OpenSSL 1.0.1f was released today. It might be a good time to rebuild all the versions of nginx using static versions of OpenSSL.

There are three CVE remediations included in the release: CVE-2013-4353, CVE-2013-6449, CVE-2013-6450.
http://www.openssl.org/news/openssl-1.0.1-notes.html

It does not look like 1.0.1f changed the default behavior of ENGINE_rdrand (coderman's been following it).

1.0.1f added hostname and email verification routines so programs no longer have to do it themselves.

There's also an Apple SecureTransport bug workaround. Apple's SecureTransport does not properly negotiate ECDHE-ECDSA cipher suites. It affects Mac OS X and could affect iOS. It might be prudent to add SSL_OP_SAFARI_ECDHE_ECDSA_BUG by default.
http://www.mail-archive.com/[email protected]/msg32629.html
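To find nginx binaries that still carry a pre-1.0.1f static OpenSSL, the check below classifies the output of `nginx -V`. It is an added example, not part of the original post, and it assumes the build prints a `built with OpenSSL <version>` line; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example. Classifies the OpenSSL version an nginx binary was built
# with against the 1.0.1f release named in the post.
FIXED_SERIES=1.0.1
FIXED_LETTER=f

# Constructed sample of `nginx -V` output (the nginx version is a placeholder).
SAMPLE='nginx version: nginx/0.0.0
built with OpenSSL 1.0.1e 11 Feb 2013
TLS SNI support enabled
configure arguments: --with-http_ssl_module --with-openssl=../openssl-1.0.1e'

# Print the OpenSSL version found in `nginx -V` text read from stdin.
openssl_build_version() {
    sed -n 's/^built with OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' | head -n 1
}

# Read `nginx -V` text on stdin and print one of:
#   "outdated <v>"  1.0.1 series, letter release before f (or no letter)
#   "ok <v>"        1.0.1f or a later 1.0.1 letter release
#   "other <v>"     different branch; the 1.0.1f comparison does not apply
#   "unknown"       no "built with OpenSSL" line in the input
check_nginx_build() {
    v=$(openssl_build_version)
    if [ -z "$v" ]; then
        echo unknown
        return 0
    fi
    num=${v%%[a-z]*}      # numeric part, e.g. 1.0.1
    let=${v#"$num"}       # letter suffix, e.g. e (empty for plain 1.0.1)
    if [ "$num" != "$FIXED_SERIES" ]; then
        echo "other $v"
    elif LC_ALL=C expr "x$let" \< "x$FIXED_LETTER" >/dev/null; then
        echo "outdated $v"
    else
        echo "ok $v"
    fi
}

# Demo on the constructed sample. On a real host, nginx -V writes to stderr:
#   nginx -V 2>&1 | check_nginx_build
printf '%s\n' "$SAMPLE" | check_nginx_build
```

A binary linked dynamically reports the version of the headers it was compiled against, so for those builds also check the system library version.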
