Date:      Wed, 4 Sep 2024 09:31:21 -0400
From:      mike tancsa <mike@sentex.net>
To:        "Wall, Stephen" <stephen.wall@redcom.com>, "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject:   Re: OpenSSL Security Advisory (fwd)
Message-ID:  <69b5814d-20a9-4142-8a4c-81ba04936502@sentex.net>
In-Reply-To: <MW4PR09MB9284CF613B5C1BB155D03A13EE9C2@MW4PR09MB9284.namprd09.prod.outlook.com>
References:  <20240903155326.C282E207@slippy.cwsent.com> <MW4PR09MB9284CF613B5C1BB155D03A13EE9C2@MW4PR09MB9284.namprd09.prod.outlook.com>


On 9/4/2024 9:27 AM, Wall, Stephen wrote:
>>> Possible denial of service in X.509 name checks (CVE-2024-6119)
>> Is this something we need to concern ourselves with?
> Since no one else is chiming in, I'll provide my feeble thoughts.  As I read it, it primarily affects outgoing TLS connections.  I.e., curl, wget, et al, and possibly (and more importantly IMO) apache/nginx proxying to another server.  Speculating here: this could affect high volume web services where security is enough of a concern that the operators have enabled certificate name checks.
>
> As a commercial user of FreeBSD with security conscious customers, I would certainly like to see it fixed in a FreeBSD patch release, but in all honesty we could easily enough apply the openssl patches to our FreeBSD source tree ourselves.

It seems to be worked on.  The fix is already in the tree as of yesterday.
https://cgit.freebsd.org/src/commit/?id=fbd465f263400d3bc6c1a5c30857a76738c64396

I imagine there will be an SA in the near future.

     ---Mike
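The thread above comes down to two questions for an operator: does this build of OpenSSL carry the fix, and does the client actually take the X.509 name-check path that the advisory describes? The following is an added example, not code from the thread, FreeBSD or the OpenSSL project. It assumes the version information published in the OpenSSL advisory of 3 September 2024 (the 3.0 to 3.3 series affected; first fixed releases 3.0.15, 3.1.7, 3.2.3 and 3.3.2; the 1.1.1 and 1.0.2 series not affected), and it parses the banner printed by `openssl version`. One caveat for FreeBSD base-system builds and other vendor packages: a fix can be merged without the banner changing, so treat a "not fixed" verdict from the banner as a prompt to check the vendor's commit or advisory rather than as proof of exposure.

```python
"""Decide whether a TLS client is exposed to CVE-2024-6119.

Added example, not part of the mailing-list thread. Assumes the affected and
fixed versions from the OpenSSL advisory of 3 September 2024 (assumption,
not stated on the page): OpenSSL 3.0 to 3.3 affected, fixed in 3.0.15,
3.1.7, 3.2.3 and 3.3.2; 1.1.1 and 1.0.2 unaffected.
"""
import re
import ssl

# First patched release per affected minor series (assumption: OpenSSL advisory).
FIXED_PATCH = {(3, 0): 15, (3, 1): 7, (3, 2): 3, (3, 3): 2}

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(banner):
    """Return (major, minor, patch) from an `openssl version` banner."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    return tuple(int(x) for x in m.groups())


def fixed_for_cve_2024_6119(banner):
    """True if this OpenSSL build does not carry CVE-2024-6119.

    Series outside 3.0..3.3 are treated as unaffected (1.x predates the bug;
    3.4 and later were cut after the fix). Inside an affected series the
    patch level is compared with the first fixed release. A vendor build may
    carry the fix without a version bump, so False means "check further",
    not "confirmed vulnerable".
    """
    major, minor, patch = parse_openssl_version(banner)
    first_fixed = FIXED_PATCH.get((major, minor))
    if first_fixed is None:
        return True
    return patch >= first_fixed


def make_client_context(verify_names):
    """Build a client context with or without certificate name checks.

    With verify_names=True this is the stock default context: the peer
    certificate is required and its names are matched against the hostname,
    which is exactly the code path the advisory concerns. With False the
    context neither verifies the chain nor matches names (check_hostname
    must be cleared before verify_mode can be set to CERT_NONE).
    """
    ctx = ssl.create_default_context()
    if not verify_names:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def client_performs_name_checks(ctx):
    """True if the context takes the X.509 name-check path on connect."""
    return bool(ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname)


def exposure(banner, ctx):
    """Combine the build check and the context check into one verdict."""
    if not client_performs_name_checks(ctx):
        return "not exposed: no certificate name checks"
    if fixed_for_cve_2024_6119(banner):
        return "not exposed: OpenSSL build carries the fix"
    return "exposed: name checks enabled on an unfixed OpenSSL"


if __name__ == "__main__":
    # Constructed banner for illustration, then the one this interpreter links.
    verifying = make_client_context(verify_names=True)
    print(exposure("OpenSSL 3.0.14 4 Jun 2024", verifying))
    print(exposure(ssl.OPENSSL_VERSION, verifying))
```

The second check is the one Stephen's reply points at: `ssl.create_default_context()` verifies names by default, so a Python client (and likewise curl, a proxying nginx or apache with name verification enabled) is in the affected population, while a client that has switched verification off never reaches the name-matching code. Run `openssl version` on the host and feed the banner to `exposure()`, then confirm a "not fixed" result against the vendor's advisory before acting on it.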
