All:
  Per Daniele Sluijters's inquiry on the 15th, CVE-2009-4355, as
  well as with a provision/draft fix for CVE-2009-3555
  MITM/Renegotiation Vulnerability.
  I suspect we won't have a patch out for RELENG_6_3 by the 31st?
  But I'm willing to maintain one for another few months.
~BAS
-------- Forwarded Message --------
From: OpenSSL <openssl@openssl.org>
Reply-to: openssl-users@openssl.org
To: openssl-users@openssl.org, openssl-announce@openssl.org
Subject: OpenSSL 1.0.0 beta5 release
Date: Wed, 20 Jan 2010 19:19:16 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
  OpenSSL version 1.0.0 Beta 5
  ===========================
 [..snip...]
  Since the fourth beta, the following has happened:
    - Provisional TLS session renegotiation fix
    - Option to output hash using older algorithm in x509 utility
    - Compression session handling bug fix
    - Build system fixes.
    - Other bug fixes.
  Reports and patches should be sent to openssl-bugs@openssl.org.
[..snip...]
On 1/20/2010 2:56 PM, Brian A. Seklecki wrote:
> Per Daniele Sluijters's inquiry on the 15th, CVE-2009-4355, as
> well as with a provision/draft fix for CVE-2009-3555
> MITM/Renegotiation Vulnerability.

All:

Did anyone ever come to a finding on CVE-2009-4355?

Using the comments in Redhat Bugzilla, I was never able to re-create it
on RELENG_6_3.

Of course, RELENG_6_3, RELENG_7_2, and RELENG_8 are still behind OpenSSL
0.9.8m. FreeBSD9-Current seems to have 1.x-latest.

- NetBSD fixed it in 5.0.2:
  http://cvsweb.de.netbsd.org/cgi-bin/cvsweb.cgi/src/crypto/dist/openssl/crypto/comp/Attic/c_zlib.c
- RHEL/Fedora patched their OpenSSL RPMs months ago.

Without widespread working DoS code in the wild, are we happy instead,
with patches to userland/ports etc.? Apache httpd 2.2.15 and php5.3.2 in
Ports?

Thanks,
~BAS

> I suspect we won't have a patch out for RELENG_6_3 by the 31st?
> But I'm willing to maintain one for another few months.
>
> -------- Forwarded Message --------
> From: OpenSSL <openssl@openssl.org>
> Reply-to: openssl-users@openssl.org
> To: openssl-users@openssl.org, openssl-announce@openssl.org
> Subject: OpenSSL 1.0.0 beta5 release
> Date: Wed, 20 Jan 2010 19:19:16 +0100
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1