OpenSSL CVE-2009-4355
Brian A. Seklecki (CFI NOC)
seklecki at noc.cfi.pgh.pa.us
Tue Apr 27 15:54:17 UTC 2010
On 1/20/2010 2:56 PM, Brian A. Seklecki wrote:
> Per Daniele Sluijters's inquiry on the 15th,CVE-2009-4355, as
> well as with a provision/draft fix for CVE-2009-3555
> MITM/Renegotiation Venerability.
All:
Did anyone ever come to a finding on CVE-2009-4355?
Using the comments in Redhat Bugzilla, I was never able
to re-create it on RELENG_6_3.
Of course, RELENG_6_3, RELENG_7_2, and RELENG_8 are still
behind OpenSSL 0.9.8m. FreeBSD9-Current seems to have 1.x-latest
- NetBSD fixed it in 5.0.2:
http://cvsweb.de.netbsd.org/cgi-bin/cvsweb.cgi/src/crypto
/dist/openssl/crypto/comp/Attic/c_zlib.c
- RHEL/Fedora patched their OpenSSL RPMs months ago.
Without widespread working DoS code in the wild, are we happy
instead, with patches to userland/ports etc.? Apache
httpd 2.2.15 and php5.3.2 in Ports?
Thanks,
~BAS
> I suspect we wont have a patch out for RELENG_6_3 by the 31st?
> But I'm willing to maintain one for another few months.
>
> -------- Forwarded Message --------
> From: OpenSSL<openssl at openssl.org>
> Reply-to: openssl-users at openssl.org
> To: openssl-users at openssl.org, openssl-announce at openssl.org
> Subject: OpenSSL 1.0.0 beta5 release
> Date: Wed, 20 Jan 2010 19:19:16 +0100
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
More information about the freebsd-security
mailing list