RE: OpenSSL Security Advisory (fwd)
- Reply: mike tancsa : "Re: OpenSSL Security Advisory (fwd)"
- In reply to: Cy Schubert : "OpenSSL Security Advisory (fwd)"
Date: Wed, 04 Sep 2024 13:27:46 UTC
>> Possible denial of service in X.509 name checks (CVE-2024-6119)

> Is this something we need to concern ourselves with?

Since no one else is chiming in, I'll provide my feeble thoughts.

As I read it, it primarily affects outgoing TLS connections. I.e., curl, wget, et al, and possibly (and more importantly IMO) apache/nginx proxying to another server.

Speculating here: this could affect high volume web services where security is enough of a concern that the operators have enabled certificate name checks.

As a commercial user of FreeBSD with security conscious customers, I would certainly like to see it fixed in a FreeBSD patch release, but in all honesty we could easily enough apply the openssl patches to our FreeBSD source tree ourselves.

- Steve Wall