This is the official release announcement for IPFire 2.17 – Core Update 99. Another OpenSSL security fix has been released, so that we created this Core Update that fixes that among some other security vulnerabilities.
OpenSSL security fixes – 1.0.2g
Please check out the original security advisory for more details.
- Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)
- Double-free in DSA code (CVE-2016-0705)
- Memory leak in SRP database lookups (CVE-2016-0798)
- BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)
- Fix memory issues in BIO_*printf functions (CVE-2016-0799)
- Side channel attack on modular exponentiation (CVE-2016-0702)
- Divide-and-conquer session key recovery in SSLv2 (CVE-2016-0703)
- Bleichenbacher oracle in SSLv2 (CVE-2016-0704)
IPFire is most likely not vulnerable by the most famous of all these vulnerabilities known as DROWN. However we recommend updating as soon as possible and we also recommend to reboot the system afterwards.
The SSH daemon will be restarted during the update in case it is enabled.
We are currently crowdfunding a Captive Portal for IPFire and would like you to ask to check it out and support us!
Please help us to sustain the work on IPFire Project with your donation.