From: Chuck Swiger
To: freebsd-security@freebsd.org
Cc: Doug Barton
Date: Fri, 11 Jul 2008 13:14:09 -0700
Subject: OpenSSL warning from dns/bind95 build...?

Hi, all--

Apropos of this security issue with BIND, I just tried updating a FreeBSD-6.3-STABLE system with dns/bind95, and it loudly complains about the OpenSSL version which comes with the system:

> [ ... ]
> config.status: creating include/isc/platform.h
> config.status: creating config.h
> WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
> WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
> WARNING                                                                 WARNING
> WARNING         Your OpenSSL crypto library may be vulnerable to        WARNING
> WARNING         one or more of the the following known security         WARNING
> WARNING         flaws:                                                  WARNING
> WARNING                                                                 WARNING
> WARNING         CAN-2002-0659, CAN-2006-4339, CVE-2006-2937 and         WARNING
> WARNING         CVE-2006-2940.                                          WARNING
> WARNING                                                                 WARNING
> WARNING         It is recommended that you upgrade to OpenSSL           WARNING
> WARNING         version 0.9.8d/0.9.7l (or greater).                     WARNING
> WARNING                                                                 WARNING
> WARNING         You can disable this warning by specifying:             WARNING
> WARNING                                                                 WARNING
> WARNING               --disable-openssl-version-check                   WARNING
> WARNING                                                                 WARNING
> WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
> WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
> ===> Building for bind95-base-9.5.0.1

Is the version of OpenSSL now included with RELENG_6 (OpenSSL 0.9.7e-p1) OK, or is it at risk as reported?

Regards,
-- 
-Chuck