Is there a plan to update OpenSSL to patch for CVE-2012-2131? Also, is the DOS vulnerability in libkrb5 that Heimdal 1.5.2 patches present in Heimdal 1.1 which shipped with 9.0-RELEASE?
Robert Simmons wrote:
> Is there a plan to update OpenSSL to patch for CVE-2012-2131?
>
> Also, is the DOS vulnerability in libkrb5 that Heimdal 1.5.2 patches
> present in Heimdal 1.1 which shipped with 9.0-RELEASE?

I'll second this one.

1. Are there any plans on updating openssl and why not? It's getting a bad hype nowadays. And will we ever support TLS v1.[12]? BEAST attack seems to be not so far from most of us: https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls

2. What's with CVE-2011-1945? I've been waiting for months for just a tiny comment on this one, as if this truly is not fixed in our source, all 9.0 installations with world-open ssh are potentially vulnerable.

3. DragonFly is much faster than we are, they have 1.0.1b on master branch, while we have 1.0.1a in ports. They also already removed heimdal from base and pkgsrc has 1.5.2 available with our 1.4 present in ports.

--
Sphinx of black quartz judge my vow.
On Thu, May 3, 2012 at 12:24 PM, Mark Felder <feld@feld.me> wrote:
> On Thu, 03 May 2012 10:21:24 -0500, Robert Simmons <rsimmons0@gmail.com>
> wrote:
>
>> TLS 1.1:
>> https://bugzilla.mozilla.org/show_bug.cgi?id=565047
>> TLS 1.2:
>> https://bugzilla.mozilla.org/show_bug.cgi?id=480514
>
> Cool, thanks for the followup!

It looks like 50% of my original question was just answered:
http://security.freebsd.org/advisories/FreeBSD-SA-12:01.openssl.asc