Message-ID: <550092DD.9030808@freebsd.org>
Date: Wed, 11 Mar 2015 12:09:17 -0700
From: Julian Elischer
To: Dan Lukes, Paul Hoffman, freebsd security
Cc: current@freebsd.com
Subject: Re: sendmail broken by libssl in current
References: <54FFE774.50103@freebsd.org> <6BD2AE7F-8EC5-4EBC-A183-E03EC54456BC@vpnc.org> <55005753.3070306@obluda.cz>
In-Reply-To: <55005753.3070306@obluda.cz>

On 3/11/15 7:55 AM, Dan Lukes wrote:
> Paul Hoffman wrote:
>> Can you say which email servers *other* than unpatched Ironport fail?
>> Cisco has known about this for many months; see
> Note that Bug CSCuo25276 is considered duplicate of the bug CSCuo25329.
>
>> If that's true (I can't confirm), why would we want to do a patch to our core crypto?
> Good question. The following should be taken into consideration.
>
> According to CSCuo25329, the issue has been fixed on Mar 2, 2015 in
> 8.0.2-055 and 8.5.6-063 release of Cisco Email Security Appliance.
>
> There are three known affected releases only - 8.0.1-023, 8.5.0-473,
> 8.5.5-280

Well, my problem is that I don't know what the other ends are running exactly, but they are pretty big institutions: Commonwealth Bank of Australia, and Western Australian department of Education (which shares infrastructure with the rest of the government, so I might as well just say "state of Western Australia").

I don't contact a LOT of large institutions, so given that I had two failures over a small sample, and that the documents in each case were very important, I think it's worth some sort of action. Big institutions don't take updates that often, so it's hard to know when they will update their mail appliances. (They may also not be ironport appliances, I just know those are susceptible.)

Since the change is coming in on the next sendmail anyhow, I see no reason to not take it.

Julian

>
> Dan