From owner-freebsd-security@freebsd.org Wed Aug 25 15:42:47 2021 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 9B05E676667 for ; Wed, 25 Aug 2021 15:42:47 +0000 (UTC) (envelope-from vince@unsane.co.uk) Received: from unsane.co.uk (fbsd.rdg.namesco.net [213.246.108.13]) by mx1.freebsd.org (Postfix) with ESMTP id 4GvqxL0B2jz3nvx for ; Wed, 25 Aug 2021 15:42:46 +0000 (UTC) (envelope-from vince@unsane.co.uk) Received: from MacBook-Air.local (unknown [81.174.148.213]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by unsane.co.uk (Postfix) with ESMTPSA id D65C230019 for ; Wed, 25 Aug 2021 16:42:38 +0100 (BST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=unsane.co.uk; s=251017; t=1629906159; bh=WoAn8YsTcIbm24bdycISMtLcphsvLzi1GEP2i8HzrA0=; h=To:References:From:Subject:Date:In-Reply-To; b=f+dFTh+7a+mSvU14YrMcoWG2EpcIM5sYgEBKUGMZWNYvbw/DZd5l6+TwD9sopo6zC kZd+FXI1pb3bjrUcWUs0NWtyubi68dkFU51BYnxw+XourrHGsQNZGIR0fhCZ4t5A5m e32PoavNrIHLDlr5PEyF2YmrWiCNQX0hYNs17XaM= To: freebsd-security@freebsd.org References: <20210824205300.305BF72EF@freefall.freebsd.org> <44434c22-51c6-92cb-c9de-60fae4764347@sentex.net> From: Vincent Hoffman-Kazlauskas Subject: Re: FreeBSD Security Advisory FreeBSD-SA-21:16.openssl Message-ID: Date: Wed, 25 Aug 2021 16:42:38 +0100 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:78.0) Gecko/20100101 Thunderbird/78.13.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 4GvqxL0B2jz3nvx X-Spamd-Bar: / Authentication-Results: mx1.freebsd.org; dkim=pass header.d=unsane.co.uk header.s=251017 header.b=f+dFTh+7; dmarc=pass (policy=none) header.from=unsane.co.uk; spf=pass (mx1.freebsd.org: domain of vince@unsane.co.uk designates 213.246.108.13 as permitted sender) smtp.mailfrom=vince@unsane.co.uk X-Spamd-Result: default: False [-0.98 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; R_DKIM_ALLOW(-0.20)[unsane.co.uk:s=251017]; MID_RHS_MATCH_FROM(0.00)[]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; R_SPF_ALLOW(-0.20)[+a]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; NEURAL_SPAM_MEDIUM(1.00)[1.000]; RCPT_COUNT_ONE(0.00)[1]; NEURAL_HAM_LONG(-1.00)[-1.000]; DKIM_TRACE(0.00)[unsane.co.uk:+]; DMARC_POLICY_ALLOW(-0.50)[unsane.co.uk,none]; NEURAL_HAM_SHORT(-0.09)[-0.094]; RCVD_NO_TLS_LAST(0.10)[]; HAS_GOOGLE_REDIR(0.01)[]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:8622, ipnet:213.246.64.0/18, country:GB]; RCVD_COUNT_TWO(0.00)[2]; MAILMAN_DEST(0.00)[freebsd-security] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Aug 2021 15:42:47 -0000 On 25/08/2021 16:22, Gordon Tetlow via freebsd-security wrote: > >> On Aug 25, 2021, at 4:59 AM, mike tancsa wrote: >> >> On 8/24/2021 4:53 PM, FreeBSD Security Advisories wrote: >>> >>> Branch/path Hash Revision >>> ------------------------------------------------------------------------- >>> stable/13/ 9d31ae318711 stable/13-n246940 >>> releng/13.0/ 2261c814b7fa releng/13.0-n244759 >>> stable/12/ r370385 >>> releng/12.2/ r370396 >>> ------------------------------------------------------------------------- >> >> >> Hi All, >> >> Was reading the original advisory at >> https://www.google.com/url?q=https://www.openssl.org/news/secadv/20210824.txt&source=gmail-imap&ust=1630497552000000&usg=AOvVaw21BGr3aGIh9CKIH3efYzY4 and it says >> >> "OpenSSL versions 1.0.2y and below are affected by this [CVE-2021-3712] >> issue." >> >> Does it not then impact RELENG11 ? >> >> % openssl version >> OpenSSL 1.0.2u-freebsd 20 Dec 2019 >> >> I know RELENG_11 support ends in about a month, but should it not be >> flagged ? > > As we don't have a support contract with OpenSSL to get access to 1.0.2 patches, we could only roll the 1.1.1 patches. I may have the wrong end of the stick but https://www.openssl.org/news/vulnerabilities.html says "Fixed in OpenSSL 1.0.2za (git commit) (Affected 1.0.2-1.0.2y)" with the git commit linked being https://github.com/openssl/openssl/commit/ccb0a11145ee72b042d10593a64eaf9e8a55ec12 Is this not eligible for inclusion? I do however appreciate that as support ends so soon resources are best used on the longer lived versions. Regards, Vince > > Best, > Gordon > Hat: security-officer > _______________________________________________ > freebsd-security@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" >