From owner-freebsd-security@FreeBSD.ORG Sun May 17 22:00:12 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 06F6C202 for ; Sun, 17 May 2015 22:00:12 +0000 (UTC) Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id CA88613A6 for ; Sun, 17 May 2015 22:00:11 +0000 (UTC) Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailout.nyi.internal (Postfix) with ESMTP id 5F95F207C1 for ; Sun, 17 May 2015 18:00:10 -0400 (EDT) Received: from web3 ([10.202.2.213]) by compute2.internal (MEProxy); Sun, 17 May 2015 18:00:10 -0400 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=flUgMVcpSFiKy8O jZdIDBPtk+Vo=; b=TlE57qnquez78FaJDHOPnImxQdF1mg5Hhu9Q1BVRJL3huWn ShG5txtovWj9/AK0W2sNQ2at3ZIIbzvu0BkX3e7cPM55xUR1WXSizUezrvL+Tkck GoFjT2CkFXLyjaDMJu3nTpcZNJ+nzIFFP/mpYT/+5mTAhv97WuFSSP0uxBhQ= Received: by web3.nyi.internal (Postfix, from userid 99) id 2C145101927; Sun, 17 May 2015 18:00:10 -0400 (EDT) Message-Id: <1431900010.1965646.271069369.67E0F082@webmail.messagingengine.com> X-Sasl-Enc: Pop7Mjgt+PPqW86zyitIQW/GoH5xAzoB5IhrvVRe/9rh 1431900010 From: Mark Felder To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface - ajax-e7ca9928 In-Reply-To: <55590817.1030507@obluda.cz> References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <5554879D.7060601@obluda.cz> <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> <5556E5DC.7090809@obluda.cz> <1431894012.1947726.271026057.54BB4786@webmail.messagingengine.com> <55590817.1030507@obluda.cz> Subject: Re: Forums.FreeBSD.org - SSL Issue? Date: Sun, 17 May 2015 17:00:10 -0500 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 17 May 2015 22:00:12 -0000 On Sun, May 17, 2015, at 16:28, Dan Lukes wrote: > On 05/17/15 22:20, Mark Felder: > > You're not understanding the situation: the vulnerability isn't in > > OpenSSL; it's a design flaw / weakness in the protocol. > > Sorry, my English seems to be so poor so you don't understand my very > simple question. You are still answering other questions I didn't asked. > > Last attempt. I will try ti make question as simple as possible. If it > will not help I will become silent. > > TLS 1.0 *protocol* is buggy, new protocol has been implemented in new > version of OpenSSL, but such version will not be imported into FreeBSD 9 > because of ABI incompatibility. Instead old version of OpenSSL and > vulnerable protocol is still used by base system libraries and > utilities. So base system IS affected by known vulnerability. > > Thus I'm asking. > > If TLS 1.0 is considered severe security issue AND system utilities are > using it, why there is no Security Advisory describing this system > vulnerability ? > It's not a vulnerability in software, it's weakness in the protocol design. By your logic we should have SAs for all of the following in the base system: hashes: MD5 SHA1 default passwd hash in FreeBSD 8: md5crypt (though phk did request a CVE to help usher its death) any openssl cipher using the following: MD5 SHA1 DES 3DES IDEA I'm sure there are even more examples. None of these problems fit the definition required to issue an SA. They're just a violation of widely-accepted Best Current Practices.