
Security Update OpenSSL crypto Library Vulnerabilities: FREAK Fix


OpenSSL issued a security advisory on 19th March, 2015.

The advisory lists two high severity bugs. Cumulus Linux 2.y.z is based on Debian Wheezy, so it runs OpenSSL 1.0.1e. As a result, some of the vulnerabilities in this alert do not apply, including one of the two high severity issues, CVE-2015-0291, a denial-of-service condition that only affects version 1.0.2 of the crypto library.

The second high severity issue, CVE-2015-0204, does impact OpenSSL 1.0.1e, and a patch is available. Cumulus Networks recommends you upgrade OpenSSL to version 1.0.1e-2+deb7u15, the Debian version of OpenSSL with the fixes backported from OpenSSL 1.0.1m.

To update OpenSSL, run apt-get on your switches:

apt-get update 
apt-get upgrade
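
To confirm the upgrade landed, the following added example (not part of the original article and not Cumulus Networks code) compares the installed package versions against the fixed build named above, using Debian version ordering. The function names and the libssl1.0.0 package name (the Debian Wheezy shared-library package, which the article does not mention) are assumptions.

```shell
#!/bin/sh
# Added example: check that the OpenSSL packages are at or above the fixed build.
FIXED="1.0.1e-2+deb7u15"   # fixed version named in this article

# is_patched VERSION -> exit 0 if VERSION >= FIXED under Debian version ordering.
# dpkg --compare-versions is used rather than a string comparison because
# "deb7u9" sorts after "deb7u15" as text but is the older build.
is_patched() {
    dpkg --compare-versions "$1" ge "$FIXED"
}

# installed_version PKG -> print the version if PKG is fully installed, else nothing.
installed_version() {
    dpkg-query -W -f='${Status} ${Version}\n' "$1" 2>/dev/null |
        awk '$1 == "install" && $3 == "installed" { print $4 }'
}

# audit_openssl PKG... -> one status line per package; returns 1 if any is behind.
audit_openssl() {
    rc=0
    for pkg in "$@"; do
        ver=$(installed_version "$pkg")
        if [ -z "$ver" ]; then
            echo "$pkg: not installed"
        elif is_patched "$ver"; then
            echo "$pkg: $ver OK"
        else
            echo "$pkg: $ver BELOW FIXED VERSION (need >= $FIXED)"
            rc=1
        fi
    done
    return $rc
}

# libssl1.0.0 is an assumed package name (see the note above the block).
audit_openssl openssl libssl1.0.0
```

The script exits non-zero when any listed package is older than the fixed build, so it can be used as a post-upgrade check across switches.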

There are 12 other vulnerabilities (9 moderate and 3 low) in various versions of OpenSSL that were also patched, listed here in order of severity:

Moderate severity:

Low severity:
