Re: [Evergreen] Fwd: [security-announce] Todays openssl release - "DROWN" CVE-2016-0800 and "Cachebleed"

2016-03-01 Thread Michal Kubecek
On Wed, Mar 02, 2016 at 08:06:31AM +0100, Patrick Schaaf wrote:
> On Wed, Mar 2, 2016 at 7:58 AM, Michal Kubecek wrote:
> > This is surprising as current evergreen 11.4 openssl update (version
> > 1.0.1p-68.2) does present exactly the same version (0x1000110f) which
> > was one of the reasons why

Re: [Evergreen] Fwd: [security-announce] Todays openssl release - "DROWN" CVE-2016-0800 and "Cachebleed"

2016-03-01 Thread Patrick Schaaf
On Wed, Mar 2, 2016 at 7:58 AM, Michal Kubecek wrote:
> This is surprising as current evergreen 11.4 openssl update (version
> 1.0.1p-68.2) does present exactly the same version (0x1000110f) which
> was one of the reasons why I did cherry pick CVE related fixes from
> 1.0.1 branch since 1.0.1p ins

Re: [Evergreen] Fwd: [security-announce] Todays openssl release - "DROWN" CVE-2016-0800 and "Cachebleed"

2016-03-01 Thread Michal Kubecek
On Wed, Mar 02, 2016 at 07:29:02AM +0100, Patrick Schaaf wrote:
> On Tue, Mar 1, 2016 at 11:49 PM, Michal Kubecek wrote:
> > http://download.opensuse.org/repositories/home:/mkubecek:/branches:/Evergreen_Maintained:/openssl/openSUSE_Evergreen_11.4/
>
> I'm going to test that on a VM which makes ou

Re: [Evergreen] Fwd: [security-announce] Todays openssl release - "DROWN" CVE-2016-0800 and "Cachebleed"

2016-03-01 Thread Patrick Schaaf
> http://download.opensuse.org/repositories/home:/mkubecek:/branches:/Evergreen_Maintained:/openssl/openSUSE_Evergreen_11.4/
>> Installing: openssh-5.8p1-4.1 [done]
ARGH. I'm stupid. Forget that. I copied the normal evergreen .repo file and changed the baseurl only, so I had two repo files with th

Re: [Evergreen] Fwd: [security-announce] Todays openssl release - "DROWN" CVE-2016-0800 and "Cachebleed"

2016-03-01 Thread Patrick Schaaf
On Wed, Mar 2, 2016 at 7:29 AM, Patrick Schaaf wrote:
> On Tue, Mar 1, 2016 at 11:49 PM, Michal Kubecek wrote:
>> http://download.opensuse.org/repositories/home:/mkubecek:/branches:/Evergreen_Maintained:/openssl/openSUSE_Evergreen_11.4/
>
> First observation, upon updating (together with glibc, o

Re: [Evergreen] Fwd: [security-announce] Todays openssl release - "DROWN" CVE-2016-0800 and "Cachebleed"

2016-03-01 Thread Patrick Schaaf
On Tue, Mar 1, 2016 at 11:49 PM, Michal Kubecek wrote:
> http://download.opensuse.org/repositories/home:/mkubecek:/branches:/Evergreen_Maintained:/openssl/openSUSE_Evergreen_11.4/
I'm going to test that on a VM which makes outgoing SSL connections (PHP/curl) all through the day. First observatio

Re: [Evergreen] Fwd: [security-announce] Todays openssl release - "DROWN" CVE-2016-0800 and "Cachebleed"

2016-03-01 Thread Michal Kubecek
On Tue, Mar 01, 2016 at 07:05:24PM +0100, Wolfgang Rosenauer wrote:
>
> I'm not sure what to do for 11.4. 11.4 is currently on 1.0.1p and
> probably it's totally acceptable to update it to 1.0.1s?
>
> Anyone up for taking care?
I have packages ready in OBS; they passed openssl testsuite (as part

Re: [Evergreen] Fwd: [security-announce] Todays openssl release - "DROWN" CVE-2016-0800 and "Cachebleed"

2016-03-01 Thread Michal Kubecek
>
> I'm not sure what to do for 11.4. 11.4 is currently on 1.0.1p and
> probably it's totally acceptable to update it to 1.0.1s?
>
> Anyone up for taking care?
I'll take a look.
Michal

[Evergreen] Fwd: [security-announce] Todays openssl release - "DROWN" CVE-2016-0800 and "Cachebleed"

2016-03-01 Thread Wolfgang Rosenauer
Hi, please see below. I'd like to add that openSUSE 13.1 still had SSLv2 enabled. Therefore I'm planning to do the same for 13.1 as described here for SLES and Leap 42.1. The patch is currently building for 13.1. I'm not sure what to do for 11.4. 11.4 is currently on 1.0.1p and probably it's tot