From: "Philip M. Gollucci" (pgollucci@p6m7g8.com)
Date: Thu, 22 Apr 2010 22:59:15 -0400
To: Eirik Øverby
Cc: Tim Gustafson, v, Dag-Erling Smørgrav, freebsd-security@freebsd.org
Subject: Re: OpenSSL 0.9.8k -> 0.9.8l

On 4/21/2010 1:55 AM, Eirik Øverby wrote:
> It is a misconception to think that one _has to_ run the latest version (as suggested by dumb network scans) in order to remain compliant (PCI DSS or otherwise).
> What is needed is that the issues found are either patched or documented to be not applicable.

I completely agree; however, having just achieved PCI certification for $work in *this* month, 2 different (unnamed) PCI auditing firms refused to accept that OpenSSL had been patched without a version number change.

Kind of odd, considering they said my httpd 2.2.14 was vulnerable to the Windows mod_isapi CVE on FreeBSD, but accepted at face value that we can't possibly be, since it's not Windows and the module is not loaded. Yet the version # didn't change here.

Additionally odd: they did accept that 2.2.14 disabled SSL functionality to prevent the issue, though not fix it. Yet again the version # didn't change.

Interestingly, we have some other equipment that requires the client renegotiation, but because we are leasing it rather than owning it, it's out of scope.

IMHO, it's simply easier to always mod the version string in some way rather than trying to argue with them.

--
------------------------------------------------------------------------
1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70 3F8C 75B8 8FFB DB9B 8C1C
Philip M. Gollucci (pgollucci@p6m7g8.com) c: 703.336.9354
VP Apache Infrastructure; Member, Apache Software Foundation
Committer, FreeBSD Foundation
Consultant, P6M7G8 Inc.
Sr. System Admin, Ridecharge Inc.

Work like you don't need the money, love like you'll never get hurt,
and dance like nobody's watching.