dhis2-devs team mailing list archive

New openssl vulnerability

 

Hi

In case anyone has noticed and started to panic, there are some new
openssl vulnerabilities, which might affect your nginx installations.

http://www.infoq.com/news/2016/03/two-new-openssl-flaws?utm_source=infoqWeeklyNewsletter&utm_medium=WeeklyNL_EditorialContent_development&utm_campaign=03082016news

The first one (DROWN) should not represent a problem so long as ssl is
not enabled.  So you should have a line in your nginx config which
restricts the ssl protocols in use.  As described in our manual ...

    ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;

You should have this anyway, but do take a quick minute to check.

The second vulnerability mentioned has been classified as low
severity, but may particularly be a concern when using shared tenancy
cloud servers (amazon, linode, dediserve etc).

The fix is already released in the Ubuntu package system, so just make
sure your system is up to date (http://www.ubuntu.com/usn/usn-2914-1/).

So no real need to worry too much.
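
The quick check of the `ssl_protocols` line suggested in the message can be scripted. This is an added example, not part of the original message: the function name `check_ssl_protocols`, its exit codes and the sample configs are constructed for illustration, and it assumes each directive sits on a single line.

```bash
#!/usr/bin/env bash
# Added example: audit nginx config files for the ssl_protocols line.
# Assumes one directive per line, as in the snippet quoted in the message.
#   returns 0: directive present and lists only TLS versions
#   returns 1: some ssl_protocols directive lists SSLv2 or SSLv3
#   returns 2: no ssl_protocols directive (nginx uses its built-in default)
check_ssl_protocols() {
    local file=$1 found=0 weak=0 line proto
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}              # strip comments
        line=${line%%;*}              # keep text before the terminating ';'
        set -f; set -- $line; set +f  # split into words without globbing
        [ "${1:-}" = "ssl_protocols" ] || continue
        shift
        found=1
        for proto in "$@"; do
            case $proto in
                SSLv2|SSLv3) weak=1; echo "$file: $proto enabled" >&2 ;;
            esac
        done
    done < "$file"
    if [ "$found" -eq 0 ]; then return 2; fi
    if [ "$weak" -eq 1 ]; then return 1; fi
    return 0
}

# Constructed sample configs (not taken from any real server).
good_conf=$(mktemp); weak_conf=$(mktemp); none_conf=$(mktemp)
printf '%s\n' 'server {' '    listen 443 ssl;' \
    '    ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;' '}' > "$good_conf"
printf '%s\n' 'server {' '    listen 443 ssl;' \
    '    ssl_protocols SSLv2 SSLv3 TLSv1;  # legacy line' '}' > "$weak_conf"
printf '%s\n' 'server {' '    listen 443 ssl;' \
    '    # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;' '}' > "$none_conf"

for conf in "$good_conf" "$weak_conf" "$none_conf"; do
    rc=0
    check_ssl_protocols "$conf" || rc=$?
    echo "$conf: exit code $rc"
done
```

To cover included files as well, save the output of `nginx -T` to a file and pass that file to the function.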