Date: Fri, 11 Dec 2020 12:14:42 +0100
From: Fabian Keil
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl

Andrea Venturoli wrote on 2020-12-11:

> On 12/10/20 12:03 AM, FreeBSD Security Advisories wrote:
>
> > Note: The OpenSSL project has published publicly available patches for
> > versions included in FreeBSD 12.x. This vulnerability is also known to
> > affect OpenSSL versions included in FreeBSD 11.4. However, the OpenSSL
> > project is only giving patches for that version to premium support contract
> > holders. The FreeBSD project does not have access to these patches and
> > recommends FreeBSD 11.4 users to either upgrade to FreeBSD 12.x or leverage
> > up to date versions of OpenSSL in the ports/pkg system. The FreeBSD Project
> > may update this advisory to include FreeBSD 11.4 should patches become
> > publicly available.
>
> So I'm looking for suggestion on how to handle this.
> I guess I'll just upgrade some 11.4 to 12.2 and that'll be it.

The fix was already backported to stable/11 so it's now "publicly available":
https://svnweb.freebsd.org/base?view=revision&revision=368530

I expect that releng/11.4 will receive the fix in the near future.

Fabian