On 03/07/2016 10:14 AM, James Washington wrote:
> Hey all,
>
> Sorry to jump in here but out of curiosity, has the patch actually been back
> ported to earlier versions of OpenSSL regarding the recent DROWN attack? I've
> checked the RPM change log and nothing's been mentioned relating to
> CVE-2016-0800 (I think that was the CVE number). Or is this thread not relating
> to that vulnerability?
>
> Kind regards
>
> James Washington

DROWN depends upon SSLv2.

I'm not sure if this removed SSLv2 or not, but I am not personally aware of any public services that enabled SSLv2 by default in CentOS 7 anyway, so unless you have a service supporting SSLv2 you are not vulnerable to DROWN.

Reality is, you should not have either SSLv2 or SSLv3 enabled on any service and disabling was best practice long before DROWN.
_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
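
One way to check the point made in the reply above, that no service on a host still enables SSLv2 or SSLv3: an added example, not part of the original thread, that audits Apache `SSLProtocol` and nginx `ssl_protocols` lines. The sample lines are constructed, and expanding `all` to every protocol name the script knows is a conservative assumption, since what `all` really enables depends on the installed httpd and OpenSSL versions.

```python
import re

LEGACY = {"sslv2", "sslv3"}
# Assumption: "all" expands to every name below (conservative); the real
# expansion depends on the httpd and OpenSSL versions in use.
KNOWN = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}

# Constructed sample: lines as they might appear in separate config files.
SAMPLE = """\
# constructed sample, not taken from any real host
SSLProtocol all -SSLv2 -SSLv3
SSLProtocol all -SSLv2
SSLProtocol -all +TLSv1.2
ssl_protocols SSLv3 TLSv1.2;
ssl_protocols TLSv1.2;
"""

def apache_enabled(args):
    """mod_ssl SSLProtocol: tokens apply left to right; +x adds, -x removes,
    and a bare token replaces whatever was set before it."""
    enabled = set()
    for tok in args.split():
        action = tok[0] if tok[0] in "+-" else ""
        name = tok.lstrip("+-").lower()
        group = set(KNOWN) if name == "all" else {name}
        if action == "-":
            enabled -= group
        elif action == "+":
            enabled |= group
        else:
            enabled = set(group)
    return enabled

def audit(config_text):
    """Return (line number, directive, legacy protocols left enabled)."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip().rstrip(";")
        m = re.match(r"(?i)(SSLProtocol|ssl_protocols)\s+(.+)", line)
        if not m:
            continue
        directive, args = m.group(1), m.group(2)
        if directive.lower() == "sslprotocol":
            enabled = apache_enabled(args)
        else:  # nginx: a protocol is enabled only if it is listed
            enabled = {t.lower() for t in args.split()}
        legacy = sorted(enabled & LEGACY)
        if legacy:
            findings.append((lineno, directive, legacy))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

An empty result only covers the directives the script parses; other TLS-speaking services (mail, LDAP and so on) have their own protocol settings.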
