openssl: CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, CVE-2016-6304, CVE-2016-6305, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308

[tianon]

CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, CVE-2016-6304, CVE-2016-6305, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308

https://www.openssl.org/news/secadv/20160922.txt

• alpine: OpenSSL 1.0.2i for Alpine CVEs #2174
  • http://git.alpinelinux.org/cgit/aports/log/main/openssl?h=3.4-stable
  • http://git.alpinelinux.org/cgit/aports/log/main/openssl?h=3.3-stable
  • http://git.alpinelinux.org/cgit/aports/log/main/openssl?h=3.2-stable
  • http://git.alpinelinux.org/cgit/aports/log/main/openssl?h=3.1-stable
  • http://git.alpinelinux.org/cgit/aports/log/main/openssl
  • http://bugs.alpinelinux.org/projects/alpine/search?q=CVE-2016-2177
  • http://bugs.alpinelinux.org/projects/alpine/search?q=CVE-2016-2178
  • http://bugs.alpinelinux.org/projects/alpine/search?q=CVE-2016-2179
  • http://bugs.alpinelinux.org/projects/alpine/search?q=CVE-2016-2180
  • http://bugs.alpinelinux.org/projects/alpine/search?q=CVE-2016-2181
  • http://bugs.alpinelinux.org/projects/alpine/search?q=CVE-2016-2182
  • http://bugs.alpinelinux.org/projects/alpine/search?q=CVE-2016-2183
  • http://bugs.alpinelinux.org/projects/alpine/search?q=CVE-2016-6302
  • http://bugs.alpinelinux.org/projects/alpine/search?q=CVE-2016-6303
  • http://bugs.alpinelinux.org/projects/alpine/search?q=CVE-2016-6304
  • http://bugs.alpinelinux.org/projects/alpine/search?q=CVE-2016-6305
  • http://bugs.alpinelinux.org/projects/alpine/search?q=CVE-2016-6306
  • http://bugs.alpinelinux.org/projects/alpine/search?q=CVE-2016-6307
  • http://bugs.alpinelinux.org/projects/alpine/search?q=CVE-2016-6308
• busybox: not affected
• centos (RHEL derivative):
  • https://access.redhat.com/security/cve/CVE-2016-2177
  • https://access.redhat.com/security/cve/CVE-2016-2178
  • https://access.redhat.com/security/cve/CVE-2016-2179
  • https://access.redhat.com/security/cve/CVE-2016-2180
  • https://access.redhat.com/security/cve/CVE-2016-2181
  • https://access.redhat.com/security/cve/CVE-2016-2182
  • https://access.redhat.com/security/cve/CVE-2016-2183
  • https://access.redhat.com/security/cve/CVE-2016-6302
  • https://access.redhat.com/security/cve/CVE-2016-6303
  • https://access.redhat.com/security/cve/CVE-2016-6304
  • https://access.redhat.com/security/cve/CVE-2016-6305
  • https://access.redhat.com/security/cve/CVE-2016-6306
  • https://access.redhat.com/security/cve/CVE-2016-6307
  • https://access.redhat.com/security/cve/CVE-2016-6308
• clearlinux: Update Clear Linux Project #2180
  • internal bug tracker
• crux: ???
  • https://crux.nu/gitweb/?p=ports/core.git;a=history;f=openssl;hb=HEAD
• debian: Update Debian, especially for DSA-3673-1 #2179
  • https://security-tracker.debian.org/tracker/CVE-2016-2177
  • https://security-tracker.debian.org/tracker/CVE-2016-2178
  • https://security-tracker.debian.org/tracker/CVE-2016-2179
  • https://security-tracker.debian.org/tracker/CVE-2016-2180
  • https://security-tracker.debian.org/tracker/CVE-2016-2181
  • https://security-tracker.debian.org/tracker/CVE-2016-2182
  • https://security-tracker.debian.org/tracker/CVE-2016-2183
  • https://security-tracker.debian.org/tracker/CVE-2016-6302
  • https://security-tracker.debian.org/tracker/CVE-2016-6303
  • https://security-tracker.debian.org/tracker/CVE-2016-6304
  • https://security-tracker.debian.org/tracker/CVE-2016-6305
  • https://security-tracker.debian.org/tracker/CVE-2016-6306
  • https://security-tracker.debian.org/tracker/CVE-2016-6307
  • https://security-tracker.debian.org/tracker/CVE-2016-6308
• fedora:
  • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2177
  • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2178
  • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2179
  • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2180
  • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2181
  • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2182
  • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2183
  • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6302
  • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6303
  • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6304
  • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6305
  • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6306
  • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6307
  • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6308
• mageia:
  • https://advisories.mageia.org/CVE-2016-2177
  • https://bugs.mageia.org/buglist.cgi?quicksearch=ALL%20CVE-2016-2177
  • https://advisories.mageia.org/CVE-2016-2178
  • https://bugs.mageia.org/buglist.cgi?quicksearch=ALL%20CVE-2016-2178
  • https://advisories.mageia.org/CVE-2016-2179
  • https://bugs.mageia.org/buglist.cgi?quicksearch=ALL%20CVE-2016-2179
  • https://advisories.mageia.org/CVE-2016-2180
  • https://bugs.mageia.org/buglist.cgi?quicksearch=ALL%20CVE-2016-2180
  • https://advisories.mageia.org/CVE-2016-2181
