All:
Per Daniele Sluijters's inquiry on the 15th,CVE-2009-4355, as
well as with a provision/draft fix for CVE-2009-3555
MITM/Renegotiation Venerability.
I suspect we wont have a patch out for RELENG_6_3 by the 31st?
But I'm willing to maintain one for another few months.
~BAS
-------- Forwarded Message --------
From: OpenSSL <openssl@openssl.org>
Reply-to: openssl-users@openssl.org
To: openssl-users@openssl.org, openssl-announce@openssl.org
Subject: OpenSSL 1.0.0 beta5 release
Date: Wed, 20 Jan 2010 19:19:16 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
OpenSSL version 1.0.0 Beta 5
===========================
[..snip...]
Since the fourth beta, the following has happened:
- Provisional TLS session renegotiation fix
- Option to output hash using older algorithm in x509 utility
- Compression session handling bug fix
- Build system fixes.
- Other bug fixes.
Reports and patches should be sent to openssl-bugs@openssl.org.
[..snip...]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url :
http://lists.freebsd.org/pipermail/freebsd-security/attachments/20100120/4702a42c/attachment.pgp
All:
Per Daniele Sluijters's inquiry on the 15th,CVE-2009-4355, as
well as with a provision/draft fix for CVE-2009-3555
MITM/Renegotiation Venerability.
I suspect we wont have a patch out for RELENG_6_3 by the 31st?
But I'm willing to maintain one for another few months.
~BAS
-------- Forwarded Message --------
From: OpenSSL <openssl@openssl.org>
Reply-to: openssl-users@openssl.org
To: openssl-users@openssl.org, openssl-announce@openssl.org
Subject: OpenSSL 1.0.0 beta5 release
Date: Wed, 20 Jan 2010 19:19:16 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
OpenSSL version 1.0.0 Beta 5
===========================
[..snip...]
Since the fourth beta, the following has happened:
- Provisional TLS session renegotiation fix
- Option to output hash using older algorithm in x509 utility
- Compression session handling bug fix
- Build system fixes.
- Other bug fixes.
Reports and patches should be sent to openssl-bugs@openssl.org.
[..snip...]
On 1/20/2010 2:56 PM, Brian A. Seklecki wrote:> Per Daniele Sluijters's inquiry on the 15th,CVE-2009-4355, as > well as with a provision/draft fix for CVE-2009-3555 > MITM/Renegotiation Venerability.All: Did anyone ever come to a finding on CVE-2009-4355? Using the comments in Redhat Bugzilla, I was never able to re-create it on RELENG_6_3. Of course, RELENG_6_3, RELENG_7_2, and RELENG_8 are still behind OpenSSL 0.9.8m. FreeBSD9-Current seems to have 1.x-latest - NetBSD fixed it in 5.0.2: http://cvsweb.de.netbsd.org/cgi-bin/cvsweb.cgi/src/crypto /dist/openssl/crypto/comp/Attic/c_zlib.c - RHEL/Fedora patched their OpenSSL RPMs months ago. Without widespread working DoS code in the wild, are we happy instead, with patches to userland/ports etc.? Apache httpd 2.2.15 and php5.3.2 in Ports? Thanks, ~BAS> I suspect we wont have a patch out for RELENG_6_3 by the 31st? > But I'm willing to maintain one for another few months. > > -------- Forwarded Message -------- > From: OpenSSL<openssl@openssl.org> > Reply-to: openssl-users@openssl.org > To: openssl-users@openssl.org, openssl-announce@openssl.org > Subject: OpenSSL 1.0.0 beta5 release > Date: Wed, 20 Jan 2010 19:19:16 +0100 > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1
On 1/20/2010 2:56 PM, Brian A. Seklecki wrote:> Per Daniele Sluijters's inquiry on the 15th,CVE-2009-4355, as > well as with a provision/draft fix for CVE-2009-3555 > MITM/Renegotiation Venerability.All: Did anyone ever come to a finding on CVE-2009-4355? Using the comments in Redhat Bugzilla, I was never able to re-create it on RELENG_6_3. Of course, RELENG_6_3, RELENG_7_2, and RELENG_8 are still behind OpenSSL 0.9.8m. FreeBSD9-Current seems to have 1.x-latest - NetBSD fixed it in 5.0.2: http://cvsweb.de.netbsd.org/cgi-bin/cvsweb.cgi/src/crypto /dist/openssl/crypto/comp/Attic/c_zlib.c - RHEL/Fedora patched their OpenSSL RPMs months ago. Without widespread working DoS code in the wild, are we happy instead, with patches to userland/ports etc.? Apache httpd 2.2.15 and php5.3.2 in Ports? Thanks, ~BAS> I suspect we wont have a patch out for RELENG_6_3 by the 31st? > But I'm willing to maintain one for another few months. > > -------- Forwarded Message -------- > From: OpenSSL<openssl@openssl.org> > Reply-to: openssl-users@openssl.org > To: openssl-users@openssl.org, openssl-announce@openssl.org > Subject: OpenSSL 1.0.0 beta5 release > Date: Wed, 20 Jan 2010 19:19:16 +0100 > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1