freebsd security - Mar 2015 - sendmail broken by libssl in current

On Mar 10, 2015, at 11:57 PM, Julian Elischer <julian at freebsd.org>
wrote:
> unfortunatly this makes sendmail incompatible with various email servers
around the world,
> including (apparently (ironically (*))) Ironport email gateways.
> It fails in TLS handshake.
Can you say which email servers *other* than unpatched Ironport fail? I've
only seen it with unpatched Ironport on my (somewhat active) FreeBSD-based mail
server. FWIW, I only see these bounces in my mail queue for exactly two sites.

Cisco has known about this for many months; see
<https://tools.cisco.com/quickview/bug/CSCuo25276>. I have been told by an
Ironport user that there is already a patch that is available from Cisco. If
that's true (I can't confirm), why would we want to do a patch to our
core crypto?

--Paul Hoffman

Paul Hoffman wrote:
> Can you say which email servers *other* than unpatched Ironport fail?
> Cisco has known about this for many months; see
<https://tools.cisco.com/quickview/bug/CSCuo25276>
Note that Bug CSCuo25276 is considered duplicate of the bug CSCuo25329.
> If that's true (I can't confirm), why would we want to do a patch
to our core crypto?
Good question. The following should be taken into consideration.

According CSCuo25329, the issue has been fixed on Mar 2,2015 in
8.0.2-055 and 8.5.6-063 release of Cisco Email Security Appliance.

There are three known affected releases only - 8.0.1-023, 8.5.0-473,
8.5.5-280

Dan