From owner-freebsd-security@FreeBSD.ORG Thu Jan 14 23:55:25 2010
Message-ID: <4B4FA898.3090007@nlcc.us>
Date: Thu, 14 Jan 2010 17:28:24 -0600
From: Billy Newsom
To: freebsd-security@freebsd.org
Subject: OpenSSL marked deprecated?

Why is the OpenSSL port marked deprecated? No security issue, but the
port builds... no fallback to a safe alternative, no known fix? Does the
security team know?

===> Cleaning for openssl-0.9.8l_1
===> openssl-0.9.8l_1 is marked as broken: coredumps on i386 and amd64.
*** Error code 1

Maybe someone should explain this in a way we can understand? The port
maintainer or "dinoex" is responsible....
dinoex@FreeBSD.org

From the Makefile for the port:

# $FreeBSD: ports/security/openssl/Makefile,v 1.161 2010/01/12 15:43:52 dinoex Exp $

BROKEN= coredumps on i386 and amd64
DEPRECATED= has unfixed vulnerabilities
EXPIRATION_DATE=2010-01-12

Where have there been coredumps? Says who? Where? Why? How? When?
Which version? Which OS?

Billy

From owner-freebsd-security@FreeBSD.ORG Fri Jan 15 00:29:50 2010
Message-ID: <4B4FB6E7.2040208@delphij.net>
Date: Thu, 14 Jan 2010 16:29:27 -0800
From: Xin LI
To: freebsd-security@freebsd.org
References: <4B4FA898.3090007@nlcc.us>
In-Reply-To: <4B4FA898.3090007@nlcc.us>
Subject: Re: OpenSSL marked deprecated?

On 2010/01/14 15:28, Billy Newsom wrote:
> Why is the OpenSSL port marked deprecated? No security issue, but the
> port builds... no fallback to a safe alternative, no known fix? Does the
> security team know?

Please update your ports tree, you have a stale version of the port...

Cheers,
--
Xin LI http://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die

From owner-freebsd-security@FreeBSD.ORG Fri Jan 15 01:52:31 2010
Message-ID: <20100115003115.GC32381@kenyonralph.com>
Date: Thu, 14 Jan 2010 16:31:15 -0800
From: Kenyon Ralph
To: freebsd-security@freebsd.org
References: <4B4FA898.3090007@nlcc.us>
In-Reply-To: <4B4FA898.3090007@nlcc.us>
Subject: Re: OpenSSL marked deprecated?

On 2010-01-14T17:28:24-0600, Billy Newsom wrote:
> Why is the OpenSSL port marked deprecated? No security issue, but
> the port builds... no fallback to a safe alternative, no known fix?
> Does the security team know?
[...]
> Where have there been coredumps? Says who? Where? Why? How? When?
> Which version? Which OS?

There is a thread about this on freebsd-ports, but I don't know if it
answers all of your questions (yet):

http://lists.freebsd.org/pipermail/freebsd-ports/2010-January/thread.html#58899

--
Kenyon Ralph

From owner-freebsd-security@FreeBSD.ORG Fri Jan 15 12:35:08 2010
Message-ID: <4B5060DC.6020608@daenney.net>
Date: Fri, 15 Jan 2010 13:34:36 +0100
From: Daniele Sluijters
To: freebsd-security@freebsd.org
Subject: CVE-2009-4355 / openssl memory leak in SSLv3 (DoS)

Yesterday most major Linux distributions pushed an update to their
servers with a patched version of openssl concerning CVE-2009-4355.
However, I have until now been unable to find anything on the subject
(no SA or anything on VuXML) as to how this bug affects FreeBSD and if
there's a patch on its way to the upstream ports-tree.

Is there anyone who has some information on the subject?
--
Daniele Sluijters

From owner-freebsd-security@FreeBSD.ORG Sat Jan 16 00:13:45 2010
Message-ID: <4B50FF48.2070801@nixil.net>
Date: Fri, 15 Jan 2010 16:50:32 -0700
From: Phil Oleson
To: freebsd-security@freebsd.org
Subject: sendmail 8.14.4

I'm seeing this in the release notes for the latest release of sendmail,
plus a customer's PCI scan is reporting this as a problem. I know many of
these scans tend to do version string checks and don't actually check if
the problem is possible to exploit, but I just wanted your thoughts on if
this is something the security team feels it needs to deal with or not?

-Phil.

8.14.4/8.14.4 2009/12/30
    SECURITY: Handle bogus certificates containing NUL characters
        in CNs by placing a string indicating a bad certificate
        in the {cn_subject} or {cn_issuer} macro. Patch inspired
        by Matthias Andree's changes for fetchmail.
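
Added example, not part of the original post and not sendmail's code: a C sketch of the check the quoted release note describes, where a certificate CN is handled as length-delimited bytes and replaced by a marker when it contains a NUL. The function name cn_to_macro, the marker text and the sample CNs are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Placeholder marker: the release note only says "a string indicating a
 * bad certificate", so this exact text is an assumption. */
#define BAD_CN_MARKER "BAD-CN-EMBEDDED-NUL"

/*
 * Copy a certificate CN into a NUL-terminated macro value.
 * cn/cn_len are the raw bytes and the length reported by the ASN.1
 * decoder; the CN is NOT a C string and may contain 0x00 bytes.
 * Returns 0 if copied unchanged, 1 if replaced by the marker,
 * -1 if the arguments are invalid or the output buffer is too small.
 */
int cn_to_macro(const unsigned char *cn, size_t cn_len,
                char *out, size_t out_sz)
{
    if (cn == NULL || out == NULL || out_sz == 0)
        return -1;

    /* An embedded NUL means strlen()-based code would see a shorter
     * name than the one the CA actually signed: reject the whole CN. */
    if (memchr(cn, '\0', cn_len) != NULL) {
        if (sizeof(BAD_CN_MARKER) > out_sz)
            return -1;
        memcpy(out, BAD_CN_MARKER, sizeof(BAD_CN_MARKER));
        return 1;
    }

    if (cn_len >= out_sz)
        return -1;
    memcpy(out, cn, cn_len);
    out[cn_len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample CNs; lengths exclude the literal's final NUL. */
    static const unsigned char good[] = "mail.example.org";
    static const unsigned char bad[]  = "mail.example.org\0.untrusted.example";
    char macro[64];
    int rc;

    rc = cn_to_macro(good, sizeof(good) - 1, macro, sizeof(macro));
    printf("good: rc=%d cn_subject=%s\n", rc, macro);

    /* Treated as a C string, the second CN reads as the first one. */
    printf("bad as C string: %s (strlen=%zu, real length=%zu)\n",
           (const char *)bad, strlen((const char *)bad), sizeof(bad) - 1);
    rc = cn_to_macro(bad, sizeof(bad) - 1, macro, sizeof(macro));
    printf("bad: rc=%d cn_subject=%s\n", rc, macro);
    return 0;
}
```

A version-string scan cannot tell whether a given build performs this kind of check; comparing the decoder-reported length against the C-string length of the CN is the behaviour to test for.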