Message-ID: <55590817.1030507@obluda.cz>
Date: Sun, 17 May 2015 23:28:55 +0200
From: Dan Lukes
To: freebsd-security@freebsd.org
Subject: Re: Forums.FreeBSD.org - SSL Issue?
In-Reply-To: <1431894012.1947726.271026057.54BB4786@webmail.messagingengine.com>

On 05/17/15 22:20, Mark Felder:
> You're not understanding the situation: the vulnerability isn't in
> OpenSSL; it's a design flaw / weakness in the protocol.

Sorry, my English seems to be so poor that you don't understand my very simple question. You are still answering other questions I didn't ask.

Last attempt. I will try to make the question as simple as possible. If it will not help I will become silent.

The TLS 1.0 *protocol* is buggy, a new protocol has been implemented in a new version of OpenSSL, but such a version will not be imported into FreeBSD 9 because of ABI incompatibility. Instead, the old version of OpenSSL and the vulnerable protocol are still used by base system libraries and utilities. So the base system IS affected by a known vulnerability.

Thus I'm asking. If TLS 1.0 is considered a severe security issue AND system utilities are using it, why is there no Security Advisory describing this system vulnerability?

Dan