Bug 5854 - Upgrade OpenSSL to the latest version
Summary: Upgrade OpenSSL to the latest version
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Build system
Version: pre-1.0
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.7.0
Assignee: Pierre Ossman
URL:
Keywords: hean01_tester, relnotes, thomas_tester
Depends on:
Blocks:
 
Reported: 2016-04-22 17:04 CEST by Pierre Ossman
Modified: 2016-09-23 10:08 CEST
3 users

See Also:
Acceptance Criteria:



Description Pierre Ossman cendio 2016-04-22 17:04:39 CEST
We're on 1.0.2e and 1.0.2g is out. There have been a couple of CVEs:

CVE-2016-0800
CVE-2016-0798
CVE-2016-0701
CVE-2015-3197

Servers, so doesn't affect us.

CVE-2016-0705

DSA keys, which we no longer use.

CVE-2016-0797
CVE-2016-0799

Exotic use of OpenSSL. May be affected.

CVE-2016-0702

Could affect our ssh client, but not likely to be exploitable.
Comment 1 Pierre Ossman cendio 2016-06-17 15:53:04 CEST
1.0.2h is also out, with a few more CVEs:

CVE-2016-2108:

Not sure if it covers us. Doesn't sound like it. It was however already fixed back in 1.0.2c.

CVE-2016-2107:

Sounds like it affects both OpenSSH and rdesktop. It is however a MITM, which rdesktop doesn't have protection for. Could be severe problems for OpenSSH though.

CVE-2016-2105:
CVE-2016-2106:
CVE-2016-2109:

Not clear when this can hit. May be affected. Low severity.

CVE-2016-2176:

Only EBCDIC systems.
Comment 2 Pierre Ossman cendio 2016-06-23 16:01:57 CEST
Fixed in r31494.
Comment 3 Thomas Nilefalk cendio 2016-06-28 13:02:47 CEST
Verified that it is included in the build (5162)
Verified that rdesktop still works.
Verified client connects on CentOS 7, and MacOSX.
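Added example (not part of the bug report or ThinLinc's build system): a small Python checker that turns an OpenSSL version string such as `OpenSSL 1.0.2e 3 Dec 2015` into a comparable tuple and lists which of the CVEs triaged in this bug are still outstanding for that build. The fix-version table is constructed from the bug's own grouping, which is an assumption: the description's batch is mapped to 1.0.2g, comment 1's batch to 1.0.2h, and CVE-2016-2108 to 1.0.2c as comment 1 states. It is not an authoritative advisory mapping, and the comparison is only meaningful for OpenSSL 1.0.2-series builds (LibreSSL and OpenSSL 1.1+/3.x number releases differently).

```python
import re
import ssl

# Constructed table (assumption, see lead-in): the CVEs this bug tracks, keyed
# by the OpenSSL release the bug's triage treats as containing the fix.
FIXED_IN = {
    # Batch from the description, treated as fixed by 1.0.2g.
    "CVE-2016-0800": "1.0.2g",
    "CVE-2016-0798": "1.0.2g",
    "CVE-2016-0701": "1.0.2g",
    "CVE-2015-3197": "1.0.2g",
    "CVE-2016-0705": "1.0.2g",
    "CVE-2016-0797": "1.0.2g",
    "CVE-2016-0799": "1.0.2g",
    "CVE-2016-0702": "1.0.2g",
    # Batch from comment 1, treated as fixed by 1.0.2h (2108 already in 1.0.2c).
    "CVE-2016-2108": "1.0.2c",
    "CVE-2016-2107": "1.0.2h",
    "CVE-2016-2105": "1.0.2h",
    "CVE-2016-2106": "1.0.2h",
    "CVE-2016-2109": "1.0.2h",
    "CVE-2016-2176": "1.0.2h",
}

# Matches "1.0.2e" inside "OpenSSL 1.0.2e 3 Dec 2015" or a bare "1.0.2h".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Parse an OpenSSL version string into a tuple that sorts correctly.

    Pre-1.1 releases use a trailing patch letter: "" < "a" < "b" < ... so the
    letters are encoded as a base-26 number with "" == 0 and "a" == 1.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % (text,))
    major, minor, fix, letters = m.groups()
    patch = 0
    for ch in letters:
        patch = patch * 26 + (ord(ch) - ord("a") + 1)
    return (int(major), int(minor), int(fix), patch)


def outstanding_cves(version_text):
    """Return the CVEs from FIXED_IN whose fix release is newer than this build."""
    have = parse_version(version_text)
    return sorted(cve for cve, fixed in FIXED_IN.items()
                  if parse_version(fixed) > have)


def linked_openssl_version():
    """Version string of the OpenSSL this interpreter is linked against."""
    return ssl.OPENSSL_VERSION


if __name__ == "__main__":
    # Constructed sample inputs: the version the bug starts from and the two
    # releases it mentions as fixing the listed CVEs.
    for sample in ("OpenSSL 1.0.2e 3 Dec 2015", "1.0.2g", "1.0.2h"):
        missing = outstanding_cves(sample)
        print("%-28s -> %s" % (sample, ", ".join(missing) or "nothing outstanding"))
    # The same check against whatever OpenSSL the running Python links to.
    # Only meaningful for 1.0.2-series builds; newer series sort as "fixed".
    here = linked_openssl_version()
    print("%-28s -> %s" % (here, ", ".join(outstanding_cves(here)) or "nothing outstanding"))
```

The same idea carries over to a build verification step like the one in comment 3: feed the script the output of `openssl version` from the shipped binary, or the version string baked into the client, and require an empty result before signing off on the build.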