  • https://bugs.mageia.org/buglist.cgi?quicksearch=ALL%20CVE-2016-2181
  • https://advisories.mageia.org/CVE-2016-2182
  • https://bugs.mageia.org/buglist.cgi?quicksearch=ALL%20CVE-2016-2182
  • https://advisories.mageia.org/CVE-2016-2183
  • https://bugs.mageia.org/buglist.cgi?quicksearch=ALL%20CVE-2016-2183
  • https://advisories.mageia.org/CVE-2016-6302
  • https://bugs.mageia.org/buglist.cgi?quicksearch=ALL%20CVE-2016-6302
  • https://advisories.mageia.org/CVE-2016-6303
  • https://bugs.mageia.org/buglist.cgi?quicksearch=ALL%20CVE-2016-6303
  • https://advisories.mageia.org/CVE-2016-6304
  • https://bugs.mageia.org/buglist.cgi?quicksearch=ALL%20CVE-2016-6304
  • https://advisories.mageia.org/CVE-2016-6305
  • https://bugs.mageia.org/buglist.cgi?quicksearch=ALL%20CVE-2016-6305
  • https://advisories.mageia.org/CVE-2016-6306
  • https://bugs.mageia.org/buglist.cgi?quicksearch=ALL%20CVE-2016-6306
  • https://advisories.mageia.org/CVE-2016-6307
  • https://bugs.mageia.org/buglist.cgi?quicksearch=ALL%20CVE-2016-6307
  • https://advisories.mageia.org/CVE-2016-6308
  • https://bugs.mageia.org/buglist.cgi?quicksearch=ALL%20CVE-2016-6308
• opensuse:
  • https://bugzilla.novell.com/show_bug.cgi?id=CVE-2016-2177
  • https://bugzilla.novell.com/show_bug.cgi?id=CVE-2016-2178
  • https://bugzilla.novell.com/show_bug.cgi?id=CVE-2016-2179
  • https://bugzilla.novell.com/show_bug.cgi?id=CVE-2016-2180
  • https://bugzilla.novell.com/show_bug.cgi?id=CVE-2016-2181
  • https://bugzilla.novell.com/show_bug.cgi?id=CVE-2016-2182
  • https://bugzilla.novell.com/show_bug.cgi?id=CVE-2016-2183
  • https://bugzilla.novell.com/show_bug.cgi?id=CVE-2016-6302
  • https://bugzilla.novell.com/show_bug.cgi?id=CVE-2016-6303
  • https://bugzilla.novell.com/show_bug.cgi?id=CVE-2016-6304
  • https://bugzilla.novell.com/show_bug.cgi?id=CVE-2016-6305
  • https://bugzilla.novell.com/show_bug.cgi?id=CVE-2016-6306
  • https://bugzilla.novell.com/show_bug.cgi?id=CVE-2016-6307
  • https://bugzilla.novell.com/show_bug.cgi?id=CVE-2016-6308
• oraclelinux: Updated Oracle Linux for OpenSSL CVEs #2203
  • http://linux.oracle.com/cve/CVE-2016-2177
  • http://linux.oracle.com/cve/CVE-2016-2178
  • http://linux.oracle.com/cve/CVE-2016-2179
  • http://linux.oracle.com/cve/CVE-2016-2180
  • http://linux.oracle.com/cve/CVE-2016-2181
  • http://linux.oracle.com/cve/CVE-2016-2182
  • http://linux.oracle.com/cve/CVE-2016-2183
  • http://linux.oracle.com/cve/CVE-2016-6302
  • http://linux.oracle.com/cve/CVE-2016-6303
  • http://linux.oracle.com/cve/CVE-2016-6304
  • http://linux.oracle.com/cve/CVE-2016-6305
  • http://linux.oracle.com/cve/CVE-2016-6306
  • http://linux.oracle.com/cve/CVE-2016-6307
  • http://linux.oracle.com/cve/CVE-2016-6308
• photon:
  • https://github.com/vmware/photon/tree/master/SPECS/openssl
  • https://github.com/vmware/photon/tree/dev/SPECS/openssl
• sourcemage:
  • http://scmweb.sourcemage.org/?p=smgl/grimoire.git;a=history;f=crypto/openssl
  • http://www.sourcemage.org/projects/grimoire/search?q=CVE-2016-2177
  • http://www.sourcemage.org/projects/grimoire/search?q=CVE-2016-2178
  • http://www.sourcemage.org/projects/grimoire/search?q=CVE-2016-2179
  • http://www.sourcemage.org/projects/grimoire/search?q=CVE-2016-2180
  • http://www.sourcemage.org/projects/grimoire/search?q=CVE-2016-2181
  • http://www.sourcemage.org/projects/grimoire/search?q=CVE-2016-2182
  • http://www.sourcemage.org/projects/grimoire/search?q=CVE-2016-2183
  • http://www.sourcemage.org/projects/grimoire/search?q=CVE-2016-6302
  • http://www.sourcemage.org/projects/grimoire/search?q=CVE-2016-6303
  • http://www.sourcemage.org/projects/grimoire/search?q=CVE-2016-6304
  • http://www.sourcemage.org/projects/grimoire/search?q=CVE-2016-6305
  • http://www.sourcemage.org/projects/grimoire/search?q=CVE-2016-6306
  • http://www.sourcemage.org/projects/grimoire/search?q=CVE-2016-6307
  • http://www.sourcemage.org/projects/grimoire/search?q=CVE-2016-6308
• ubuntu: Update Ubuntu, especially for USN-3087-1 and USN-3087-2 #2182
  • http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2177
  • http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2178
  • http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2179
  • http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2180
  • http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2181
  • http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2182
  • http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2183
  • http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-6302
  • http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-6303
  • http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-6304
  • http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-6305
  • http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-6306
  • http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-6307
  • http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-6308
    • http://people.canonical.com/~ubuntu-security/cve/priority.html (for reference)
  • https://partner-images.canonical.com/core/

