From owner-freebsd-security@FreeBSD.ORG Wed Mar 11 14:55:33 2015
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by hub.freebsd.org (Postfix) with ESMTPS id 176F8B89
	for ; Wed, 11 Mar 2015 14:55:33 +0000 (UTC)
Received: from fw.ax.cz (fw.ax.cz [IPv6:2a00:1aa8:1:1000::2])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id 9B6A4986
	for ; Wed, 11 Mar 2015 14:55:32 +0000 (UTC)
Received: from [172.20.1.29] (host10.hide.ax.cz [172.20.1.29])
	by fw.ax.cz (8.14.5/8.14.5) with ESMTP id t2BEtOBv099620;
	Wed, 11 Mar 2015 15:55:26 +0100 (CET)
	(envelope-from dan@obluda.cz)
Message-ID: <55005753.3070306@obluda.cz>
Date: Wed, 11 Mar 2015 15:55:15 +0100
From: Dan Lukes
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:35.0) Gecko/20100101 Firefox/35.0 SeaMonkey/2.32.1
MIME-Version: 1.0
To: Paul Hoffman , freebsd security
Subject: Re: sendmail broken by libssl in current
References: <54FFE774.50103@freebsd.org> <6BD2AE7F-8EC5-4EBC-A183-E03EC54456BC@vpnc.org>
In-Reply-To: <6BD2AE7F-8EC5-4EBC-A183-E03EC54456BC@vpnc.org>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: current@freebsd.com
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: "Security issues [members-only posting]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 11 Mar 2015 14:55:33 -0000

Paul Hoffman wrote:
> Can you say which email servers *other* than unpatched Ironport fail?
> Cisco has known about this for many months; see

Note that Bug CSCuo25276 is considered a duplicate of bug CSCuo25329.

> If that's true (I can't confirm), why would we want to do a patch to our core crypto?

Good question.
The following should be taken into consideration. According to CSCuo25329, the issue was fixed on Mar 2, 2015 in the 8.0.2-055 and 8.5.6-063 releases of Cisco Email Security Appliance. There are only three known affected releases: 8.0.1-023, 8.5.0-473, 8.5.5-280

Dan