Date:      Sun, 13 Jul 2008 17:42:30 -0700
From:      Doug Barton <dougb@FreeBSD.org>
To:        "Simon L. Nielsen" <simon@FreeBSD.org>
Cc:        freebsd-security@freebsd.org
Subject:   Re: OpenSSL warning from dns/bind95 build...?
Message-ID:  <487AA0F6.1010801@FreeBSD.org>
In-Reply-To: <20080713222344.GB15766@zaphod.nitro.dk>
References:  <DEB25E89-7447-4EA0-8800-23897C593756@mac.com> <20080713222344.GB15766@zaphod.nitro.dk>

Simon L. Nielsen wrote:
> On 2008.07.11 13:14:09 -0700, Chuck Swiger wrote:
> 
> [quote edited to contain important part]
> 
>>> WARNING         Your OpenSSL crypto library may be vulnerable to
>>> WARNING         one or more of the following known security
>>> WARNING         flaws:
>>> WARNING
>>> WARNING         CAN-2002-0659, CAN-2006-4339, CVE-2006-2937 and
>>> WARNING         CVE-2006-2940.
>>> WARNING
> [...]
>> Is the version of OpenSSL now included with RELENG_6 (OpenSSL 0.9.7e-p1)
>> OK, or is it at risk as reported?
> 
> Just so there is no doubt - the base system OpenSSL isn't actually
> vulnerable to those issues.  They were fixed in SA-02:33.openssl,
> FreeBSD-SA-06:19.openssl, and FreeBSD-SA-06:23.openssl.
> 
> The BIND build system just has no way to see this since they were
> patched instead of upgraded.

... hence the false economy of not doing a "standard" upgrade of the 
version in the base. :) It's nice to know that for the particular set 
of problems listed in this version of BIND's warning message our users 
should not be at risk though.

I used the ports openssl on my 6-stable boxes without problems, but I 
did not have that many ports installed, and I nuked the base openssl 
first. YMMV.

Doug

-- 

     This .signature sanitized for your protection
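The false positive Simon describes above, in runnable form: a check that compares only the upstream OpenSSL version number cannot see fixes a vendor backported under the same version. This is an added example, not code from the thread, from BIND's configure script or from FreeBSD. The per-branch fix releases in FIXED_IN are this example's own assumption (0.9.7k/0.9.8c for CVE-2006-4339, 0.9.7l/0.9.8d for CVE-2006-2937 and CVE-2006-2940, as published in the 2006 OpenSSL advisories); VENDOR_BACKPORTS is a constructed table holding only what the thread says about the RELENG_6 base OpenSSL; parse_version, upstream_check and vendor_aware_check are hypothetical names.

```python
"""Version-number vulnerability check vs. a vendor-aware one (added example)."""
import re
from typing import Dict, Optional, Set, Tuple

# Upstream fix release per branch, as assumed for this example. Fixes land
# separately on each stable branch, so a single threshold would wrongly pass
# 0.9.8b while flagging 0.9.7e; keep one entry per branch.
FIXED_IN: Dict[str, Dict[Tuple[int, int, int], str]] = {
    "CVE-2006-4339": {(0, 9, 7): "0.9.7k", (0, 9, 8): "0.9.8c"},
    "CVE-2006-2937": {(0, 9, 7): "0.9.7l", (0, 9, 8): "0.9.8d"},
    "CVE-2006-2940": {(0, 9, 7): "0.9.7l", (0, 9, 8): "0.9.8d"},
}

# Constructed vendor table: CVEs whose fixes a vendor backported into a build,
# keyed by the full vendor version string. The only entry is what the thread
# states about the FreeBSD RELENG_6 base OpenSSL; the table format is hypothetical.
VENDOR_BACKPORTS: Dict[str, Set[str]] = {
    "0.9.7e-p1": {"CVE-2006-4339", "CVE-2006-2937", "CVE-2006-2940"},
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-(\S+))?$")


def parse_version(text: str) -> Tuple[Tuple[int, int, int, int], Optional[str]]:
    """Split '0.9.7e-p1' into ((0, 9, 7, 5), 'p1').

    The patch letter becomes a number so tuples compare naturally
    ('' -> 0, 'a' -> 1, ...). The vendor suffix is kept apart: upstream
    ordering says nothing about which fixes it carries.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    major, minor, fix, letter, suffix = m.groups()
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(fix), patch), suffix


def upstream_check(version: str) -> Set[str]:
    """The naive check: flag every CVE whose upstream fix is newer than us."""
    nums, _suffix = parse_version(version)
    branch = nums[:3]
    flagged: Set[str] = set()
    for cve, per_branch in FIXED_IN.items():
        fixed = per_branch.get(branch)
        if fixed is None:
            continue  # branch not in the table; a real tool should report "unknown"
        if nums < parse_version(fixed)[0]:
            flagged.add(cve)
    return flagged


def vendor_aware_check(version: str) -> Set[str]:
    """Same comparison, minus the fixes the vendor says it backported."""
    return upstream_check(version) - VENDOR_BACKPORTS.get(version, set())


if __name__ == "__main__":
    for v in ("0.9.7e-p1", "0.9.7e", "0.9.7l", "0.9.8b"):
        print(f"{v:10} upstream={sorted(upstream_check(v))} "
              f"vendor-aware={sorted(vendor_aware_check(v))}")
```

Run as-is and the base-system version 0.9.7e-p1 is flagged for all three CVEs by the upstream comparison and for none by the vendor-aware one; the same version without the -p1 suffix stays flagged, and 0.9.8b is caught only because the table is per branch. The vendor table is the part that has to come from somewhere authoritative (the SA list, or a package database that records backports); without it, a version-only check like the one in the BIND warning is the best the build system can do.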