OpenSSL Vulnerability CVE-2015-0291 and Chef
// Chef Blog
Recommendation to users
OpenSSL 1.0.2 is the only version of OpenSSL vulnerable to the exploit described in CVE-2015-0291, and Chef products do not include OpenSSL 1.0.2. Chef users therefore do not need to take immediate action in response to this disclosure.
OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)
There are no Chef products that include OpenSSL 1.0.2. As a result, Chef products are not affected by the vulnerability disclosed in high severity bulletin CVE-2015-0291 (OpenSSL 1.0.2 ClientHello sigalgs DoS).
"Freak," RSA silently downgrades to EXPORT_RSA [Client]
No Chef products are configured to support export ciphers. As a result, Chef products are not affected by the vulnerability disclosed in high severity bulletin CVE-2015-0204 (RSA silently downgrades to EXPORT_RSA [Client]).
OpenSSL high severity security advisory
Chef products are not vulnerable to CVE-2015-0291 or CVE-2015-0204. Chef will include the newly released patches to OpenSSL in future releases on the previously planned product release schedule.