From owner-freebsd-security@FreeBSD.ORG Wed Apr 21 00:19:33 2010
From: Dag-Erling Smørgrav
To: Tim Gustafson
Cc: freebsd-security@freebsd.org
Date: Wed, 21 Apr 2010 02:19:00 +0200
Subject: Re: OpenSSL 0.9.8k -> 0.9.8l
Message-ID: <867ho1mzd7.fsf@ds4.des.no>
In-Reply-To: <1849729321.700021271515794985.JavaMail.root@mail-01.cse.ucsc.edu>

Tim Gustafson writes:
> I run a few web servers which need to be PCI compliant. Apparently
> there's a problem with OpenSSL 0.9.8k that requires us to upgrade to
> 0.9.8l for us to maintain our compliance level.
>
> I've csup'd to RELENG_8_0 [...]

RELENG_8_0 is 8.0 + critical bug fixes.

If you're not too pressed for time, 8.1 is "only" a couple of months
away and will hopefully ship with 0.9.8n, which is what we currently
have in head.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Wed Apr 21 05:23:02 2010
From: Tim Gustafson
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org
Date: Tue, 20 Apr 2010 22:23:02 -0700 (PDT)
Subject: Re: OpenSSL 0.9.8k -> 0.9.8l
Message-ID: <258059512.789871271827382221.JavaMail.root@mail-01.cse.ucsc.edu>
In-Reply-To: <867ho1mzd7.fsf@ds4.des.no>

> RELENG_8_0 is 8.0 + critical bug fixes.

From what I gather, the exploits in 0.9.8k are pretty serious. :\

> If you're not too pressed for time, 8.1 is "only" a couple of
> months away and will hopefully ship with 0.9.8n which is what
> we currently have in head.

Well, we may have to wait, or maybe update to RELENG_8 and cross our fingers. :)

Tim Gustafson
Baskin School of Engineering
UC Santa Cruz
tjg@soe.ucsc.edu
831-459-5354

From owner-freebsd-security@FreeBSD.ORG Wed Apr 21 05:55:17 2010
From: Eirik Øverby
To: Tim Gustafson
Cc: Dag-Erling Smørgrav, freebsd-security@freebsd.org
Date: Wed, 21 Apr 2010 07:55:14 +0200
Subject: Re: OpenSSL 0.9.8k -> 0.9.8l
In-Reply-To: <258059512.789871271827382221.JavaMail.root@mail-01.cse.ucsc.edu>

On Apr 21, 2010, at 7:23 AM, Tim Gustafson wrote:
>> RELENG_8_0 is 8.0 + critical bug fixes.
>
> From what I gather, the exploits in 0.9.8k are pretty serious. :\
>
>> If you're not too pressed for time, 8.1 is "only" a couple of
>> months away and will hopefully ship with 0.9.8n which is what
>> we currently have in head.
>
> Well, we may have to wait, or maybe update to RELENG_8 and cross our fingers. :)

It is a misconception to think that one _has to_ run the latest version (as suggested by dumb network scans) in order to remain compliant (PCI DSS or otherwise). What is needed is that the issues found are either patched or documented to be not applicable.

All current OpenSSL issues in the versions shipping with RELENG_8_0 have, to my knowledge, been fixed by the secteam or do not apply to FreeBSD.

/Eirik

From owner-freebsd-security@FreeBSD.ORG Wed Apr 21 06:15:27 2010
From: Dag-Erling Smørgrav
To: Tim Gustafson
Cc: freebsd-security@freebsd.org
Date: Wed, 21 Apr 2010 08:14:53 +0200
Subject: Re: OpenSSL 0.9.8k -> 0.9.8l
Message-ID: <86aasxl4bm.fsf@ds4.des.no>
In-Reply-To: <258059512.789871271827382221.JavaMail.root@mail-01.cse.ucsc.edu>

Tim Gustafson writes:
> "Dag-Erling Smørgrav" writes:
> > RELENG_8_0 is 8.0 + critical bug fixes.
> From what I gather, the exploits in 0.9.8k are pretty serious. :\

If you mean FreeBSD-SA-09:15.ssl, that's been fixed in 8.0, although the OpenSSL version number was not changed. I assume that you have read the handbook and are familiar with the concept of security advisories and how to patch your system using freebsd-update(8), so I won't waste your time with the details.

> From what I gather, the exploits in 0.9.8k are pretty serious. :\

Heard you the first time.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Fri Apr 23 03:09:25 2010
From: "Philip M. Gollucci"
Organization: P6M7G8 Inc.
To: Eirik Øverby
Cc: Tim Gustafson, Dag-Erling Smørgrav, freebsd-security@freebsd.org
Date: Thu, 22 Apr 2010 22:59:15 -0400
Subject: Re: OpenSSL 0.9.8k -> 0.9.8l
Message-ID: <4BD10D03.7010201@p6m7g8.com>

On 4/21/2010 1:55 AM, Eirik Øverby wrote:
> It is a misconception to think that one _has to_ run the latest version
> (as suggested by dumb network scans) in order to remain compliant
> (PCI DSS or otherwise). What is needed is that the issues found are
> either patched or documented to be not applicable.

I completely agree; however, having just achieved PCI certification for $work in *this* month -- 2 different (unnamed PCI auditing firms) refused to accept OpenSSL had been patched without version number changes.

Kind of odd considering they said my httpd 2.2.14 was vulnerable to the Windows mod_isapi CVE on fbsd but accepted on face value that we can't possibly be since it's not Windows and not loaded. Yet the version # didn't change here.

Additionally odd, they did accept that 2.2.14 disabled SSL functionality to prevent the issue though not fix it. Yet again the version # didn't change.

Interestingly we have some other equipment that requires the client renegotiation, but b/c we are leasing it rather than owning it, it's out of scope.

IMHO, it's simply easier to always mod the version string in some way rather than trying to argue with them.

-- 
------------------------------------------------------------------------
1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70 3F8C 75B8 8FFB DB9B 8C1C
Philip M. Gollucci (pgollucci@p6m7g8.com) c: 703.336.9354
VP Apache Infrastructure; Member, Apache Software Foundation
Committer, FreeBSD Foundation
Consultant, P6M7G8 Inc.
Sr. System Admin, Ridecharge Inc.

Work like you don't need the money, love like you'll never get hurt,
and dance like nobody's watching.
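As an added example (not code from the thread, from FreeBSD or from any poster), here is a small Python check that encodes the point Eirik and DES make above: a scanner finding keyed on the OpenSSL banner is judged against the host's real patch level and the advisory that fixed the issue, and the output is the one-line justification to attach to the finding instead of arguing about the banner. It assumes the host's patch level is a `uname -r` style string such as `8.0-RELEASE-p2`; the advisory table is constructed for the example, with SA-09:15.ssl recorded as fixed in 8.0 itself (as DES states) and a second, placeholder advisory id used only to show an outstanding fix.

```python
import re
from dataclasses import dataclass

# "8.0-RELEASE-p2" -> branch 8.0, patch level 2; a bare "8.0-RELEASE" is patch level 0.
_REL_RE = re.compile(r"^(\d+)\.(\d+)-RELEASE(?:-p(\d+))?$")

@dataclass
class Advisory:
    sa_id: str       # advisory identifier
    component: str   # banner component the scanner keys on, e.g. "openssl"
    corrected: dict  # branch ("8.0") -> lowest release string that carries the fix

def parse_release(uname_r: str) -> tuple:
    """Turn a uname -r style string into a comparable (major, minor, patch) tuple."""
    m = _REL_RE.match(uname_r.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {uname_r!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def assess(component: str, uname_r: str, advisories) -> tuple:
    """Return (verdict, advisory_ids): 'patched', 'unpatched' (ids still outstanding),
    'no-advisory', or 'unsupported-branch' (advisory lists no fix for this branch)."""
    installed = parse_release(uname_r)
    branch = f"{installed[0]}.{installed[1]}"
    relevant = [a for a in advisories if a.component == component]
    if not relevant:
        return ("no-advisory", [])
    outstanding = []
    for adv in relevant:
        needed = adv.corrected.get(branch)
        if needed is None:
            return ("unsupported-branch", [adv.sa_id])
        if installed < parse_release(needed):   # tuple order: (major, minor, patch)
            outstanding.append(adv.sa_id)
    if outstanding:
        return ("unpatched", outstanding)
    return ("patched", [a.sa_id for a in relevant])

def evidence_line(banner: str, component: str, uname_r: str, advisories) -> str:
    """Wording to attach to the scan finding instead of arguing about the banner."""
    verdict, ids = assess(component, uname_r, advisories)
    if verdict == "patched":
        return (f"{banner} on {uname_r}: fix for {', '.join(ids)} is applied at this "
                f"patch level; upstream version string intentionally unchanged.")
    return f"{banner} on {uname_r}: {verdict} ({', '.join(ids) or 'n/a'})"

# Constructed advisory table: the first entry follows the thread (SA-09:15.ssl fixed in
# 8.0 itself); the second is a placeholder id used only to show an outstanding advisory.
ADVISORIES = [
    Advisory("FreeBSD-SA-09:15.ssl", "openssl", {"8.0": "8.0-RELEASE"}),
    Advisory("FreeBSD-SA-XX:YY.placeholder", "openssl", {"8.0": "8.0-RELEASE-p3"}),
]

if __name__ == "__main__":
    # Constructed scanner finding on a host that is two patch levels into 8.0.
    print(evidence_line("OpenSSL/0.9.8k", "openssl", "8.0-RELEASE-p2", ADVISORIES))
```

Feed it the advisories that actually apply to the branch and the output doubles as the "patched or documented not applicable" record Eirik describes.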
From owner-freebsd-security@FreeBSD.ORG Fri Apr 23 05:49:51 2010
From: "Philip M. Gollucci"
Organization: P6M7G8 Inc.
To: Julian Elischer
Cc: Tim Gustafson, Dag-Erling Smørgrav, Eirik Øverby, freebsd-security@FreeBSD.ORG
Date: Fri, 23 Apr 2010 01:49:42 -0400
Subject: Re: OpenSSL 0.9.8k -> 0.9.8l
Message-ID: <4BD134F6.6010802@p6m7g8.com>
In-Reply-To: <4BD13097.4060200@elischer.org>

On 4/23/2010 1:31 AM, Julian Elischer wrote:
> append -p2 to the end of the version number before submitting it to them

I was tempted to, but I just switched from base to port and updated.

You really could do that with any piece of software PCI complains about (esp. if you can recompile it).

From owner-freebsd-security@FreeBSD.ORG Fri Apr 23 06:01:19 2010
From: Julian Elischer
To: "Philip M. Gollucci"
Cc: Tim Gustafson, Dag-Erling Smørgrav, Eirik Øverby, freebsd-security@freebsd.org
Date: Thu, 22 Apr 2010 22:31:03 -0700
Subject: Re: OpenSSL 0.9.8k -> 0.9.8l
Message-ID: <4BD13097.4060200@elischer.org>
In-Reply-To: <4BD10D03.7010201@p6m7g8.com>
X-Mailman-Approved-At: Fri, 23 Apr 2010 11:12:51 +0000

On 4/22/10 7:59 PM, Philip M. Gollucci wrote:
> On 4/21/2010 1:55 AM, Eirik Øverby wrote:
>> It is a misconception to think that one _has to_ run the latest version
>> (as suggested by dumb network scans) in order to remain compliant
>> (PCI DSS or otherwise). What is needed is that the issues found are
>> either patched or documented to be not applicable.
> I completely agree; however, having just achieved PCI certification for
> $work in *this* month -- 2 different (unnamed PCI auditing firms) refused
> to accept OpenSSL had been patched without version number changes.
>
> [...]
>
> IMHO, it's simply easier to always mod the version string in some way
> rather than trying to argue with them.

append -p2 to the end of the version number before submitting it to them :-)