Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20160301181812.GY13281@symphytum.spacehopper.org>
Date: Tue, 1 Mar 2016 18:18:12 +0000
From: Stuart Henderson <stu@...cehopper.org>
To: oss-security@...ts.openwall.com
Cc: CVE ID Requests <cve-assign@...re.org>
Subject: Re: CVE's for SSLv2 support

On 2016/03/01 17:39, Loganaden Velvindron wrote:
> Btw, FreeBSD has done some work there:
> https://wiki.freebsd.org/LibreSSL/PatchingPorts#SSLv2.2FSSLv3_method_failures

Debian did most of that work for SSLv2 years ago. Quite a lot was
upstreamed and a bunch more in patches, this really made it easier
to disable SSLv2 support in OpenSSL when we did it in OpenBSD.

> Linking with LibreSSL would help uncover those cases, and assign CVEs :)

There shouldn't be all that many left for SSLv2. There are a number
of patches in OpenBSD ports for SSLv*3* removal, some upstreamed -
if OS/distros are already going through ABI change pain at this
point to drop SSLv2, why not go the whole hog and drop v3 as well
while you're at it?

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.