The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

DROWN - Cross-protocol attack on TLS using SSLv2 - CVE-2016-080

Discussion in 'Security' started by majoosh, Mar 1, 2016.

  1. majoosh

    majoosh Well-Known Member

    Joined:
    Feb 18, 2006
    Messages:
    97
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    India
    #1 majoosh, Mar 1, 2016
    Last edited by a moderator: Mar 1, 2016
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Normal yum update for openssl should be the most important, but you should also ensure you have disabled sslv2 for any services you can configure (apache, ftp, email, etc.)
     
  3. Al2k

    Al2k Registered

    Joined:
    Mar 2, 2016
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    UK
    cPanel Access Level:
    Root Administrator
    Checking yum info openssl, I see that I still have 1.0.1e from the Heartbleed update, yet I saw a push from WHM to update openssl. There, can cPanel confirm that a hot fix was applied to 1.0.1e as the openSSL advisory note states to update to 1.0.1s
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    The "openssl" package is not provided or patched by cPanel, but cPanel will automatically update your system packages through YUM if you have configured it to do so via "WHM >> Update Preferences". You can use the following command to see which patches have been backported to the version of openssl installed on your system:

    Code:
    rpm -q --changelog openssl
    Thank you.
     
  5. Arun

    Arun Active Member

    Joined:
    Jan 28, 2006
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    1
    The following is from a cPanel server which was updated (11.54.0.18 - RELEASE):

    Shouldn't it be showing "CVE-2016-0800" also if it is patched?
     
  6. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider

Share This Page