Simon L. Nielsen wrote:
On 2008.07.11 13:14:09 -0700, Chuck Swiger wrote:

[quote edited to contain important part]

WARNING         Your OpenSSL crypto library may be vulnerable to
WARNING         one or more of the the following known security
WARNING         flaws:
WARNING
WARNING         CAN-2002-0659, CAN-2006-4339, CVE-2006-2937 and
WARNING         CVE-2006-2940.
WARNING
[...]
Is the version of OpenSSL now included with RELENG_6 (OpenSSL 0.9.7e-p1)
OK, or is it at risk as reported?

Just so there is no doubt - the base system OpenSSL isn't actually
vulnerable to those issues.  They were fixed in SA-02:33.openssl,
FreeBSD-SA-06:19.openssl, and FreeBSD-SA-06:23.openssl.

The BIND build system just has no way to see this since they were
patched instead of upgraded.

... hence the false economy of not doing a "standard" upgrade of the version in the base. :) It's nice to know that for the particular set of problems listed in this version of BIND's warning message our users should not be at risk though.

I used the ports openssl on my 6-stable boxes without problems, but I did not have that many ports installed, and I nuked the base openssl first. YMMV.

Doug

--

    This .signature sanitized for your protection

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security