Updating OpenSSL due to security scan
While 11% of HTTPS servers with browser-trusted certificates are directly vulnerable to DROWN, another whopping 11% fall victim through some other service (most commonly SMTP on port 25).
Second, in the OpenSSL security releases of March 2015, we rewrote a section of code, which coincidentally fixed a security bug (CVE-2016-0703).
The attack works against every known SSL/TLS implementation supporting SSLv2.
It is, however, particularly dangerous against OpenSSL versions predating March 2015 (more on that below).
Some third-party distributions have a policy of backporting only selected security updates without moving to a newer version, in order to provide stability.
Each distribution varies; you should install the updates provided by your vendor and contact them for questions about this or any other security issues.
This bug, if present in the server, makes the DROWN attack run in just a few minutes on, well, our laptops.
This reduced complexity could lead to successful real-time man-in-the-middle attacks, hijacking a session even if the client and the server would otherwise negotiate a forward-secure Diffie-Hellman ciphersuite.
All issues affecting OpenSSL can be found in the search by source package and information about DROWN will appear under the tracker for CVE-2016-0800.
Even if there has been a successful DROWN attack against you, there is no need to regenerate your private key, so long as you can confidently identify all services that share this key, and disable SSLv2 for them.
Today, an international group of researchers unveiled DROWN (Decrypting RSA with Obsolete and Weakened eNcryption), aka CVE-2016-0800, a novel cross-protocol attack that uses SSLv2 handshakes to decrypt TLS sessions.
Over the past weeks, the OpenSSL team worked closely with the researchers to determine the exact impact of DROWN on OpenSSL and devise countermeasures to protect our users.
Nevertheless, in addition to ensuring that your Postfix configuration disables SSLv2 and weak or obsolete ciphers, you should also deploy the appropriate OpenSSL upgrade.
Note that if you’re running anything but the latest OpenSSL releases from January 2016 (1.0.2f and 1.0.1r), a subtle bug (CVE-2015-3197) allows the server to accept SSLv2 EXPORT handshakes even if EXPORT ciphers are not configured.
Bottom line: if you are running OpenSSL 1.0.2 (the first, no-letter release) or OpenSSL 1.0.1l or earlier, you should upgrade immediately.
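To triage hosts against the two version thresholds stated above, the following added example (not code from the OpenSSL project) parses the line printed by `openssl version` and compares the patch letter per branch. The function names and sample lines are constructed for illustration, and only the 1.0.1 and 1.0.2 thresholds given on this page are encoded.

```python
import re

# Thresholds taken from the text above, per release branch:
#   last_pre_march2015: last patch letter predating the March 2015 releases
#   first_jan2016:      January 2016 release (first without CVE-2015-3197)
BRANCHES = {
    "1.0.1": {"last_pre_march2015": "l", "first_jan2016": "r"},
    "1.0.2": {"last_pre_march2015": "", "first_jan2016": "f"},
}

VERSION_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")

def letter_rank(suffix):
    """Order OpenSSL patch letters: '' < a < ... < z < za < zb ..."""
    if not suffix:
        return 0
    return 26 * (len(suffix) - 1) + (ord(suffix[-1]) - ord("a") + 1)

def classify(version_line):
    """Map one `openssl version` output line to the findings named on this page."""
    m = VERSION_RE.search(version_line)
    if not m:
        return {"status": "unparsed", "findings": []}
    branch, letter = m.group(1), m.group(2)
    limits = BRANCHES.get(branch)
    if limits is None:
        return {"status": "branch-not-covered", "branch": branch, "findings": []}
    rank = letter_rank(letter)
    findings = []
    if rank <= letter_rank(limits["last_pre_march2015"]):
        findings.append("predates March 2015 security releases: upgrade immediately")
    if rank < letter_rank(limits["first_jan2016"]):
        findings.append("CVE-2015-3197: SSLv2 EXPORT accepted even if not configured")
    status = "action-needed" if findings else "at-or-past-jan-2016"
    return {"status": status, "branch": branch, "letter": letter, "findings": findings}

if __name__ == "__main__":
    # Constructed sample lines in the `openssl version` format; dates are illustrative.
    for line in (
        "OpenSSL 1.0.1k 8 Jan 2015",
        "OpenSSL 1.0.1e-fips 11 Feb 2013",
        "OpenSSL 1.0.2 22 Jan 2015",
        "OpenSSL 1.0.2f 28 Jan 2016",
    ):
        print(line, "->", classify(line))
```

Distribution packages that backport fixes keep the upstream version string, so an `action-needed` result on a vendor build should be checked against the vendor's advisory for the installed package.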