From owner-freebsd-security@FreeBSD.ORG Tue Apr 27 17:23:52 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 604971065677 for ; Tue, 27 Apr 2010 17:23:52 +0000 (UTC) (envelope-from lavalamp@spiritual-machines.org) Received: from mx04.pub.collaborativefusion.com (mx04.pub.collaborativefusion.com [206.210.72.84]) by mx1.freebsd.org (Postfix) with ESMTP id 29D438FC21 for ; Tue, 27 Apr 2010 17:23:51 +0000 (UTC) Received: from [127.0.0.1] ([206.210.89.202]) by mx04.pub.collaborativefusion.com (StrongMail Enterprise 4.1.1.4(4.1.1.4-47689)); Tue, 27 Apr 2010 13:32:00 -0400 X-VirtualServerGroup: Default X-MailingID: 00000::00000::00000::00000::::1375 X-SMHeaderMap: mid="X-MailingID" X-Destination-ID: freebsd-security@freebsd.org X-SMFBL: ZnJlZWJzZC1zZWN1cml0eUBmcmVlYnNkLm9yZw== Message-ID: <4BD71DA6.6020906@spiritual-machines.org> Date: Tue, 27 Apr 2010 13:23:50 -0400 From: "Brian A. Seklecki" User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4 MIME-Version: 1.0 To: freebsd-security@freebsd.org References: <1264017412.18129.38.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com> In-Reply-To: <1264017412.18129.38.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Tue, 27 Apr 2010 17:27:54 +0000 Subject: Re: OpenSSL CVE-2009-4355 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Apr 2010 17:23:52 -0000 On 1/20/2010 2:56 PM, Brian A. Seklecki wrote: > Per Daniele Sluijters's inquiry on the 15th,CVE-2009-4355, as > well as with a provision/draft fix for CVE-2009-3555 > MITM/Renegotiation Venerability. All: Did anyone ever come to a finding on CVE-2009-4355? Using the comments in Redhat Bugzilla, I was never able to re-create it on RELENG_6_3. Of course, RELENG_6_3, RELENG_7_2, and RELENG_8 are still behind OpenSSL 0.9.8m. FreeBSD9-Current seems to have 1.x-latest - NetBSD fixed it in 5.0.2: http://cvsweb.de.netbsd.org/cgi-bin/cvsweb.cgi/src/crypto /dist/openssl/crypto/comp/Attic/c_zlib.c - RHEL/Fedora patched their OpenSSL RPMs months ago. Without widespread working DoS code in the wild, are we happy instead, with patches to userland/ports etc.? Apache httpd 2.2.15 and php5.3.2 in Ports? Thanks, ~BAS > I suspect we wont have a patch out for RELENG_6_3 by the 31st? > But I'm willing to maintain one for another few months. > > -------- Forwarded Message -------- > From: OpenSSL > Reply-to: openssl-users@openssl.org > To: openssl-users@openssl.org, openssl-announce@openssl.org > Subject: OpenSSL 1.0.0 beta5 release > Date: Wed, 20 Jan 2010 19:19:16 +0100 > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1