From: Brandon Vincent
To: Piotr Kubaj
Cc: freebsd-security@freebsd.org
Date: Sun, 31 Aug 2014 08:02:12 -0700
Subject: Re: OpenSSL SA
In-Reply-To: <54021C36.6070709@riseup.net>

On Sat, Aug 30, 2014 at 11:47 AM, Piotr Kubaj wrote:
> Hello. According to https://www.openssl.org/news/secadv_20140806.txt
> there's been a known SA in OpenSSL for 24 days. Since then
> security/openssl has been updated and there have been updates to head
> and stable{8,9,10} but there hasn't been any FreeBSD SA. Is it that so@
> has somehow forgotten about it, or the vulnerable features are off in base?

It looks like OpenSSL 1.0.1i (which fixes all the issues in the SA from
upstream) was merged into stable on August 7th. The announcement from
FreeBSD was probably accidentally not published.

Brandon Vincent