From owner-freebsd-security@freebsd.org Fri Dec 11 11:48:12 2020 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 1E7A84AC8C5 for ; Fri, 11 Dec 2020 11:48:12 +0000 (UTC) (envelope-from martin@lispworks.com) Received: from mail.lispworks.com (mail.lispworks.com [46.17.166.21]) by mx1.freebsd.org (Postfix) with ESMTP id 4CspvH2q86z3j7S for ; Fri, 11 Dec 2020 11:48:11 +0000 (UTC) (envelope-from martin@lispworks.com) Received: from higson.cam.lispworks.com (higson.cam.lispworks.com [192.168.1.7]) by lwfs1-cam.cam.lispworks.com (8.15.2/8.15.2) with ESMTP id 0BBBm72q069995; Fri, 11 Dec 2020 11:48:07 GMT (envelope-from martin@lispworks.com) Received: from higson.cam.lispworks.com (localhost.localdomain [127.0.0.1]) by higson.cam.lispworks.com (8.14.4) id 0BBBm76U012384; Fri, 11 Dec 2020 11:48:07 GMT Received: (from martin@localhost) by higson.cam.lispworks.com (8.14.4/8.14.4/Submit) id 0BBBm7uw012149; Fri, 11 Dec 2020 11:48:07 GMT Date: Fri, 11 Dec 2020 11:48:07 GMT Message-Id: <202012111148.0BBBm7uw012149@higson.cam.lispworks.com> From: Martin Simmons To: freebsd-security@freebsd.org In-reply-to: <20201209230300.03251CA1@freefall.freebsd.org> (message from FreeBSD Security Advisories on Wed, 9 Dec 2020 23:03:00 +0000 (UTC)) Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl References: <20201209230300.03251CA1@freefall.freebsd.org> X-Rspamd-Queue-Id: 4CspvH2q86z3j7S X-Spamd-Bar: ++ Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=none (mx1.freebsd.org: domain of martin@lispworks.com has no SPF policy when checking 46.17.166.21) smtp.mailfrom=martin@lispworks.com X-Spamd-Result: default: False [2.00 / 15.00]; ARC_NA(0.00)[]; RBL_DBL_DONT_QUERY_IPS(0.00)[46.17.166.21:from]; FREEFALL_USER(0.00)[martin]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; NEURAL_SPAM_SHORT(1.00)[1.000]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; DMARC_NA(0.00)[lispworks.com]; AUTH_NA(1.00)[]; RCPT_COUNT_ONE(0.00)[1]; SPAMHAUS_ZRD(0.00)[46.17.166.21:from:127.0.2.255]; RCVD_COUNT_THREE(0.00)[3]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_SPAM_LONG(1.00)[1.000]; RCVD_IN_DNSWL_NONE(0.00)[46.17.166.21:from]; R_SPF_NA(0.00)[no SPF record]; RCVD_NO_TLS_LAST(0.10)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:51055, ipnet:46.17.166.0/24, country:GB]; MAILMAN_DEST(0.00)[freebsd-security] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Dec 2020 11:48:12 -0000 >>>>> On Wed, 9 Dec 2020 23:03:00 +0000 (UTC), FreeBSD Security Advisories said: > > Note: The OpenSSL project has published publicly available patches for > versions included in FreeBSD 12.x. This vulnerability is also known to > affect OpenSSL versions included in FreeBSD 11.4. However, the OpenSSL > project is only giving patches for that version to premium support contract > holders. The FreeBSD project does not have access to these patches and > recommends FreeBSD 11.4 users to either upgrade to FreeBSD 12.x or leverage > up to date versions of OpenSSL in the ports/pkg system. The FreeBSD Project > may update this advisory to include FreeBSD 11.4 should patches become > publicly available. I see that Ubuntu have backported this (see 1.0.2n-1ubuntu5.5 in https://launchpad.net/ubuntu/+source/openssl1.0). __Martin