Date: Sat, 10 Nov 2018 12:54:51 +0000
From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 233109] security/vuxml: exclude LibreSSL 2.7 from CVE-2018-0734 / CVE-2018-0735
Message-ID: <bug-233109-7788@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233109

            Bug ID: 233109
           Summary: security/vuxml: exclude LibreSSL 2.7 from CVE-2018-0734 / CVE-2018-0735
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-secteam@FreeBSD.org
          Reporter: franco@opnsense.org
          Assignee: ports-secteam@FreeBSD.org
             Flags: maintainer-feedback?(ports-secteam@FreeBSD.org)

Created attachment 199109
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=199109&action=edit
exclude LibreSSL smaller than 2.8

Hi,

# libressl-2.7.4 is vulnerable:
# OpenSSL -- Multiple vulnerabilities in 1.1 branch
# CVE: CVE-2018-0734
# CVE: CVE-2018-0735
# WWW: https://vuxml.FreeBSD.org/freebsd/238ae7de-dba2-11e8-b713-b499baebfeaf.html

This is incorrect. Allegedly 2.8 is affected because it shares the same
qualities as OpenSSL 1.1.x. LibreSSL 2.7 is still a 1.0.x equivalent.

To me it is unclear why LibreSSL was pulled into this entry due to apparent
hearsay. LibreSSL has been officially silent about this issue and has not even
issued / announced "2.8.3" so the entry is completely bogus.

https://www.libressl.org/releases.html

For now, just exclude versions < 2.8 and let this be figured out by
ports-secteam@

Cheers,
Franco

-- 
You are receiving this mail because:
You are the assignee for the bug.