FreeBSD Security Advisory FreeBSD-SA-21:16.openssl

Vincent Hoffman-Kazlauskas vince at unsane.co.uk
Wed Aug 25 15:42:47 UTC 2021 


On 25/08/2021 16:22, Gordon Tetlow via freebsd-security wrote:
> 
>> On Aug 25, 2021, at 4:59 AM, mike tancsa <mike at sentex.net> wrote:
>>
>> On 8/24/2021 4:53 PM, FreeBSD Security Advisories wrote:
>>>
>>> Branch/path                             Hash                     Revision
>>> -------------------------------------------------------------------------
>>> stable/13/                              9d31ae318711    stable/13-n246940
>>> releng/13.0/                            2261c814b7fa  releng/13.0-n244759
>>> stable/12/                                                        r370385
>>> releng/12.2/                                                      r370396
>>> -------------------------------------------------------------------------
>>
>>
>> Hi All,
>>
>>     Was reading the original advisory at
>> https://www.google.com/url?q=https://www.openssl.org/news/secadv/20210824.txt&source=gmail-imap&ust=1630497552000000&usg=AOvVaw21BGr3aGIh9CKIH3efYzY4 and it says
>>
>> "OpenSSL versions 1.0.2y and below are affected by this [CVE-2021-3712]
>> issue."
>>
>> Does it not then impact RELENG11 ?
>>
>> % openssl version
>> OpenSSL 1.0.2u-freebsd  20 Dec 2019
>>
>> I know RELENG_11 support ends in about a month, but should it not be
>> flagged ?
> 
> As we don't have a support contract with OpenSSL to get access to 1.0.2 patches, we could only roll the 1.1.1 patches.

I may have the wrong end of the stick but
https://www.openssl.org/news/vulnerabilities.html
says "Fixed in OpenSSL 1.0.2za (git commit) (Affected 1.0.2-1.0.2y)"
with the git commit linked being
https://github.com/openssl/openssl/commit/ccb0a11145ee72b042d10593a64eaf9e8a55ec12

Is this not eligible for inclusion? I do however appreciate that as
support ends so soon resources are best used on the longer lived versions.

Regards,
Vince

> 
> Best,
> Gordon
> Hat: security-officer
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
>

More information about the freebsd-security mailing list