[Bug 233109] security/vuxml: exclude LibreSSL 2.7 from CVE-2018-0734 / CVE-2018-0735
bugzilla-noreply at freebsd.org
Sat Nov 10 12:54:54 UTC 2018
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233109
Bug ID: 233109
Summary: security/vuxml: exclude LibreSSL 2.7 from CVE-2018-0734 / CVE-2018-0735
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: Individual Port(s)
Assignee: ports-secteam at FreeBSD.org
Reporter: franco at opnsense.org
Flags: maintainer-feedback?(ports-secteam at FreeBSD.org)
Created attachment 199109
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=199109&action=edit
exclude LibreSSL smaller than 2.8
Hi,
# libressl-2.7.4 is vulnerable:
# OpenSSL -- Multiple vulnerabilities in 1.1 branch
# CVE: CVE-2018-0734
# CVE: CVE-2018-0735
# WWW: https://vuxml.FreeBSD.org/freebsd/238ae7de-dba2-11e8-b713-b499baebfeaf.html
This is incorrect. Allegedly 2.8 is affected because it shares the same
qualities as OpenSSL 1.1.x. LibreSSL 2.7 is still a 1.0.x equivalent.
To me it is unclear why LibreSSL was pulled into this entry due to apparent
hearsay. LibreSSL has been officially silent about this issue and has not even
issued / announced "2.8.3" so the entry is completely bogus.
https://www.libressl.org/releases.html
For now, just exclude versions < 2.8 and let this be figured out by
ports-secteam@
Cheers,
Franco