
OpenSSL security advisory 2016-03-01 - kpcyrd
https://mta.openssl.org/pipermail/openssl-announce/2016-March/000066.html
======
geggam
Bob Beck @bob_beck

So of 8 #openssl things forthcoming, all but two low severity ones were
already fixed in #libressl - You won't need to patch #libressl today

[https://twitter.com/bob_beck/status/704693297583788032](https://twitter.com/bob_beck/status/704693297583788032)

~~~
asddubs
I'm still a little bitter that
[http://opensslrampage.org/](http://opensslrampage.org/) stopped updating; it
was always good for a chuckle.

------
jlgaddis
Permanent link to the original advisory (not the mailing list announcement),
which "may be updated with additional details over time":

[https://www.openssl.org/news/secadv/20160301.txt](https://www.openssl.org/news/secadv/20160301.txt)

------
ck2
CentOS "no packages marked for update"

hmm, still at openssl-1.0.1e-51.el7_2.2.x86_64

~~~
darkr
I just got a notification that new builds for CentOS 6 and 7 were being pushed
out to the mirrors now..

~~~
ck2
ah finally

    ---> Package openssl.x86_64 1:1.0.1e-51.el7_2.2 will be updated
    ---> Package openssl.x86_64 1:1.0.1e-51.el7_2.4 will be an update
    ---> Package openssl-devel.x86_64 1:1.0.1e-51.el7_2.2 will be updated
    ---> Package openssl-devel.x86_64 1:1.0.1e-51.el7_2.4 will be an update
    ---> Package openssl-libs.x86_64 1:1.0.1e-51.el7_2.2 will be updated
    ---> Package openssl-libs.x86_64 1:1.0.1e-51.el7_2.4 will be an update

------
antx
Mostly fixed in Debian... damn, these guys are fast!

[https://security-tracker.debian.org/tracker/source-package/o...](https://security-tracker.debian.org/tracker/source-package/openssl)

------
ultramancool
This is in Ubuntu LTS as 1.0.1f-1ubuntu2.18

[http://changelogs.ubuntu.com/changelogs/pool/main/o/openssl/...](http://changelogs.ubuntu.com/changelogs/pool/main/o/openssl/openssl_1.0.1f-1ubuntu2.18/changelog)

Deployed it in all of 2 minutes this morning. Ansible rocks.

------
yuhong
There used to be an OpenSSL worm that took advantage of a bug in the SSLv2
support:
[http://tech.slashdot.org/story/02/09/25/1210247/new-linux-wo...](http://tech.slashdot.org/story/02/09/25/1210247/new-linux-worm-found-in-the-wild)

------
Mojah
Mirrored here, in case the official source goes down:
[https://marc.ttias.be/openssl-announce/2016-03/msg00002.php](https://marc.ttias.be/openssl-announce/2016-03/msg00002.php)

------
walrus01
I am enjoying an environment configured to only allow TLSv1.2 and deny
everything else. It may not be a realistic option for everyone, but for
anything new built in 2015 or later it is the only sensible choice.

