On 04/03/2016 15:57, walt wrote:
> I notice that openssl-1.0.2g-r2 restores SSLv2 as a temporary fix
> for the breakage caused by r1 yesterday.
>
> My machines are working just fine without SSLv2 so I'm going to skip
> the update to r2 and keep r1 while waiting for a permanent fix. I'm
> not a security expert, so I'd like to hear opinions from people who are.
>
> Should people who have already installed r1 and are not having any
> problems just stay with r1 for now? Or not.

The relevant bug is here:
https://bugs.gentoo.org/show_bug.cgi?id=576128

If you have sslv2 enabled, your choices are clear:

1. high likelihood of wholesale breakage, or
2. wait a little longer for a proper fix

Obviously -r1 is ideal as it disables sslv2. If you have it and it works, leave it in place.

Everyone else is going to have to make up their own mind, and there's no sane rational advice that can be given for all, considering what the choices are above.

FreeBSD is also hit with the same issue for similar reasons, and Fedora has its own pain. Between them and Gentoo I have every confidence a real fix will come out soon.

My choice is to sit tight for now. I can't afford to run the risk of taking the company's vital FreeBSD servers off the air to fix a bug unproven to be exploited in the wild.

It's a tough choice.

--
Alan McKinnon
[email protected]

