An OpenSSL advisory and the "DROWN" attack

by corbet from LWN.net on (#15MP6)

The OpenSSL project has disclosed a new high-profile vulnerability. This one, known as CVE-2016-800, or "DROWN", affects servers that still have the old SSLv2 protocol enabled. Yes, it has its own domain name and logo. "DROWN allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data. Our measurements indicate 33% of all HTTPS servers are vulnerable to the attack." The solution is to just disable SSLv2 completely. Note that there are several other vulnerabilities (with a lower presumed severity) fixed in the OpenSSL 1.0.2g and 1.0.1s releases.
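
One way to audit for the fix described above, as an added example that is not from LWN or the OpenSSL project: a Python check that evaluates Apache `SSLProtocol` and nginx `ssl_protocols` directives and reports the ones that leave SSLv2 enabled. It assumes Apache 2.2-style semantics, where the `all` shortcut includes SSLv2; the function names and the sample directives are constructed for illustration.

```python
import re

# Assumption: Apache 2.2-era mod_ssl, where the "all" shortcut includes SSLv2.
APACHE_ALL = {"sslv2", "sslv3", "tlsv1"}


def apache_protocols(args):
    """Evaluate SSLProtocol tokens left to right; return enabled names (lowercase)."""
    enabled = set()
    for tok in args.lower().split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        group = APACHE_ALL if name == "all" else {name}
        if sign == "+":
            enabled |= group
        elif sign == "-":
            enabled -= group
        else:  # unsigned token: treated here as replacing the current set
            enabled = set(group)
    return enabled


def nginx_protocols(args):
    """ssl_protocols is a plain list: only the protocols it names are enabled."""
    return set(args.lower().split())


# Directive name, then its arguments up to a ';' or a trailing comment.
DIRECTIVE = re.compile(r"^\s*(SSLProtocol|ssl_protocols)\s+([^;#]+)", re.I)


def sslv2_findings(config_text):
    """Return (line_no, text) for each directive that leaves SSLv2 enabled."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(line)  # commented-out directives do not match
        if m:
            is_apache = m.group(1).lower() == "sslprotocol"
            parse = apache_protocols if is_apache else nginx_protocols
            if "sslv2" in parse(m.group(2)):
                findings.append((no, line.strip()))
    return findings


# Constructed sample directives, not taken from any real server.
SAMPLE = """SSLProtocol all
SSLProtocol all -SSLv2 -SSLv3
SSLProtocol -all +TLSv1.2
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_protocols TLSv1.1 TLSv1.2;
# SSLProtocol all
"""
```

Calling `sslv2_findings(SAMPLE)` flags lines 1 and 4 of the sample; the directives that subtract SSLv2 or never name it pass.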