Updating openssl due to security scan
First, it is surprisingly common for services to share keys.
DROWN can target your HTTPS server even if only your email server supports SSLv2, so long as the two share the same private key.
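The key-sharing exposure described above can be checked against a scan inventory. This Python sketch is an added example, not code from the original post; the record layout, host names and key fingerprints are constructed assumptions.

```python
from collections import defaultdict

# Constructed scan inventory (hypothetical hosts and key fingerprints).
# "spki" stands for the fingerprint of the public key in the served certificate.
SCAN = [
    {"host": "www.example.test", "port": 443, "protocols": {"TLSv1.2"}, "spki": "key-A"},
    {"host": "mail.example.test", "port": 25, "protocols": {"SSLv2", "TLSv1.0"}, "spki": "key-A"},
    {"host": "imap.example.test", "port": 993, "protocols": {"TLSv1.2"}, "spki": "key-A"},
    {"host": "api.example.test", "port": 443, "protocols": {"TLSv1.2"}, "spki": "key-B"},
    {"host": "legacy.example.test", "port": 443, "protocols": {"SSLv2"}, "spki": "key-C"},
]


def endpoint(record):
    return f'{record["host"]}:{record["port"]}'


def drown_exposure(records):
    """Group services by key and report every key that any service offers over SSLv2.

    For each such key: "disable_sslv2" lists the services to reconfigure, and
    "exposed_via_shared_key" lists services that do not speak SSLv2 themselves
    but use the same private key, so their sessions are exposed as well.
    """
    by_key = defaultdict(list)
    for record in records:
        by_key[record["spki"]].append(record)

    report = {}
    for spki, services in by_key.items():
        sslv2 = sorted(endpoint(s) for s in services if "SSLv2" in s["protocols"])
        if not sslv2:
            continue  # no service offers this key over SSLv2
        shared = sorted(endpoint(s) for s in services if "SSLv2" not in s["protocols"])
        report[spki] = {"disable_sslv2": sslv2, "exposed_via_shared_key": shared}
    return report


if __name__ == "__main__":
    for spki, finding in sorted(drown_exposure(SCAN).items()):
        print(f"key {spki}")
        print("  disable SSLv2 on:", ", ".join(finding["disable_sslv2"]))
        print("  exposed through key sharing:", ", ".join(finding["exposed_via_shared_key"]) or "none")
```

In the constructed data the HTTPS and IMAP services never offer SSLv2, yet both are reported because the mail server presents the same key over SSLv2.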
This is where the research truly shines: beautiful mathematical techniques reduce the number of connections to the tens of thousands, bringing the attack down to a practical level.
The researchers spent a mere US0 on the EC2 cloud platform to decrypt a victim client session in a matter of hours.
Some third-party distributions have a policy of backporting only selected security updates, without changing to a newer version, to provide stability.
Each distribution varies; you should install the updates provided by your vendor and contact them for questions about this or any other security issues.
Debian users can also track the security status of Debian releases, using Debian’s security tracker.
DROWN attacks can only target individual sessions, not the server’s key.
This reduced complexity could lead to successful real-time man-in-the-middle attacks, hijacking a session even if the client and the server would otherwise negotiate a forward-secure Diffie-Hellman ciphersuite.
The attack works against every known SSL/TLS implementation supporting SSLv2. It is, however, particularly dangerous against OpenSSL versions predating March 2015 (more on that below). But today’s release fixes a number of other vulnerabilities, and we cannot emphasize the importance of timely upgrades enough.
If you obtained OpenSSL directly from us (from https:// or from https://github.com/openssl/openssl), run the following command to find out:
If you are using the system OpenSSL provided with your Linux distribution, or obtained OpenSSL from another vendor, the version number is not a reliable indicator of the security status.