> On Aug 25, 2021, at 8:32 AM, mike tancsa <[email protected]> wrote:
>
> On 8/25/2021 11:22 AM, Gordon Tetlow wrote:
>> Hi All,
>>> Was reading the original advisory at
>>> https://www.openssl.org/news/secadv/20210824.txt
>>> and it says
>>>
>>> "OpenSSL versions 1.0.2y and below are affected by this [CVE-2021-3712]
>>> issue."
>>>
>>> Does it not then impact RELENG11 ?
>>>
>>> % openssl version
>>> OpenSSL 1.0.2u-freebsd  20 Dec 2019
>>>
>>> I know RELENG_11 support ends in about a month, but should it not be
>>> flagged ?
>> As we don't have a support contract with OpenSSL to get access to 1.0.2
>> patches, we could only roll the 1.1.1 patches.
>
> Hi Gordon,
>
> I was thinking more in terms of just a mention that RELENG_11 is
> indeed vulnerable, no ?
I hear you. We don't really have a way of doing that with our existing SA setup. It's oriented to releasing patches; it is not equipped to notify users of vulnerabilities that we do not have a patch for. Let me think on how we might support such a thing and discuss with the team.

Thanks,
Gordon
_______________________________________________
[email protected] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[email protected]"
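The question in the thread, whether the `openssl version` banner on RELENG_11 falls inside the advisory's "1.0.2y and below" range, comes down to parsing OpenSSL's pre-3.0 version scheme correctly. The following is an added example, not code from the thread or from the FreeBSD project: it parses a banner such as `OpenSSL 1.0.2u-freebsd  20 Dec 2019`, ignores the vendor suffix and build date, and compares the patch letters against the ceilings the OpenSSL advisory of 24 Aug 2021 gives for CVE-2021-3712 (1.0.2y and below, as quoted above, and 1.1.1k and below from the same advisory). The function names and the sample banners other than the one from the thread are constructed for this example.

```python
import re

# Per-branch ceilings of affected releases for CVE-2021-3712, from the
# OpenSSL advisory of 2021-08-24. The 1.0.2y bound is the one quoted in
# the thread; the 1.1.1k bound is from the same advisory.
AFFECTED_CEILINGS = {
    (1, 0, 2): "y",   # 1.0.2y and earlier affected, fixed in 1.0.2za (premium)
    (1, 1, 1): "k",   # 1.1.1k and earlier affected, fixed in 1.1.1l
}

# Leading "OpenSSL <major>.<minor>.<fix><letters>"; anything after the
# letters (e.g. "-freebsd", the build date) is deliberately not matched.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Parse `openssl version` output into (major, minor, fix, letters).

    Vendor suffixes such as "-freebsd" and the trailing build date are
    ignored, so "OpenSSL 1.0.2u-freebsd  20 Dec 2019" -> (1, 0, 2, "u").
    """
    m = _VERSION_RE.match(banner.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version banner: {banner!r}")
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), letters)


def patch_letters_key(letters):
    """Sort key for pre-3.0 patch letters: "" < "a" < ... < "z" < "za" < "zb".

    The 1.0.2 branch continued past "z" with two-letter suffixes, so a plain
    string comparison would wrongly place "za" before "b"; comparing by
    (length, string) keeps the intended order.
    """
    return (len(letters), letters)


def cve_2021_3712_status(banner):
    """Classify a banner as "affected", "fixed" or "not-listed".

    "not-listed" means the branch is not in the advisory's table at all
    (for example an end-of-life 1.0.1 build), which is not the same as safe.
    """
    major, minor, fix, letters = parse_openssl_version(banner)
    ceiling = AFFECTED_CEILINGS.get((major, minor, fix))
    if ceiling is None:
        return "not-listed"
    if patch_letters_key(letters) <= patch_letters_key(ceiling):
        return "affected"
    return "fixed"


if __name__ == "__main__":
    # The first banner is the one quoted in the thread; the rest are constructed.
    for sample in (
        "OpenSSL 1.0.2u-freebsd  20 Dec 2019",
        "OpenSSL 1.1.1k",
        "OpenSSL 1.1.1l",
        "OpenSSL 1.0.2za",
        "OpenSSL 1.0.1u",
    ):
        print(f"{sample:40s} -> {cve_2021_3712_status(sample)}")
```

One caveat the thread itself illustrates: distributions that backport fixes, FreeBSD's base system included, keep reporting the upstream version string, so a banner inside the affected range says only that the upstream release is affected. Here Gordon confirms no 1.0.2 patch was rolled, so the conclusion holds for RELENG_11, but in general the vendor's own advisories or the package changelog, not the banner, decide whether a given CVE fix is present.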
