OpenSSL and Heimdal

Volodymyr Kostyrko c.kworr at gmail.com
Wed May 2 12:44:20 UTC 2012


Robert Simmons wrote:
> Is there a plan to update OpenSSL to patch for CVE-2012-2131?
>
> Also, is the DOS vulnerability in libkrb5 that Heimdal 1.5.2 patches
> present in Heimdal 1.1 which shipped with 9.0-RELEASE?

I'll second this one.

1. Are there any plans on updating OpenSSL, and why not? It's getting a 
bad hype nowadays. And will we ever support TLS v1.[12]? BEAST attack 
seems to be not so far from most of us: 
https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls

2. What's with CVE-2011-1945? I've been waiting for months for just a tiny 
comment on this one, as, if this truly is not fixed in our source, all 9.0 
installations with world-open ssh are potentially vulnerable.

3. DragonFly is much faster than we are, they have 1.0.1b on master 
branch, while we have 1.0.1a in ports. They also already removed Heimdal 
from base and pkgsrc has 1.5.2 available with our 1.4 present in ports.

-- 
Sphinx of black quartz judge my vow.

