Qualys SSL Labs has announced that starting June 1, they will grade with an
F any servers vulnerable to CVE-2016-2107.
https://blog.qualys.com/ssllabs/2016/05/09/openssl-cve-2016-2107-grading-update
The fix is to upgrade OpenSSL. Qualys is giving it an F for good reason:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2107
The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h
does not consider memory allocation during a certain padding check, which
allows remote attackers to obtain sensitive cleartext information via a
padding-oracle attack against an AES CBC session, NOTE: this vulnerability
exists because of an incorrect fix for CVE-2013-0169.
My cached Alaskan scan results have been updated to include this
information.
http://www.techsolvency.com/tls/
For your convenience, I have also extracted just the vulnerable
hosts/domains. They are listed here (only reachable from Alaskan IP space):
http://www.techsolvency.com/scans/cve-2016-2107/
About 1300 unique hosts in Alaskan domains are affected (that I can tell so
far).
Royce
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Mon May 23 07:58:32 2016
This archive was generated by hypermail 2.1.8 : Mon May 23 2016 - 07:58:32 AKDT