Looks like only Fedora is safe ;)
On Mon, Aug 22, 2016 at 9:15 PM, Eric Christensen <echriste(a)redhat.com> wrote:
> This could be interesting while doing code audits and while looking for
> -------- Forwarded Message --------
> Subject: [oss-security] TLS testing results - OS distro vulnerabilities
> Date: Sat, 20 Aug 2016 16:50:29 +0000
> From: Mauri Miettinen <Mauri.Miettinen(a)student.oulu.fi>
> Reply-To: oss-security(a)lists.openwall.com
> To: oss-security(a)lists.openwall.com <oss-security(a)lists.openwall.com>
> CC: ouspg(a)ee.oulu.fi <ouspg(a)ee.oulu.fi>
> To whom it may concern,
> We developed a tool to check if languages and libraries verify TLS
> certificates properly.
> While testing this tool we did a shootout against supported versions of
> some major Linux distributions.
> Results are available from:
> It seems it may be unsafe to do TLS in some of the common distros.
> E.g. the native Python version in the distros varies, and not all fixes have
> been backported. In these cases Python still doesn't always have certificate
> checking enabled by default.
> We have contacted Python developers about the results.
> They gave us a couple of good pointers on how configuration could be
> used to mitigate the issues in some of the distributions. We are afraid
> this is still a hazard where neither software developers nor users realize
> that code that works well for the developer may not be safe for the users.
> Would you have any other resources, advice or pointers we should
> document when communicating about this in the TryTLS project?
> Mauri Miettinen
> PS. Results have indications of weak crypto issues as well.
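As an added example (not from the TryTLS project or anyone in this thread), a Python check a maintainer or developer can run on a given distro's interpreter to see whether urllib/http.client verify certificates by default, plus an explicitly verifying context for code that must not depend on that default. It relies on the private hook `ssl._create_default_https_context` that http.client uses when no context is passed; the function names and the `cafile` override are my own.

```python
import ssl
import sys
import urllib.request


def context_verifies(ctx):
    """A context only defends against a MITM if it both demands a valid
    chain and matches the certificate against the requested hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def https_default_verifies():
    """Will urllib/http.client verify when the caller passes no context?
    They build that context via ssl._create_default_https_context, which is
    absent on pre-PEP 476 interpreters (Python < 2.7.9 / 3.4.3), and which a
    distro or admin may have pointed at the unverified factory instead."""
    factory = getattr(ssl, "_create_default_https_context", None)
    if factory is None:
        return False
    return context_verifies(factory())


def unverified_context_verifies():
    """The escape hatch some code reaches for; shown only to compare."""
    return context_verifies(ssl._create_unverified_context())


def make_verifying_context(cafile=None):
    """Explicit context so correctness does not depend on the interpreter.
    cafile is a hypothetical override for a private CA; None means the
    platform trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def open_url(url, ctx=None):
    """urlopen that always verifies, whatever the default on this host is."""
    return urllib.request.urlopen(url, context=ctx or make_verifying_context())


def audit_report():
    """Summary a deployment check can log or assert on."""
    return {
        "python": ".".join(map(str, sys.version_info[:3])),
        "openssl": ssl.OPENSSL_VERSION,
        "default_https_verifies": https_default_verifies(),
    }


if __name__ == "__main__":
    print(audit_report())
    print("unverified context verifies?", unverified_context_verifies())
```

Run it under each distro's packaged Python; a `False` for `default_https_verifies` means any code calling `urlopen` without an explicit context is the case the message describes.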