Another OpenSSL security fix has been released, so we have created this Core Update, which fixes that among some other security vulnerabilities. As this is a rather urgent update, we would like to ask as many people as possible to test it. If all works out well, we would like to release this update tomorrow (on Friday).

OpenSSL security fixes – 1.0.2g

Please check out the original security advisory for more details.

  • Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)
  • Double-free in DSA code (CVE-2016-0705)
  • Memory leak in SRP database lookups (CVE-2016-0798)
  • BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)
  • Fix memory issues in BIO_*printf functions (CVE-2016-0799)
  • Side channel attack on modular exponentiation (CVE-2016-0702)
  • Divide-and-conquer session key recovery in SSLv2 (CVE-2016-0703)
  • Bleichenbacher oracle in SSLv2 (CVE-2016-0704)

OpenSSH 7.2p1

This is primarily a bugfix release.

The SSH daemon will be restarted during the update if it is enabled.

It is recommended to reboot the system after the update has been completed.

As mentioned above, please help us with testing and don’t forget to send a bug report if you find any new issues after this Core Update.

The ARM version is still being built and is not available at the time of writing this announcement. Please stay tuned; it will be published soon.