From: Volodymyr Kostyrko
Date: Wed, 02 May 2012 15:44:14 +0300
To: freebsd-security@freebsd.org
Cc: Robert Simmons
Subject: Re: OpenSSL and Heimdal
Message-ID: <4FA12C1E.3030102@gmail.com>

Robert Simmons wrote:
> Is there a plan to update OpenSSL to patch for CVE-2012-2131?
>
> Also, is the DOS vulnerability in libkrb5 that Heimdal 1.5.2 patches
> present in Heimdal 1.1 which shipped with 9.0-RELEASE?

I'll second this one.

1. Are there any plans on updating openssl, and why not? It's getting bad hype nowadays. And will we ever support TLS v1.[12]? The BEAST attack seems to be not so far from most of us:
https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls

2. What's with CVE-2011-1945? I've been waiting for months for just a tiny comment on this one, as, if this truly is not fixed in our source, all 9.0 installations with world-open ssh are potentially vulnerable.

3. DragonFly is much faster than we are: they have 1.0.1b on the master branch, while we have 1.0.1a in ports. They also already removed heimdal from base, and pkgsrc has 1.5.2 available, with our 1.4 present in ports.

-- 
Sphinx of black quartz judge my vow.