---

CVE-2016-2177: https://www.openssl.org/news/vulnerabilities.html#2016-2177

• Fixed in OpenSSL 1.0.1u (Affected 1.0.1t, 1.0.1s, 1.0.1r, 1.0.1q, 1.0.1p, 1.0.1o, 1.0.1n, 1.0.1m, 1.0.1l, 1.0.1k, 1.0.1j, 1.0.1i, 1.0.1h, 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
• Fixed in OpenSSL 1.0.2i (Affected 1.0.2h, 1.0.2g, 1.0.2f, 1.0.2e, 1.0.2d, 1.0.2c, 1.0.2b, 1.0.2a, 1.0.2)

CVE-2016-2178: https://www.openssl.org/news/vulnerabilities.html#2016-2178

• Fixed in OpenSSL 1.0.1u (Affected 1.0.1t, 1.0.1s, 1.0.1r, 1.0.1q, 1.0.1p, 1.0.1o, 1.0.1n, 1.0.1m, 1.0.1l, 1.0.1k, 1.0.1j, 1.0.1i, 1.0.1h, 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
• Fixed in OpenSSL 1.0.2i (Affected 1.0.2h, 1.0.2g, 1.0.2f, 1.0.2e, 1.0.2d, 1.0.2c, 1.0.2b, 1.0.2a, 1.0.2)

