Bug 5854 - Upgrade OpenSSL to the latest version
Status: CLOSED FIXED
Product: ThinLinc
Component: Build system
Version: pre-1.0
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.7.0
Reported: 2016-04-22 17:04
Modified: 2016-09-23 10:08
Description From cendio 2016-04-22 17:04:39
We're on 1.0.2e and 1.0.2g is out. There have been a couple of CVEs:

CVE-2016-0800
CVE-2016-0798
CVE-2016-0701
CVE-2015-3197

Servers, so doesn't affect us.

CVE-2016-0705

DSA keys, which we no longer use.

CVE-2016-0797
CVE-2016-0799

Exotic use of OpenSSL. May be affected.

CVE-2016-0702

Could affect our ssh client, but not likely to be exploitable.
------- Comment #1 From cendio 2016-06-17 15:53:04 -------
1.0.2h is also out, with a few more CVEs:

CVE-2016-2108:

Not sure if it covers us. Doesn't sound like it. It was however already fixed
back in 1.0.2c.

CVE-2016-2107:

Sounds like it affects both OpenSSH and rdesktop. It is however a MITM, which
rdesktop doesn't have protection for. Could be severe problems for OpenSSH
though.

CVE-2016-2105:
CVE-2016-2106:
CVE-2016-2109:

Not clear when this can hit. May be affected. Low severity.

CVE-2016-2176:

Only EBCDIC systems.
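An added example, not from the bug report or from ThinLinc's build system, of the kind of check behind this triage: parse the output of `openssl version`, order OpenSSL's letter-suffixed releases correctly (1.0.2 < 1.0.2a < ... < 1.0.2h), and list which of the CVEs named in this bug a given build still lacks. The fixed-in table is an assumption taken from how the report groups the CVEs (the description's list against 1.0.2g, comment #1's list against 1.0.2h, and CVE-2016-2108 against 1.0.2c as the comment states), not from the OpenSSL advisories; the sample version banner is constructed.

```python
import re

# Assumed fixed-in table, derived only from how this bug report groups the
# CVEs. For real triage take the fixed-in versions from the OpenSSL advisories.
FIXED_IN = {
    "1.0.2c": ["CVE-2016-2108"],
    "1.0.2g": ["CVE-2016-0800", "CVE-2016-0798", "CVE-2016-0701", "CVE-2015-3197",
               "CVE-2016-0705", "CVE-2016-0797", "CVE-2016-0799", "CVE-2016-0702"],
    "1.0.2h": ["CVE-2016-2107", "CVE-2016-2105", "CVE-2016-2106", "CVE-2016-2109",
               "CVE-2016-2176"],
}

# Matches both the 1.0.x letter-suffixed scheme and later plain x.y.z versions.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Turn `openssl version` output such as 'OpenSSL 1.0.2e 3 Dec 2015'
    into a sortable (major, minor, patch, suffix) tuple."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {banner!r}")
    major, minor, patch, letters = m.groups()
    # A bare release sorts before any lettered one: '' -> 0, 'a' -> 1, 'b' -> 2.
    # Multi-letter suffixes are read as base-26 digits so that 'za' > 'z'.
    suffix = 0
    for ch in letters:
        suffix = suffix * 26 + (ord(ch) - ord("a") + 1)
    return (int(major), int(minor), int(patch), suffix)


def version_key(version):
    """Sort key for a bare version string like '1.0.2g'."""
    return parse_openssl_version("OpenSSL " + version)


def unfixed_cves(banner, fixed_in=FIXED_IN):
    """Return, in release order, the CVEs from the table that the version
    in `banner` predates and therefore still lacks fixes for."""
    current = parse_openssl_version(banner)
    missing = []
    for fixed_version in sorted(fixed_in, key=version_key):
        if current < version_key(fixed_version):
            missing.extend(fixed_in[fixed_version])
    return missing


if __name__ == "__main__":
    # Constructed sample banner standing in for the bundled library's output;
    # on a real system replace it with the output of `openssl version`.
    sample = "OpenSSL 1.0.2e 3 Dec 2015"
    for cve in unfixed_cves(sample):
        print(f"{sample.split()[1]} still lacks the fix for {cve}")
```

Feeding the bundled library's real banner into `unfixed_cves` (for example via `subprocess.run(["openssl", "version"], capture_output=True, text=True).stdout`) gives the same list the comments above work through by hand; the per-CVE "does this code path apply to us" judgement still has to be made by a person.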
------- Comment #2 From cendio 2016-06-23 16:01:57 -------
Fixed in r31494.
------- Comment #3 From cendio 2016-06-28 13:02:47 -------
Verified that it is included in the build (5162).
Verified that rdesktop still works.
Verified client connects on CentOS 7, and MacOSX.