Date: Mon, 14 Jul 2008 00:23:45 +0200
From: "Simon L. Nielsen" <simon@FreeBSD.org>
To: Chuck Swiger <cswiger@mac.com>
Cc: freebsd-security@freebsd.org, Doug Barton <dougb@FreeBSD.org>
Subject: Re: OpenSSL warning from dns/bind95 build...?
Message-ID: <20080713222344.GB15766@zaphod.nitro.dk>
In-Reply-To: <DEB25E89-7447-4EA0-8800-23897C593756@mac.com>
References: <DEB25E89-7447-4EA0-8800-23897C593756@mac.com>

On 2008.07.11 13:14:09 -0700, Chuck Swiger wrote:

[quote edited to contain important part]

>> WARNING Your OpenSSL crypto library may be vulnerable to
>> WARNING one or more of the the following known security
>> WARNING flaws:
>> WARNING
>> WARNING CAN-2002-0659, CAN-2006-4339, CVE-2006-2937 and
>> WARNING CVE-2006-2940.
>> WARNING
[...]
> Is the version of OpenSSL now included with RELENG_6 (OpenSSL 0.9.7e-p1)
> OK, or is it at risk as reported?

Just so there is no doubt - the base system OpenSSL isn't actually
vulnerable to those issues. They were fixed in SA-02:33.openssl,
FreeBSD-SA-06:19.openssl, and FreeBSD-SA-06:23.openssl.

The BIND build system just has no way to see this since they were
patched instead of upgraded.

--
Simon L. Nielsen
Hats: Base system OpenSSL janitor and FreeBSD Security Team