Date:      Sun, 17 May 2015 23:28:55 +0200
From:      Dan Lukes <dan@obluda.cz>
To:        freebsd-security@freebsd.org
Subject:   Re: Forums.FreeBSD.org - SSL Issue?
Message-ID:  <55590817.1030507@obluda.cz>
In-Reply-To: <1431894012.1947726.271026057.54BB4786@webmail.messagingengine.com>
References:  <CACRVPYOALi-V8D34zeJTYdSwHshYrqtttqVV3=aP8Yb6ZAxfyg@mail.gmail.com> <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <F2460C80-969A-46DF-A44F-6C3D381ABDC3@patpro.net> <5554879D.7060601@obluda.cz> <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> <5556E5DC.7090809@obluda.cz> <1431894012.1947726.271026057.54BB4786@webmail.messagingengine.com>

On 05/17/15 22:20, Mark Felder:
> You're not understanding the situation: the vulnerability isn't in
> OpenSSL; it's a design flaw / weakness in the protocol.

Sorry, my English seems to be so poor that you don't understand my very
simple question. You are still answering other questions I didn't ask.

Last attempt. I will try to make the question as simple as possible. If it
does not help I will become silent.

The TLS 1.0 *protocol* is buggy, a new protocol has been implemented in a new
version of OpenSSL, but that version will not be imported into FreeBSD 9
because of ABI incompatibility. Instead, the old version of OpenSSL and the
vulnerable protocol are still used by base system libraries and
utilities. So the base system IS affected by a known vulnerability.

Thus I'm asking.

If TLS 1.0 is considered a severe security issue AND system utilities are
using it, why is there no Security Advisory describing this system
vulnerability?


Dan



