DSA-3446-1 (SSH vulnerability)
This is a late update, and I’m definitely sorry for being late, but I promised to write it so I have to!
Category: VyOS Platform Blog | security (3)
CVE-2015-5366, 1.1.6 maintenance release, and the new public key
1.1.6 maintenance release is available for download from the primary server (mirrors are still syncing up).
OpenSSL vulnerabilities
Multiple vulnerabilities were discovered and fixed in OpenSSL.
CVE-2015-0235
You’ve probably heard of CVE-2015-0235 already: buffer overflow in glibc gethostbyname() function allows for arbitrary code execution.
NTP vulnerability update
Squeeze-LTS team imported patches for those vulnerabilities, so it’s probably the best to take the path of least resistance and just use those.
CVE-2014-9295: arbitrary code execution in NTPd
A recently discovered vulnerability in NTPd allows remote code execution.
1.1.0 preview image update
Those who are using 1.1.0-beta can install an updated image from the build system that includes updates for the shellshock vulnerability.
1.0.5 security release
1.0.5 release images are available for download from packages.vyos.net, and soon will be available from mirrors when they sync.
bash and apt vulnerabilities
Recently discovered vulnerabilities in bash and APT are low risk for VyOS, since it doesn’t use CGI scripts written in bash and APT is not normally used for upg...
CVE-2014-4607
There is a vulnerability in LZO implementation discovered recently.
