On Sun, May 17, 2015, at 16:28, Dan Lukes wrote:> On 05/17/15 22:20, Mark Felder:
> > You're not understanding the situation: the vulnerability
isn't in
> > OpenSSL; it's a design flaw / weakness in the protocol.
>
> Sorry, my English seems to be so poor so you don't understand my very
> simple question. You are still answering other questions I didn't
asked.
>
> Last attempt. I will try ti make question as simple as possible. If it
> will not help I will become silent.
>
> TLS 1.0 *protocol* is buggy, new protocol has been implemented in new
> version of OpenSSL, but such version will not be imported into FreeBSD 9
> because of ABI incompatibility. Instead old version of OpenSSL and
> vulnerable protocol is still used by base system libraries and
> utilities. So base system IS affected by known vulnerability.
>
> Thus I'm asking.
>
> If TLS 1.0 is considered severe security issue AND system utilities are
> using it, why there is no Security Advisory describing this system
> vulnerability ?
>
It's not a vulnerability in software, it's weakness in the protocol
design. By your logic we should have SAs for all of the following in the
base system:
hashes:
MD5
SHA1
default passwd hash in FreeBSD 8:
md5crypt (though phk did request a CVE to help usher its death)
any openssl cipher using the following:
MD5
SHA1
DES
3DES
IDEA
I'm sure there are even more examples.
None of these problems fit the definition required to issue an SA.
They're just a violation of widely-accepted Best Current Practices.