From owner-freebsd-security@freebsd.org Tue Nov 21 23:31:12 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id F0679DBACF7 for ; Tue, 21 Nov 2017 23:31:12 +0000 (UTC) (envelope-from list_freebsd@bluerosetech.com) Received: from echo.brtsvcs.net (echo.brtsvcs.net [208.111.40.118]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id DFE433D55 for ; Tue, 21 Nov 2017 23:31:12 +0000 (UTC) (envelope-from list_freebsd@bluerosetech.com) Received: from chombo.houseloki.net (c-73-240-250-185.hsd1.or.comcast.net [73.240.250.185]) by echo.brtsvcs.net (Postfix) with ESMTPS id A2E6F38D05 for ; Tue, 21 Nov 2017 15:31:06 -0800 (PST) Received: from [IPv6:fe80::7102:4df8:1f13:5c55] (unknown [IPv6:fe80::7102:4df8:1f13:5c55]) by chombo.houseloki.net (Postfix) with ESMTPSA id 308EBBC8 for ; Tue, 21 Nov 2017 15:31:05 -0800 (PST) To: freebsd-security@freebsd.org From: Mel Pilgrim Subject: Why no update of base/ports openssl for recent CVEs? Message-ID: <9a41694c-fffb-e58c-5946-abbc99160fb4@bluerosetech.com> Date: Tue, 21 Nov 2017 15:31:06 -0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 21 Nov 2017 23:31:13 -0000 OpenSSL 1.0.2 before 1.0.2m (ports and 11.x base) are affected by CVE-2017-3735 and CVE-2017-3736, the most recent reported on 2 November. Why hasn't an SA and update for base been released, or security/openssl been updated?