[Bug 1895294] Re: Fix Raccoon vulnerability (CVE-2020-1968)
Seth Arnold
1895294 at bugs.launchpad.net
Tue Sep 15 17:39:40 UTC 2020
Alternatively, you could use one of the recommended TLS configurations
from Mozilla, https://wiki.mozilla.org/Security/Server_Side_TLS which do
not enable the unsafe cryptography suites.
Thanks
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1895294
Title:
Fix Raccoon vulnerability (CVE-2020-1968)
Status in openssl package in Ubuntu:
Fix Released
Status in openssl source package in Xenial:
Confirmed
Bug description:
Xenial's current OpenSSL (1.0.2g-1ubuntu4.16) seems to not have been
patched yet against the Raccoon Attack (CVE-2020-1968):
- https://www.openssl.org/news/secadv/20200909.txt
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1968
- https://raccoon-attack.com/
Ubuntu's CVE tracker still lists this as NEEDED for Xenial:
- https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1968.html
- https://people.canonical.com/~ubuntu-security/cve/pkg/openssl.html
Other supported Ubuntu releases use versions of OpenSSL that are not
affected.
Indeed:
$ apt-cache policy openssl
openssl:
Installed: 1.0.2g-1ubuntu4.16
$ apt-get changelog openssl | grep CVE-2020-1968 || echo "Not patched"
Not patched
What is the status?
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1895294/+subscriptions
More information about the foundations-bugs
mailing list