> On Aug 25, 2021, at 4:59 AM, mike tancsa <mike at sentex.net> wrote:
>
> On 8/24/2021 4:53 PM, FreeBSD Security Advisories wrote:
>>
>> Branch/path                    Hash                  Revision
>> -------------------------------------------------------------------------
>> stable/13/                     9d31ae318711          stable/13-n246940
>> releng/13.0/                   2261c814b7fa          releng/13.0-n244759
>> stable/12/                                           r370385
>> releng/12.2/                                         r370396
>> -------------------------------------------------------------------------
>
>
> Hi All,
>
> Was reading the original advisory at
> https://www.openssl.org/news/secadv/20210824.txt and it says
>
> "OpenSSL versions 1.0.2y and below are affected by this [CVE-2021-3712]
> issue."
>
> Does it not then impact RELENG11 ?
>
> % openssl version
> OpenSSL 1.0.2u-freebsd 20 Dec 2019
>
> I know RELENG_11 support ends in about a month, but should it not be
> flagged ?

As we don't have a support contract with OpenSSL to get access to 1.0.2 patches, we could only roll the 1.1.1 patches.

Best,
Gordon
Hat: security-officer
On 8/25/2021 11:22 AM, Gordon Tetlow wrote:
> Hi All,
>> Was reading the original advisory at
>> https://www.openssl.org/news/secadv/20210824.txt and it says
>>
>> "OpenSSL versions 1.0.2y and below are affected by this [CVE-2021-3712]
>> issue."
>>
>> Does it not then impact RELENG11 ?
>>
>> % openssl version
>> OpenSSL 1.0.2u-freebsd 20 Dec 2019
>>
>> I know RELENG_11 support ends in about a month, but should it not be
>> flagged ?
> As we don't have a support contract with OpenSSL to get access to 1.0.2 patches, we could only roll the 1.1.1 patches.

Hi Gordon,

    I was thinking more in terms of just a mention that RELENG_11 is indeed vulnerable, no ?

    ---Mike
Vincent Hoffman-Kazlauskas
2021-Aug-25 15:42 UTC
FreeBSD Security Advisory FreeBSD-SA-21:16.openssl
On 25/08/2021 16:22, Gordon Tetlow via freebsd-security wrote:
>
>> On Aug 25, 2021, at 4:59 AM, mike tancsa <mike at sentex.net> wrote:
>>
>> On 8/24/2021 4:53 PM, FreeBSD Security Advisories wrote:
>>>
>>> Branch/path                    Hash                  Revision
>>> -------------------------------------------------------------------------
>>> stable/13/                     9d31ae318711          stable/13-n246940
>>> releng/13.0/                   2261c814b7fa          releng/13.0-n244759
>>> stable/12/                                           r370385
>>> releng/12.2/                                         r370396
>>> -------------------------------------------------------------------------
>>
>>
>> Hi All,
>>
>> Was reading the original advisory at
>> https://www.openssl.org/news/secadv/20210824.txt and it says
>>
>> "OpenSSL versions 1.0.2y and below are affected by this [CVE-2021-3712]
>> issue."
>>
>> Does it not then impact RELENG11 ?
>>
>> % openssl version
>> OpenSSL 1.0.2u-freebsd 20 Dec 2019
>>
>> I know RELENG_11 support ends in about a month, but should it not be
>> flagged ?
>
> As we don't have a support contract with OpenSSL to get access to 1.0.2 patches, we could only roll the 1.1.1 patches.

I may have the wrong end of the stick but
https://www.openssl.org/news/vulnerabilities.html says
"Fixed in OpenSSL 1.0.2za (git commit) (Affected 1.0.2-1.0.2y)" with the
git commit linked being
https://github.com/openssl/openssl/commit/ccb0a11145ee72b042d10593a64eaf9e8a55ec12

Is this not eligible for inclusion? I do however appreciate that as
support ends so soon resources are best used on the longer lived
versions.

Regards,
Vince

>
> Best,
> Gordon
> Hat: security-officer
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
>
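The question the thread turns on is whether a given `openssl version` string falls inside the range the OpenSSL advisory names ("Affected 1.0.2-1.0.2y", fixed in 1.0.2za). Doing that by eye is error-prone because the pre-3.0 patch-letter scheme does not sort as plain strings: `1.0.2z` is older than `1.0.2za`. The following is an added example, not code posted by any participant or shipped by FreeBSD or OpenSSL. The 1.0.2 range is the one quoted in the thread; the 1.1.1 range (1.1.1 through 1.1.1k, fixed in 1.1.1l) is taken from the same linked OpenSSL advisory and is an assumption of this example, as are all the sample version strings other than the `1.0.2u-freebsd` line Mike pasted.

```python
import re

# Ranges for CVE-2021-3712 per the OpenSSL advisory linked in the thread
# (https://www.openssl.org/news/secadv/20210824.txt), keyed by branch:
# (first affected, last affected, first fixed). The 1.0.2 entry is quoted in
# the thread; the 1.1.1 entry is taken from the same advisory (assumption here).
CVE_2021_3712_RANGES = {
    "1.0.2": ("1.0.2", "1.0.2y", "1.0.2za"),
    "1.1.1": ("1.1.1", "1.1.1k", "1.1.1l"),
}

# Matches the numeric part plus any trailing patch letters. Vendor suffixes
# such as "-freebsd" and the build date that follow are simply not captured.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return (major, minor, fix, letters) from an OpenSSL 1.x version string,
    e.g. 'OpenSSL 1.0.2u-freebsd 20 Dec 2019' -> (1, 0, 2, 'u')."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, fix, m.group(4))


def version_key(v):
    """Sort key for the pre-3.0 letter scheme: '' < 'a' < ... < 'z' < 'za' < 'zb'.
    Comparing (length, letters) gives that order; plain string comparison would
    wrongly put 'za' before 'zb' but also 'z' after 'za'."""
    major, minor, fix, letters = v
    return (major, minor, fix, len(letters), letters)


def assess(version_text, ranges=CVE_2021_3712_RANGES):
    """Classify a version string as 'affected', 'patched', or 'not-covered'
    (branch not listed in the advisory, e.g. 1.1.0 or LibreSSL).

    'not-covered' is deliberately distinct from 'patched': the advisory only
    assessed the branches it lists, so silence is not a clean bill of health."""
    v = parse_version(version_text)
    branch = f"{v[0]}.{v[1]}.{v[2]}"
    if branch not in ranges:
        return "not-covered"
    first, last, fixed = (version_key(parse_version(s)) for s in ranges[branch])
    k = version_key(v)
    if first <= k <= last:
        return "affected"
    if k >= fixed:
        return "patched"
    # A letter between 'last' and 'fixed' (no such release exists for these
    # ranges) falls through rather than being reported as patched.
    return "not-covered"


if __name__ == "__main__":
    # Constructed sample outputs of `openssl version`; only the first line is
    # the one actually pasted in the thread.
    samples = [
        "OpenSSL 1.0.2u-freebsd 20 Dec 2019",
        "OpenSSL 1.0.2za",
        "OpenSSL 1.1.1k",
        "OpenSSL 1.1.1l",
        "OpenSSL 1.1.0h",
    ]
    for s in samples:
        print(f"{s:40s} -> {assess(s)}")
```

Run against the string from the thread it reports `affected`, which is the point Mike was making: a release being a month from end-of-support changes whether a patch ships, not whether the code is vulnerable.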