
Jessie has 5 changesets on top of 1.0.1k which fix 14 CVEs:

http://anonscm.debian.org/viewvc/pkg-openssl/openssl/branche...

And similar for the other Debian versions.



Ok, is there any CVE that covers this attack / disables SSLv2?

This is rather non-transparent to me. Would be nice if somebody could give better advice on this soon.


DROWN is CVE-2016-0800. There are a lot of CVEs in OpenSSL's advisory released 10 minutes ago: https://www.openssl.org/news/secadv/20160301.txt

None are fixed yet, of course, in Debian. And not in Ubuntu either: http://changelogs.ubuntu.com/changelogs/pool/main/o/openssl/...


Actually Ubuntu is not affected because it already has SSLv2 disabled: http://people.canonical.com/~ubuntu-security/cve/2016/CVE-20...

You won't see a fix appear in the changelog because there is nothing to fix in the Ubuntu packages.