CVE-2016-2179: https://www.openssl.org/news/vulnerabilities.html#2016-2179

• Fixed in OpenSSL 1.0.1u (Affected 1.0.1t, 1.0.1s, 1.0.1r, 1.0.1q, 1.0.1p, 1.0.1o, 1.0.1n, 1.0.1m, 1.0.1l, 1.0.1k, 1.0.1j, 1.0.1i, 1.0.1h, 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
• Fixed in OpenSSL 1.0.2i (Affected 1.0.2h, 1.0.2g, 1.0.2f, 1.0.2e, 1.0.2d, 1.0.2c, 1.0.2b, 1.0.2a, 1.0.2)

CVE-2016-2180: https://www.openssl.org/news/vulnerabilities.html#2016-2180

• Fixed in OpenSSL 1.0.1u (Affected 1.0.1t, 1.0.1s, 1.0.1r, 1.0.1q, 1.0.1p, 1.0.1o, 1.0.1n, 1.0.1m, 1.0.1l, 1.0.1k, 1.0.1j, 1.0.1i, 1.0.1h, 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
• Fixed in OpenSSL 1.0.2i (Affected 1.0.2h, 1.0.2g, 1.0.2f, 1.0.2e, 1.0.2d, 1.0.2c, 1.0.2b, 1.0.2a, 1.0.2)

CVE-2016-2181: https://www.openssl.org/news/vulnerabilities.html#2016-2181

• Fixed in OpenSSL 1.0.1u (Affected 1.0.1t, 1.0.1s, 1.0.1r, 1.0.1q, 1.0.1p, 1.0.1o, 1.0.1n, 1.0.1m, 1.0.1l, 1.0.1k, 1.0.1j, 1.0.1i, 1.0.1h, 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
• Fixed in OpenSSL 1.0.2i (Affected 1.0.2h, 1.0.2g, 1.0.2f, 1.0.2e, 1.0.2d, 1.0.2c, 1.0.2b, 1.0.2a, 1.0.2)

CVE-2016-2182: https://www.openssl.org/news/vulnerabilities.html#2016-2182

• Fixed in OpenSSL 1.0.1u (Affected 1.0.1t, 1.0.1s, 1.0.1r, 1.0.1q, 1.0.1p, 1.0.1o, 1.0.1n, 1.0.1m, 1.0.1l, 1.0.1k, 1.0.1j, 1.0.1i, 1.0.1h, 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
• Fixed in OpenSSL 1.0.2i (Affected 1.0.2h, 1.0.2g, 1.0.2f, 1.0.2e, 1.0.2d, 1.0.2c, 1.0.2b, 1.0.2a, 1.0.2)

CVE-2016-2183: https://www.openssl.org/news/vulnerabilities.html#2016-2183 (does not appear to be listed on "vulnerabilities.html"); https://sweet32.info/

• OpenSSL 1.0.2 users should upgrade to 1.0.2i
• OpenSSL 1.0.1 users should upgrade to 1.0.1u

CVE-2016-6302: https://www.openssl.org/news/vulnerabilities.html#2016-6302

• Fixed in OpenSSL 1.0.1u (Affected 1.0.1t, 1.0.1s, 1.0.1r, 1.0.1q, 1.0.1p, 1.0.1o, 1.0.1n, 1.0.1m, 1.0.1l, 1.0.1k, 1.0.1j, 1.0.1i, 1.0.1h, 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
• Fixed in OpenSSL 1.0.2i (Affected 1.0.2h, 1.0.2g, 1.0.2f, 1.0.2e, 1.0.2d, 1.0.2c, 1.0.2b, 1.0.2a, 1.0.2)

CVE-2016-6303: https://www.openssl.org/news/vulnerabilities.html#2016-6303

• Fixed in OpenSSL 1.0.1u (Affected 1.0.1t, 1.0.1s, 1.0.1r, 1.0.1q, 1.0.1p, 1.0.1o, 1.0.1n, 1.0.1m, 1.0.1l, 1.0.1k, 1.0.1j, 1.0.1i, 1.0.1h, 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
• Fixed in OpenSSL 1.0.2i (Affected 1.0.2h, 1.0.2g, 1.0.2f, 1.0.2e, 1.0.2d, 1.0.2c, 1.0.2b, 1.0.2a, 1.0.2)

