FreeBSD Security Advisory FreeBSD-SA-21:16.openssl
Gordon Tetlow
gordon at tetlows.org
Wed Aug 25 15:35:57 UTC 2021
> On Aug 25, 2021, at 8:32 AM, mike tancsa <mike at sentex.net> wrote:
>
> On 8/25/2021 11:22 AM, Gordon Tetlow wrote:
>> Hi All,
>>> Was reading the original advisory at
>>> https://www.google.com/url?q=https://www.google.com/url?q%3Dhttps://www.openssl.org/news/secadv/20210824.txt%26source%3Dgmail-imap%26ust%3D1630497552000000%26usg%3DAOvVaw21BGr3aGIh9CKIH3efYzY4&source=gmail-imap&ust=1630510336000000&usg=AOvVaw1DOZPIolrilgltIWdl61D6 and it says
>>>
>>> "OpenSSL versions 1.0.2y and below are affected by this [CVE-2021-3712]
>>> issue."
>>>
>>> Does it not then impact RELENG11 ?
>>>
>>> % openssl version
>>> OpenSSL 1.0.2u-freebsd 20 Dec 2019
>>>
>>> I know RELENG_11 support ends in about a month, but should it not be
>>> flagged ?
>> As we don't have a support contract with OpenSSL to get access to 1.0.2 patches, we could only roll the 1.1.1 patches.
>
> Hi Gordon,
>
> I was thinking more in terms of just a mention that RELENG_11 is
> indeed vulnerable, no ?
I hear you. We don't really have a way of doing that with our existing SA setup. It's oriented to releasing patches; it is not equipped to notify users of vulnerabilities that we do not have a patch for. Let me think on how we might support such a thing and discuss with the team.
Thanks,
Gordon
More information about the freebsd-security
mailing list