Note

The Funtoo Linux project has transitioned to "Hobby Mode" and this wiki is now read-only.

News:OpenSSL Update

From Funtoo
Jump to navigation Jump to search

OpenSSL Update

OpenSSL Update

By Oleg / March 4, 2016

A security update to openssl available. This fixes following security problems: CVE-2016-0702, CVE-2016-0703, CVE-2016-0704, CVE-2016-0705, CVE-2016-0797, CVE-2016-0798, CVE-2016-0799, CVE-2016-0800.

Update to openssl require rebuilding of all openssl dependent packages installed on your box. To perform this, run following command:

root # revdep-rebuild.sh -i -L "libssl\.so.*" -- --exclude=openssl

More details

Important change in openssl-1.0.2g is that vulnerable SSLv2 support is disabled by default:

  • Disable weak ciphers in SSLv3 and up in default builds of OpenSSL. Builds that are not configured with "enable-weak-ssl-ciphers" will not provide any "EXPORT" or "LOW" strength ciphers.
  • Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2 is by default disabled at build-time. Builds that are not configured with "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used, users who want to negotiate SSLv2 via the version-flexible SSLv23_method() will need to explicitly call either of:

SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2); or SSL_clear_options(ssl, SSL_OP_NO_SSLv2); as appropriate. Even if either of those is used, or the application explicitly uses the version-specific SSLv2_method() or its client and server variants, SSLv2 ciphers vulnerable to exhaustive search key recovery have been removed. Specifically, the SSLv2 40-bit EXPORT ciphers, and SSLv2 56-bit DES are no longer available.

This result in ABI change in OpenSSL (without changing its name and number), and this consequently, if update to openssl happened on your box, require rebuilding of all openssl dependent packages installed. Currently, this can be achieved by using revdep-rebuild tool as shown above. Another automated way of rebuilding all packages, which is in progress, using sub-slot feature of portage, but this also need changing of all ebuilds dependent on openssl, which has no ETA.