Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 10 Dec 2020 13:08:22 +0100
From:      "Herbert J. Skuhra" <herbert@gojira.at>
To:        FreeBSD <freebsd-questions@freebsd.org>
Subject:   Re: Patches for OpenSSL
Message-ID:  <X9IPts200IJP+rvz@mail.bsd4all.net>
In-Reply-To: <267201d6ceeb$52ffcaa0$f8ff5fe0$@seibercom.net>
References:  <267201d6ceeb$52ffcaa0$f8ff5fe0$@seibercom.net>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On Thu, Dec 10, 2020 at 06:55:15AM -0500, jerry@seibercom.net wrote:
> I just read "FreeBSD Security Advisory FreeBSD-SA-20:33.openssl". I found the following part of the message quite troubling.
> 
>  
> 
> "Note: The OpenSSL project has published publicly available patches for versions included in FreeBSD 12.x.  This vulnerability is also known to affect OpenSSL versions included in FreeBSD 11.4.  However, the OpenSSL project is only giving patches for that version to premium support contract holders.  The FreeBSD project does not have access to these patches and recommends ..."
> 
>  
> 
> Exactly why doesn't FreeBSD have access to the above mentioned 'patches'? Is this purely a financial matter? If so, then exactly how much are we talking about here? For one, I would be too interested in knowing the specifics regarding FreeBSD's inability to gain access to these patches.

https://www.openssl.org/news/secadv/20201208.txt

OpenSSL 1.0.2 is out of support and no longer receiving public updates.
Extended support is available for premium support customers:
https://www.openssl.org/support/contracts.html


Premium Level Support

US$50,000 annually

-- 
Herbert



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?X9IPts200IJP+rvz>