From: Eirik Øverby
Date: Wed, 21 Apr 2010 07:55:14 +0200
To: Tim Gustafson
Cc: Dag-Erling Smørgrav, freebsd-security@freebsd.org
Subject: Re: OpenSSL 0.9.8k -> 0.9.8l

On Apr 21, 2010, at 7:23 AM, Tim Gustafson wrote:

>> RELENG_8_0 is 8.0 + critical bug fixes.
>
>> From what I gather, the exploits in 0.9.8k are pretty serious. :\
>
>> If you're not too pressed for time, 8.1 is "only" a couple of
>> months away and will hopefully ship with 0.9.8n which is what
>> we currently have in head.
>
> Well, we may have to wait, or maybe update to RELENG_8 and cross our fingers. :)

It is a misconception to think that one _has to_ run the latest version (as suggested by dumb network scans) in order to remain compliant (PCI DSS or otherwise). What is needed is that the issues found are either patched or documented to be not applicable.

All current OpenSSL issues in the versions shipping with RELENG_8_0 have, to my knowledge, been fixed by the secteam or do not apply to FreeBSD.

/Eirik

> Tim Gustafson
> Baskin School of Engineering
> UC Santa Cruz
> tjg@soe.ucsc.edu
> 831-459-5354