August 12, 2015
In my last blog, I wrote about keeping OpenSSL current via the webpacks. In part, that is because OpenSSL is always something to blog about. Please note that there are really important CVEs to be patched: if you look at the recent Java patches, you will see that patches are also needed to fix the following OpenSSL-related CVEs:
(Security Bulletin: Multiple vulnerabilities in IBM Java SDK including Logjam affect AIX (CVE-2015-2638 CVE-2015-4733 CVE-2015-4732 CVE-2015-2590 CVE-2015-4731 CVE-2015-4760 CVE-2015-4736 CVE-2015-4748 CVE-2015-2664 CVE-2015-2632 CVE-2015-2637 CVE-2015-2619 CVE-2015-2621 CVE-2015-2613 CVE-2015-2601 CVE-2015-4749 CVE-2015-4729 CVE-2015-2625 CVE-2015-1931)
More to the point, until today I was beginning to think that only AIX's packaging of openssh used the openssl.base library. But there is something else: sendmail, or more specifically the sendmail binary that supports STARTTLS, depends on /usr/lib/libssl.a, which is normally supplied as one of the files in openssl.base.
The full advisory link is coming, but basically this is about fixing sendmail so that it is not exposed to the so-called LOGJAM, the vulnerability in Diffie-Hellman ciphers.
This is fixed in OpenSSL, but only if the application is linked against libssl.so.1.0.0 (or later) rather than against libssl.so.0.9.8, because OpenSSL 0.9.8 will never be able to support TLSv1.2.
Quick check for vulnerability
If you see libssl.so.0.9.8 and libcrypto.so.0.9.8, you are at risk IF you have configured your system to use the STARTTLS feature. If you have not configured STARTTLS, you are not at risk from LOGJAM, or from any other crypto-related attack, because all your mail is "in the clear" anyway.
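The two conditions above (which libssl member the binary loads, and whether STARTTLS is configured at all) can be combined into a small script. This is an added example, not part of the original post or of AIX: on AIX the dependency table would come from `dump -H /usr/sbin/sendmail`, and the sample listing and sendmail.cf lines below are constructed so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: classify a sendmail binary's
# Logjam exposure from (a) the OpenSSL member it is linked against and
# (b) whether STARTTLS is configured in sendmail.cf.
# On AIX the dependency table comes from:  dump -H /usr/sbin/sendmail
# Its "***Import File Strings***" section lists the archive BASE (libssl.a)
# and the MEMBER actually loaded (libssl.so.0.9.8 vs libssl.so.1.0.0).

# Print the libssl MEMBER name from a dump -H listing on stdin (empty if none).
libssl_member() {
    awk '$0 ~ /libssl\.a/ { print $NF; exit }'
}

# Succeed if sendmail.cf sets any of the STARTTLS certificate options.
starttls_configured() {
    grep -Eq '^O (ServerCertFile|ServerKeyFile|CACertFile|CACertPath)=' "$1"
}

# Print NO_TLS, AT_RISK, SAFE or UNKNOWN for (dump -H output file, sendmail.cf).
classify() {
    member=$(libssl_member < "$1")
    if ! starttls_configured "$2"; then
        echo NO_TLS            # no STARTTLS: mail is in the clear anyway
        return
    fi
    case "$member" in
        libssl.so.0.9.8) echo AT_RISK ;;   # 0.9.8 can never negotiate TLSv1.2
        libssl.so.1.*)   echo SAFE ;;
        *)               echo UNKNOWN ;;   # static link or no libssl at all
    esac
}

# Constructed sample inputs (layout approximates dump -H; paths are made up).
D=$(mktemp -d)
printf '%s\n' '***Import File Strings***' 'INDEX  PATH           BASE        MEMBER' \
    '0      /usr/lib:/lib' '1                     libc.a      shr.o' \
    '2                     libssl.a    libssl.so.0.9.8' \
    '3                     libcrypto.a libcrypto.so.0.9.8' > "$D/old.dump"
sed 's/0\.9\.8/1.0.0/' "$D/old.dump" > "$D/new.dump"
printf '%s\n' 'O ServerCertFile=/etc/ssl/certs/mail.pem' \
    'O ServerKeyFile=/etc/ssl/private/mail.key' > "$D/tls.cf"
printf '%s\n' '#O ServerCertFile=/etc/ssl/certs/mail.pem' > "$D/plain.cf"

classify "$D/old.dump" "$D/tls.cf"     # AT_RISK
classify "$D/new.dump" "$D/tls.cf"     # SAFE
classify "$D/old.dump" "$D/plain.cf"   # NO_TLS
```

On a real AIX host, replace the constructed files with `dump -H /usr/sbin/sendmail > dump.out` and the live /etc/mail/sendmail.cf.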
So, if you are wondering about the security of sendmail and TLS, check out the security advisory at: