On Mar 11, 2015, at 9:15 AM, Gregory Shapiro <gshapiro at freebsd.org> wrote:
> First, thank you Philip for jumping on this. Much appreciated.
>
>> This wonderful change (cough) to include SSL_OP_TLSEXT_PADDING in
>> SSL_OP_ALL was addressed in sendmail 8.15.1, which explicitly removes
>> SSL_OP_TLSEXT_PADDING from the default ClientSSLOptions value if that
>> #define exists. I believe Greg is working on importing that to
>> FreeBSD.
>
> sendmail 8.15.1 is imported into the vendor area but not merged due to an
> incompatible change that is being moved into a run-time configuration variable
> in 8.15.2. Rather than expose the FreeBSD population to the churn from that
> change, I am skipping 8.15.1 and will import 8.15.2.
>
> That being said, I can certainly make the local fix that Philip mentioned to
> take care of the padding issue. Is the new libssl in 11-CURRENT going to
> be/already been MFC'ed to other branches?

I'm still *really* hesitant for us to be patching OpenSSL for a bug on a
middlebox vendor's system that already has a fix.
--Paul Hoffman