Ostro OS itself does not provide any vulnerable servers. Therefore there is no need for immediate action. Instead, we submitted a version update to OE-core and will get a fix through the regular inclusion of the updated OE-core into Ostro OS. See https://patchwork.openembedded.org/patch/132231/
Update: another issue has been found; the latest versions of OpenSSL are now 1.1.0b and 1.0.2j. OpenSSL Blog: https://www.openssl.org/news/secadv/20160926.txt
Talked to our resident crypto expert. His advice is as follows:
"If the OS supports running applications that may expose a TLS protected service – e.g. a web based control interface – then it will be affected by this notice unless the shipping library is built with the “no-ocsp” option.
If the library is built with “no-ocsp” I recommend updating to 1.0.2j, but it is not critical (MUST be filed as a high for next release). If the library is built with defaults, the library MUST be updated to 1.0.2j."
He also notes that the update includes another update that could improve device reliability by avoiding a failure case where the service thread could go unresponsive, so this is an update we will want soon regardless.
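The decision rule quoted above, written out as a small check (an added example, not code from this thread or from Ostro OS). It assumes the fixed releases named here, 1.1.0b and 1.0.2j, and that whether the library was built with `no-ocsp` is known from the build configuration, since the `ssl` module does not expose it; the function names are my own.

```python
import re
import ssl

# Minimum fixed releases named in this thread (1.1.0b and 1.0.2j).
FIXED = {"1.1.0": "b", "1.0.2": "j"}

_VERSION_RE = re.compile(r"(\d+\.\d+\.\d+)([a-z]*)")


def parse_version(banner):
    """Extract (branch, patch letter) from a banner such as 'OpenSSL 1.0.2h  3 May 2016'."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % banner)
    return m.group(1), m.group(2)


def assess(banner, built_with_no_ocsp):
    """Apply the rule from the thread to an 'openssl version' banner.

    Returns one of:
      'not-in-scope'  - branch not named in this thread; consult the advisory
      'must-update'   - OCSP compiled in and older than the fix: update now
      'should-update' - built with no-ocsp and older than the fix: high, next release
      'fixed'         - already at or past the fixed release
    """
    branch, letter = parse_version(banner)
    if branch not in FIXED:
        return "not-in-scope"
    # OpenSSL patch letters sort alphabetically; no letter at all is the oldest release.
    if letter >= FIXED[branch]:
        return "fixed"
    return "should-update" if built_with_no_ocsp else "must-update"


if __name__ == "__main__":
    # Live input: the library this interpreter is linked against. The no-ocsp
    # flag is an assumption here; take it from the real build configuration.
    banner = ssl.OPENSSL_VERSION
    print(banner, "->", assess(banner, built_with_no_ocsp=False))
```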
ostro-os #506 has this fixed.
OCSP Status Request extension unbounded memory growth (CVE-2016-6304)