From: Lowell Gilbert
To: gabriel_ambuehl@buz.ch
cc: questions@freebsd.org
Date: 02 Oct 2003 10:59:15 -0400
Subject: Re: Re[2]: openssl ASN bug?
Message-ID: <444qyrsn24.fsf@be-well.ilk.org>
In-Reply-To: <12973598421.20031002163711@buz.ch>
References: <9272442000.20031002161755@buz.ch> <44he2rso7b.fsf@be-well.ilk.org> <12973598421.20031002163711@buz.ch>

gaml@buz.ch writes:

> Hello Lowell,
>
> Thursday, October 2, 2003, 4:34:32 PM, you wrote:
>
> > Gabriel Ambuehl writes:
>
> >> There was a security advisory about openssl <0.9.7b having a bug in
> >> the ASN encoding code on 30th Sept 03 and now I'm wondering what to do
> >> about it? Install the port? Wait some more and do another cvsup
> >> (currently, nothing shows up in UPDATING)?
>
> > The security officer announced (on the 30th) that he was going to
> > import 0.9.7c "over the next few days".  That's complete, but there
> > hasn't been an announcement or FreeBSD SA release.
>
> So I can cvsup as of today and be safe, right?

So you can cvsup as of today and get openssl 0.9.7c.  Whether that
constitutes "safe," you'd have to ask the security officer.  Note that
this bug does *not* open your machine up to remote compromise.