From owner-freebsd-security@FreeBSD.ORG Fri Apr 23 06:01:19 2010
From: Julian Elischer
Date: Thu, 22 Apr 2010 22:31:03 -0700
Message-ID: <4BD13097.4060200@elischer.org>
To: "Philip M. Gollucci"
Cc: Tim Gustafson, Dag-Erling Smørgrav, Eirik Øverby, freebsd-security@freebsd.org
Subject: Re: OpenSSL 0.9.8k -> 0.9.8l
In-Reply-To: <4BD10D03.7010201@p6m7g8.com>
References: <258059512.789871271827382221.JavaMail.root@mail-01.cse.ucsc.edu> <4BD10D03.7010201@p6m7g8.com>

On 4/22/10 7:59 PM, Philip M. Gollucci wrote:
> On 4/21/2010 1:55 AM, Eirik Øverby wrote:
>> It is a misconception to think that one _has to_ run the latest
>> version (as suggested by dumb network scans) in order to remain
>> compliant (PCI DSS or otherwise). What is needed is that the issues
>> found are either patched or documented to be not applicable.
>
> I completely agree; however, having just achieved PCI certification for
> $work in *this* month -- 2 different (unnamed PCI auditing firms) refused
> to accept OpenSSL had been patched without version number changes.
>
> Kind of odd considering they said my httpd 2.2.14 was vulnerable to the
> Windows mod_isapi CVE on fbsd but accepted on face value that we can't
> possibly be since it's not Windows and not loaded. Yet the version #
> didn't change here.
>
> Additionally odd, they did accept that 2.2.14 disabled SSL functionality
> to prevent the issue though not fix it. Yet again the version # didn't
> change.
>
> Interestingly we have some other equipment that requires the client
> renegotiation but b/c we are leasing it rather than owning it, it's out
> of scope.
>
> IMHO, it's simply easier to always mod the version string in some way
> rather than trying to argue with them.

Append -p2 to the end of the version number before submitting it to them :-)

> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
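The thread above turns on one point: a scanner or auditor that reads only the version banner cannot tell a locally patched 0.9.8k from an unpatched one, which is why appending a patch level to the banner changes the outcome. The following is an added example, not code from this thread, from FreeBSD or from OpenSSL. It parses banners of the shape "0.9.8k" with an optional FreeBSD-style "-pN" suffix (the suffix format and the choice of 0.9.8l as the scanner's fixed-version threshold are assumptions for the demonstration) and shows side by side what a banner-only comparison concludes and what a comparison that honours a declared local patch level concludes.

```python
import re
from typing import NamedTuple, Optional

# Banner grammar (an assumption for this example): an OpenSSL 0.9.x-style
# version such as "0.9.8k", optionally followed by a FreeBSD-style local
# patch level such as "-p2". Nothing here is OpenSSL's or FreeBSD's code.
_BANNER = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-p(\d+))?$")


class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    fix: int
    letter: str   # "k", "l", ...; "" (no letter) sorts before "a"
    patch: int    # local patch level; 0 when the banner carries none

    @classmethod
    def parse(cls, banner: str) -> "OpenSSLVersion":
        m = _BANNER.match(banner.strip())
        if m is None:
            raise ValueError(f"unrecognised version banner: {banner!r}")
        major, minor, fix, letter, patch = m.groups()
        return cls(int(major), int(minor), int(fix), letter, int(patch or 0))

    def base(self) -> "OpenSSLVersion":
        """The upstream release with any local patch level stripped."""
        return self._replace(patch=0)


def banner_scanner_flags(banner: str, fixed_in: str) -> bool:
    """What a scanner that only reads the banner can conclude: any upstream
    release older than `fixed_in` is reported vulnerable, whatever local
    patches were applied. The patch level is deliberately ignored."""
    return OpenSSLVersion.parse(banner).base() < OpenSSLVersion.parse(fixed_in).base()


def patch_aware_flags(banner: str, fixed_in: str,
                      fixed_locally_at: Optional[str] = None) -> bool:
    """Same check, but a declared local patch level is honoured: the host is
    treated as fixed if it runs `fixed_in` or later, or if it runs the same
    base release as `fixed_locally_at` at that patch level or higher."""
    v = OpenSSLVersion.parse(banner)
    if v.base() >= OpenSSLVersion.parse(fixed_in).base():
        return False
    if fixed_locally_at is not None:
        p = OpenSSLVersion.parse(fixed_locally_at)
        if v.base() == p.base() and v.patch >= p.patch:
            return False
    return True


if __name__ == "__main__":
    # Constructed inputs: the scanner is configured to treat 0.9.8l (the
    # release in the thread's subject line) as the fixed version, and the
    # site records that its local fix landed at 0.9.8k-p2.
    for host in ("0.9.8k", "0.9.8k-p1", "0.9.8k-p2", "0.9.8l"):
        print(f"{host:10} banner-only: {banner_scanner_flags(host, '0.9.8l')!s:5} "
              f"patch-aware: {patch_aware_flags(host, '0.9.8l', '0.9.8k-p2')}")
```

Note what the two functions disagree on: a host reporting "0.9.8k-p2" is still flagged by the banner-only check, because that check strips the suffix before comparing, and only stops being flagged when the comparison is told which local patch level carries the fix. The suffix on its own proves nothing; it only helps when the party reading it also has the record of what that patch level contains.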