From owner-freebsd-security@freebsd.org Sat Dec 12 19:33:21 2015
Date: Sat, 12 Dec 2015 14:33:20 -0500
Subject: Re: java/openjdk8 and jre
From: Robert Simmons
To: Greg Lewis
Cc: Jung-uk Kim, Mark Felder, freebsd-security@freebsd.org, "ports-secteam@freebsd.org", java@freebsd.org, Greg Lewis

Hi,

It looks like there is a holdup to pushing out u66. In the mean time, can
someone mark u60 vulnerable, please?

On Tue, Nov 17, 2015 at 8:35 AM, Greg Lewis wrote:

> On Mon, Nov 16, 2015 at 02:57:47PM -0500, Jung-uk Kim wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA256
> >
> > On 11/16/15 02:52 PM, Jung-uk Kim wrote:
> > > Patches for FreeBSD ports tree are maintained by glewis and it is
> > > directly generated from public Mercurial, AFAIK.
> > >
> > > http://hg.openjdk.java.net/jdk8u/jdk8u
> >
> > and its modules:
> >
> > http://hg.openjdk.java.net/jdk8u/jdk8u/corba
> > http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot
> > http://hg.openjdk.java.net/jdk8u/jdk8u/jaxp
> > http://hg.openjdk.java.net/jdk8u/jdk8u/jaxws
> > http://hg.openjdk.java.net/jdk8u/jdk8u/jdk
> > http://hg.openjdk.java.net/jdk8u/jdk8u/langtools
> > http://hg.openjdk.java.net/jdk8u/jdk8u/nashorn
>
> That is correct.  I'm a little behind since my diff generating script
> didn't cope with 8u66 terribly well.  I'll see if I can generate a
> good diff for it today.
>
> --
> Greg Lewis                          Email   : glewis@eyesbeyond.com
> Eyes Beyond                         Web     : http://www.eyesbeyond.com
> Information Technology              FreeBSD : glewis@FreeBSD.org
>

From owner-freebsd-security@freebsd.org Sat Dec 12 18:32:55 2015
From: bugzilla-noreply@freebsd.org
To: freebsd-security@FreeBSD.org
Subject: [Bug 201446] Server name indication (sni) is not supported in base OpenSSL
Date: Sat, 12 Dec 2015 18:32:54 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Product: Base System
X-Bugzilla-Component: standards
X-Bugzilla-Version: 10.1-RELEASE
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: darkkiller@gmail.com
X-Bugzilla-Status: Open
X-Bugzilla-Priority: Normal
X-Bugzilla-Assigned-To: apache@FreeBSD.org
X-Bugzilla-Changed-Fields: cc
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201446

Gea-Suan Lin changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |darkkiller@gmail.com

--- Comment #10 from Gea-Suan Lin ---
This bug affects curl too, not just openssl cli itself.

gslin@FreeBSD [~] [02:22] uname -a
FreeBSD FreeBSD.cs.nctu.edu.tw 9.3-RELEASE-p30 FreeBSD 9.3-RELEASE-p30 #0: Mon Nov 2 10:11:50 UTC 2015 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
gslin@FreeBSD [~] [02:22] curl -v https://i.kfs.io/robots.txt
*   Trying 118.214.255.182...
* Connected to i.kfs.io (118.214.255.182) port 443 (#0)
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* TLSv1.0 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* TLSv1.0 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

--
You are receiving this mail because:
You are on the CC list for the bug.