5854 – Upgrade OpenSSL to the latest version

Bug 5854 - Upgrade OpenSSL to the latest version

Summary: Upgrade OpenSSL to the latest version

Status:	CLOSED FIXED

Alias:	None

Product:	ThinLinc
Classification:	Unclassified
Component:	Build system (show other bugs)
Version:	pre-1.0
Hardware:	PC Unknown

Importance:	P2 Normal
Target Milestone:	4.7.0
Assignee:	Pierre Ossman

URL:
Keywords:	hean01_tester, relnotes, thomas_tester

Depends on:
Blocks:

Reported:	2016-04-22 17:04 CEST by Pierre Ossman
Modified:	2016-09-23 10:08 CEST (History)
CC List:	3 users (show)

See Also:
Acceptance Criteria:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Pierre Ossman cendio

2016-04-22 17:04:39 CEST

We're on 1.0.2e and 1.0.2g is out. There has been a couple of CVEs:

CVE-2016-0800
CVE-2016-0798
CVE-2016-0701
CVE-2015-3197

Servers, so doesn't affect us.

CVE-2016-0705

DSA keys, which we no longer use.

CVE-2016-0797
CVE-2016-0799

Exotic use of OpenSSL. May be affected.

CVE-2016-0702

Could affect our ssh client, but not likely to be exploitable.

Comment 1 Pierre Ossman cendio

2016-06-17 15:53:04 CEST

1.0.2h is also out, with a few more CVEs:

CVE-2016-2108:

Not sure if it covers us. Doesn't sound like it. It was however already fixed back in 1.0.2c.

CVE-2016-2107:

Sounds like it affects both OpenSSH and rdesktop. It is however a MITM, which rdesktop doesn't have protection for. Could be severe problems for OpenSSH though.

CVE-2016-2105:
CVE-2016-2106:
CVE-2016-2109:

Not clear when this can hit. May be affected. Low severity.

CVE-2016-2176:

Only EBCDIC systems.

Comment 2 Pierre Ossman cendio

2016-06-23 16:01:57 CEST

Fixed in r31494.

Comment 3 Thomas Nilefalk cendio

2016-06-28 13:02:47 CEST

Verified that it is included in the build (5162)
Verified that rdesktop still works.
Verified client connects on CentOS 7, and MacOSX.

Note You need to log in before you can comment on or make changes to this bug.