tuned for that being published soon.