Date: Fri, 02 Aug 2002 11:37:46 -0500
From: Oscar Ricardo Silva <oscars@mail.utexas.edu>
To: questions@freebsd.org
Subject: openssl vulnerability, openssh trojan - will patches be incorporated in 4.6.1
Message-ID: <5.1.0.14.2.20020802113236.01a2ba58@mail.utexas.edu>

I know that 4.6.1 was being created to address some of the vulnerabilities announced at the time:

    apache openssh bind libraries

At the risk of advocating feature creep ... what about the recent openssl vulnerability? I know 4.6.1 hasn't been released yet (RC2 last I looked), but might it be worthwhile to include the latest openssl patches in 4.6.1? Or will there be a 4.6.2 (or some other number)?

The reason I'm even asking is that the bind and openssl vulnerabilities can't be fixed with a simple patch. Any binary that is statically linked to either library in these systems will need to be recompiled. So we can install 4.6.1 and be safe with the bind libraries (although I haven't heard of an exploit) but still be vulnerable because of openssl (for which, in the security announcement, exploits have been seen).

Oscar

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message