Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 25 Aug 2021 08:35:54 -0700
From:      Gordon Tetlow <gordon@tetlows.org>
To:        mike tancsa <mike@sentex.net>
Cc:        freebsd-security <freebsd-security@freebsd.org>
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-21:16.openssl
Message-ID:  <7137A3E8-7B53-452B-8187-9F873A68A228@tetlows.org>
In-Reply-To: <c63f05fa-b710-e577-845e-c019c08de4df@sentex.net>
References:  <20210824205300.305BF72EF@freefall.freebsd.org> <44434c22-51c6-92cb-c9de-60fae4764347@sentex.net> <A032A5CA-9FF3-4DBE-A4AD-8AE20B48544D@tetlows.org> <c63f05fa-b710-e577-845e-c019c08de4df@sentex.net>
next in thread | previous in thread | raw e-mail | index | archive | help 

> On Aug 25, 2021, at 8:32 AM, mike tancsa <mike@sentex.net> wrote:
>=20
> On 8/25/2021 11:22 AM, Gordon Tetlow wrote:
>> Hi All,
>>>    Was reading the original advisory at
>>> =
https://www.google.com/url?q=3Dhttps://www.google.com/url?q%3Dhttps://www.=
openssl.org/news/secadv/20210824.txt%26source%3Dgmail-imap%26ust%3D1630497=
552000000%26usg%3DAOvVaw21BGr3aGIh9CKIH3efYzY4&source=3Dgmail-imap&ust=3D1=
630510336000000&usg=3DAOvVaw1DOZPIolrilgltIWdl61D6 and it says
>>>=20
>>> "OpenSSL versions 1.0.2y and below are affected by this =
[CVE-2021-3712]
>>> issue."
>>>=20
>>> Does it not then impact RELENG11 ?
>>>=20
>>> % openssl version
>>> OpenSSL 1.0.2u-freebsd  20 Dec 2019
>>>=20
>>> I know RELENG_11 support ends in about a month, but should it not be
>>> flagged ?
>> As we don't have a support contract with OpenSSL to get access to =
1.0.2 patches, we could only roll the 1.1.1 patches.
>=20
> Hi Gordon,
>=20
>     I was thinking more in terms of just a mention that RELENG_11 is
> indeed vulnerable, no ?

I hear you. We don't really have a way of doing that with our existing =
SA setup. It's oriented to releasing patches; it is not equipped to =
notify users of vulnerabilities that we do not have a patch for. Let me =
think on how we might support such a thing and discuss with the team.

Thanks,
Gordon=

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?7137A3E8-7B53-452B-8187-9F873A68A228>