From: Xin LI
Date: Sat, 17 Apr 2010 09:43:30 -0700
To: Tim Gustafson
Cc: freebsd-security@freebsd.org
Subject: Re: OpenSSL 0.9.8k -> 0.9.8l
Message-ID: <4BC9E532.5020108@delphij.net>
In-Reply-To: <1849729321.700021271515794985.JavaMail.root@mail-01.cse.ucsc.edu>

On 2010/04/17 07:49, Tim Gustafson wrote:
> Hi,
>
> I run a few web servers which need to be PCI compliant. Apparently there's a problem with OpenSSL 0.9.8k that requires us to upgrade to 0.9.8l for us to maintain our compliance level.
>
> I've csup'd to RELENG_8_0 and did a build/install cycle and OpenSSL is still at 0.9.8k. Using RELENG_8 isn't really an option for me because the last time I upgraded to that level, ipfw was broken and I'm not sure that the problem with ipfw has been fixed (Luigi tells me that it has, but I haven't had time to test it yet).
>
> Is there any movement to patch RELENG_8_0 with OpenSSL 0.9.8l? Or will I be stuck with 0.9.8k until I move to RELENG_8?

RELENG_8_0 is considered "frozen", which means we will do massive upgrade there. RELENG_8 would have the latest OpenSSL.

Note that "cherry picking" style changes _may_ be permitted on RELENG_8_0 per re@ and security-officer@'s decision. If you know what the problem is, please feel free to let secteam@FreeBSD.org know, ideally with a reference to the OpenSSL bug tracking system, a CVE number, etc., so we will be able to handle it more quickly.

We have patched RELENG_8_0 before 8.0-RELEASE for a few SSL protocol flaws:

http://security.freebsd.org/advisories/FreeBSD-SA-09:15.ssl.asc

Hope this helps.

Cheers,
-- 
Xin LI http://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die
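A defender's check related to the question above, added here and not part of the list message: a POSIX sh script that parses OpenSSL release strings of the 0.9.8k / 0.9.8l form (three numbers plus a letter suffix) and reports whether the installed library is at or above a required release. It assumes `openssl version` prints `OpenSSL <release> <date>`; the comparison function itself needs no openssl binary.

```sh
#!/bin/sh
# Added example (not from the list message): compare an OpenSSL release
# string such as "0.9.8k" against a required one such as "0.9.8l".
# Components are split into MAJOR.MINOR.FIX plus the letter suffix, so
# "0.9.8" < "0.9.8a" < ... < "0.9.8k" < "0.9.8l" < "0.9.8za" < "1.0.0".

# Return 0 (true) when release $1 is the same as, or newer than, $2.
openssl_version_ge() {
    awk -v have="$1" -v want="$2" '
    # Letter suffix -> number: "" = 0, "a" = 27, ..., "z" = 702, "za" = 703.
    function lkey(s,   c, ch, k) {
        k = 0
        for (c = 1; c <= 2; c++) {
            ch = substr(s, c, 1)
            k = k * 27 + (ch == "" ? 0 : index("abcdefghijklmnopqrstuvwxyz", ch))
        }
        return k
    }
    # "0.9.8k" -> "000.009.008.0297": fixed width, so a string compare orders it.
    function vkey(v,   f, s) {
        split(v, f, ".")
        s = f[3]; sub(/^[0-9]+/, "", s)   # "8k" -> "k"; "8" -> ""
        return sprintf("%03d.%03d.%03d.%04d", f[1], f[2], f[3], lkey(s))
    }
    BEGIN { if (vkey(have) >= vkey(want)) exit 0; exit 1 }'
}

# Check the installed library. Assumes `openssl version` prints
# "OpenSSL <release> <date>" (e.g. "OpenSSL 0.9.8k 25 Mar 2009").
# Exit status: 0 = at or above $1, 1 = older, 2 = openssl not found.
check_openssl() {
    have=$(openssl version 2>/dev/null | awk '{ print $2 }')
    if [ -z "$have" ]; then
        echo "openssl binary not found" >&2
        return 2
    fi
    if openssl_version_ge "$have" "$1"; then
        echo "OpenSSL $have: at or above required $1"
    else
        echo "OpenSSL $have: older than required $1"
        return 1
    fi
}

# Usage as a script: sh check_openssl.sh 0.9.8l
if [ $# -gt 0 ]; then
    check_openssl "$1"
fi
```

As the reply notes, a FreeBSD base system can carry merged fixes (FreeBSD-SA-09:15.ssl) while still reporting the older upstream release string, so a version-only result like this is a starting point for the conversation with a scanner vendor, not proof of exposure.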