CVE-2016-6304: https://www.openssl.org/news/vulnerabilities.html#2016-6304

• Fixed in OpenSSL 1.0.1u (Affected 1.0.1t, 1.0.1s, 1.0.1r, 1.0.1q, 1.0.1p, 1.0.1o, 1.0.1n, 1.0.1m, 1.0.1l, 1.0.1k, 1.0.1j, 1.0.1i, 1.0.1h, 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
• Fixed in OpenSSL 1.0.2i (Affected 1.0.2h, 1.0.2g, 1.0.2f, 1.0.2e, 1.0.2d, 1.0.2c, 1.0.2b, 1.0.2a, 1.0.2)
• Fixed in OpenSSL 1.1.0a (Affected 1.1.0)

CVE-2016-6305: https://www.openssl.org/news/vulnerabilities.html#2016-6305

• Fixed in OpenSSL 1.1.0a (Affected 1.1.0)

CVE-2016-6306: https://www.openssl.org/news/vulnerabilities.html#2016-6306

• Fixed in OpenSSL 1.0.1u (Affected 1.0.1t, 1.0.1s, 1.0.1r, 1.0.1q, 1.0.1p, 1.0.1o, 1.0.1n, 1.0.1m, 1.0.1l, 1.0.1k, 1.0.1j, 1.0.1i, 1.0.1h, 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
• Fixed in OpenSSL 1.0.2i (Affected 1.0.2h, 1.0.2g, 1.0.2f, 1.0.2e, 1.0.2d, 1.0.2c, 1.0.2b, 1.0.2a, 1.0.2)

CVE-2016-6307: https://www.openssl.org/news/vulnerabilities.html#2016-6306

• Fixed in OpenSSL 1.1.0a (Affected 1.1.0)

CVE-2016-6308: https://www.openssl.org/news/vulnerabilities.html#2016-6306

• Fixed in OpenSSL 1.1.0a (Affected 1.1.0)

[tianon]

@bryteise are there any good links for CVE-tracking WRT Clear Linux? 🙏

[bryteise]

@tianon I'm sorry we do not have anything externally facing that can be linked to for the issue. It is something that is being looked at but I do not have any timeline for availability =(.

This is something that is definitely being tracked and we are looking to make a release as soon as possible for these.

[tianon]

@bryteise ok, that's good enough; thanks! 👍

[tianon]

Looks like we've a few fixes available upstream. 😄

@andyshinn alpine looks updated!

• http://git.alpinelinux.org/cgit/aports/commit/main/openssl?h=3.4-stable&id=a38f0ddf93adc4fd2f8255cbd1c94ab704b007ac
• http://git.alpinelinux.org/cgit/aports/commit/main/openssl?h=3.3-stable&id=3cd2cd34c2859d94c7cfa8bfd46c5ac71b26893e
• http://git.alpinelinux.org/cgit/aports/commit/main/openssl?h=3.2-stable&id=7cfa29eeb94474b3bf44e4be19b4e2263ac6b479
• http://git.alpinelinux.org/cgit/aports/commit/main/openssl?h=3.1-stable&id=3e8e66af8eb57c1dc45545c6ad7ad09d2ad1bc8c

@prologic crux looks updated! (https://crux.nu/gitweb/?p=ports/core.git;a=commit;h=5f0151ef41df86a94eb7ef5baab7d0c988515439)

@frapposelli photon looks updated! (vmware/photon@5d2fa23; not sure what it takes for it to move from dev to master 😇)

@vaygr sourcemage looks updated! (http://scmweb.sourcemage.org/?p=smgl/grimoire.git;a=commit;h=c4937fa93fc0d46ff07e3d31f10e9824faadb89f)

🙏

[tianon]

(Ubuntu is in progress, as is Debian)

[tianon]

ARRRRG https://www.openssl.org/news/secadv/20160926.txt

[tianon]

At least Debian and Ubuntu appear to be unaffected by this new advisory (https://security-tracker.debian.org/tracker/CVE-2016-7052, <not-affected> (Introduced in 1.0.2i)).

[tianon]

I think this is likely as good as it's going to get at this point. 👍