This is the official release announcement of IPFire 2.17 – Core Update 88, which brings fixes for several security issues in OpenSSL only hours after they were made public.
The individual security issues fixed in this release are as follows:
- CVE-2015-0204 RSA silently downgrades to EXPORT_RSA
- CVE-2015-0286 Segmentation fault in ASN1_TYPE_cmp
- CVE-2015-0287 ASN.1 structure reuse memory corruption
- CVE-2015-0289 PKCS7 NULL pointer dereferences
- CVE-2015-0292 Base64 decode
- CVE-2015-0293 DoS via reachable assert in SSLv2 servers
- CVE-2015-0209 Use After Free following d2i_ECPrivatekey error
- CVE-2015-0288 X509_to_X509_REQ NULL pointer deref
More information about all these vulnerabilities can be found at http://openssl.org/news/secadv_20150319.txt.
We recommend installing this update as soon as possible and rebooting the system afterwards.
In addition to openssl, the openssh package has been updated to version 6.8p1 as well.
We appreciate any kind of support for our IPFire project. Please donate, help us test, write documentation or contribute yourself in other ways.