Date: Fri, 02 Aug 2002 11:37:46 -0500
From: Oscar Ricardo Silva
To: questions@freebsd.org
Subject: openssl vulnerability, openssh trojan - will patches be incorporated in 4.6.1
Message-Id: <5.1.0.14.2.20020802113236.01a2ba58@mail.utexas.edu>

I know that 4.6.1 was being created to address some of the vulnerabilities announced at the time:

apache
openssh
bind libraries

At the risk of advocating feature creep ... what about the recent openssl vulnerability? I know 4.6.1 hasn't been released yet (RC2 last I looked), but might it be worthwhile to include the latest openssl patches in 4.6.1? Or will there be a 4.6.2 (or some other number)?

The reason I'm even asking is that the bind and openssl vulnerabilities can't be fixed with a simple patch. Any binary that is statically linked to either library in these systems will need to be recompiled.
So we can install 4.6.1 and be safe with the bind libraries (although I haven't heard of an exploit) but still be vulnerable because of openssl (for which in the security announcement, exploits have been seen).

Oscar