Date: Wed, 25 Aug 2021 16:42:38 +0100 From: Vincent Hoffman-Kazlauskas <vince@unsane.co.uk> To: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-21:16.openssl Message-ID: <b2549498-4d31-72e2-3830-489ad1c8d4a9@unsane.co.uk> In-Reply-To: <A032A5CA-9FF3-4DBE-A4AD-8AE20B48544D@tetlows.org> References: <20210824205300.305BF72EF@freefall.freebsd.org> <44434c22-51c6-92cb-c9de-60fae4764347@sentex.net> <A032A5CA-9FF3-4DBE-A4AD-8AE20B48544D@tetlows.org>
index | next in thread | previous in thread | raw e-mail
On 25/08/2021 16:22, Gordon Tetlow via freebsd-security wrote: > >> On Aug 25, 2021, at 4:59 AM, mike tancsa <mike@sentex.net> wrote: >> >> On 8/24/2021 4:53 PM, FreeBSD Security Advisories wrote: >>> >>> Branch/path Hash Revision >>> ------------------------------------------------------------------------- >>> stable/13/ 9d31ae318711 stable/13-n246940 >>> releng/13.0/ 2261c814b7fa releng/13.0-n244759 >>> stable/12/ r370385 >>> releng/12.2/ r370396 >>> ------------------------------------------------------------------------- >> >> >> Hi All, >> >> Was reading the original advisory at >> https://www.google.com/url?q=https://www.openssl.org/news/secadv/20210824.txt&source=gmail-imap&ust=1630497552000000&usg=AOvVaw21BGr3aGIh9CKIH3efYzY4 and it says >> >> "OpenSSL versions 1.0.2y and below are affected by this [CVE-2021-3712] >> issue." >> >> Does it not then impact RELENG11 ? >> >> % openssl version >> OpenSSL 1.0.2u-freebsd 20 Dec 2019 >> >> I know RELENG_11 support ends in about a month, but should it not be >> flagged ? > > As we don't have a support contract with OpenSSL to get access to 1.0.2 patches, we could only roll the 1.1.1 patches. I may have the wrong end of the stick but https://www.openssl.org/news/vulnerabilities.html says "Fixed in OpenSSL 1.0.2za (git commit) (Affected 1.0.2-1.0.2y)" with the git commit linked being https://github.com/openssl/openssl/commit/ccb0a11145ee72b042d10593a64eaf9e8a55ec12 Is this not eligible for inclusion? I do however appreciate that as support ends so soon resources are best used on the longer lived versions. Regards, Vince > > Best, > Gordon > Hat: security-officer > _______________________________________________ > freebsd-security@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" >help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?b2549498-4d31-72e2-3830-489ad1c8d4a9>