Security Update OpenSSL crypto Library Vulnerabilities: FREAK Fix


OpenSSL issued a security advisory on 19th March, 2015.

The advisory lists two high severity bugs. Cumulus Linux 2.y.z is based on Debian Wheezy, so it runs OpenSSL 1.0.1e, and some of the vulnerabilities in this advisory do not apply. Among these is one of the two high severity issues, CVE-2015-0291, a denial-of-service condition that only affects version 1.0.2 of the crypto library.

The second high severity issue, CVE-2015-0204, does impact OpenSSL 1.0.1e, and a patch is available. Cumulus Networks recommends you upgrade OpenSSL to version 1.0.1e-2+deb7u15, the Debian version of OpenSSL with the fixes backported from OpenSSL 1.0.1m.

To update OpenSSL, run apt-get on your switches:

apt-get update 
apt-get upgrade

The update also patches 12 other vulnerabilities (9 moderate and 3 low) in various versions of OpenSSL, listed here in order of severity:

Moderate severity:

Low severity:
