deis/docker-base

openssl: CVE-2016-7056 CVE-2016-8610 CVE-2017-3731

Closed this issue · 1 comments

https://lists.debian.org/debian-security-announce/2017/msg00024.html

Several vulnerabilities were discovered in OpenSSL:

CVE-2016-7056

A local timing attack was discovered against ECDSA P-256.

CVE-2016-8610

It was discovered that no limit was imposed on alert packets during
an SSL handshake.

CVE-2017-3731

Robert Swiecki discovered that the RC4-MD5 cipher when running on
32 bit systems could be forced into an out-of-bounds read, resulting
in denial of service.

This doesn't seem to be an issue on Ubuntu; only Debian Jessie. quay.io also confirms that v0.3.6 is not affected by these CVEs. Closing.