Looks like only Fedora is safe ;)
On Mon, Aug 22, 2016 at 9:15 PM, Eric Christensen <echriste(a)redhat.com> wrote:
> This could be interesting while doing code audits and while looking for
> trouble.
>
> --Eric
>
>
> -------- Forwarded Message --------
> Subject: [oss-security] TLS testing results - OS distro vulnerabilities
> Date: Sat, 20 Aug 2016 16:50:29 +0000
> From: Mauri Miettinen <Mauri.Miettinen(a)student.oulu.fi>
> Reply-To: oss-security(a)lists.openwall.com
> To: oss-security(a)lists.openwall.com <oss-security(a)lists.openwall.com>
> CC: ouspg(a)ee.oulu.fi <ouspg(a)ee.oulu.fi>
>
> To whom it may concern,
>
> We developed a tool to check if languages and libraries verify TLS
> certificates properly.
> While testing this tool we did a shootout against supported versions of
> some major Linux distributions.
>
> Results are available from:
>
> https://github.com/ouspg/trytls/blob/shootout-0.3/shootout/README.md
>
> It seems it may be unsafe to do TLS in some of the common distros.
> E.g. the native Python version in the distros varies, and not all fixes have
> been backported. In these cases Python still doesn't always have certificate
> checking enabled by default.
>
> We have contacted Python developers about the results.
>
> https://mail.python.org/pipermail/python-dev/2016-August/145815.html
>
> They gave us a couple of good pointers on how configuration could be
> used to mitigate the issues in some of the distributions. We are afraid
> this is still a hazard where neither software developers nor users realize
> that code that works well for the developer may not be safe for the users.
>
> Would you have any other resources, advice or pointers we should
> document when communicating about this in the TryTLS project?
>
> Mauri Miettinen
>
> PS. Results have indications of weak crypto issues as well.
> _______________________________________________
> security-team mailing list
> security-team(a)lists.fedoraproject.org
> https://lists.fedoraproject.org/admin/lists/security-team@lists.fedorapro...
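
An added example, not part of the original e-mails or of the TryTLS project: a check a code auditor can run on a target interpreter to see whether the Python standard library verifies HTTPS certificates by default, plus an explicit context that verifies regardless of the distro default. The function names are hypothetical, and `insecure_context` is a constructed stand-in for a default with checking turned off.

```python
import ssl


def audit_context(ctx):
    """Return the reasons a client-side SSLContext is unsafe for HTTPS."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate chain is not verified")
    if not ctx.check_hostname:
        problems.append("hostname is not matched against the certificate")
    return problems


def audit_stdlib_default():
    """Audit the context urllib/http.client build when the caller passes none."""
    # PEP 476 hook; distro packages may point it at a non-verifying factory.
    factory = getattr(ssl, "_create_default_https_context", None)
    if factory is None:
        return ["interpreter predates PEP 476: no verification by default"]
    return audit_context(factory())


def verified_context(cafile=None):
    """Build a context that verifies no matter what the distro default is."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def insecure_context():
    """Constructed stand-in for a default with certificate checking off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    for name, found in [("stdlib default", audit_stdlib_default()),
                        ("explicit verified", audit_context(verified_context())),
                        ("constructed insecure", audit_context(insecure_context()))]:
        print(name, "->", "; ".join(found) or "verifies certificate and hostname")
```

Code that must behave the same on every distribution can pass the explicit context itself, for example `urllib.request.urlopen(url, context=verified_context())`, instead of relying on the interpreter default.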