Date: Tue, 1 Mar 2016 17:39:16 +0000
From: Loganaden Velvindron <loganaden@...il.com>
To: oss-security@...ts.openwall.com
Cc: CVE ID Requests <cve-assign@...re.org>
Subject: Re: CVE's for SSLv2 support

On Tue, Mar 1, 2016 at 5:33 PM, Kurt Seifried <kseifried@...hat.com> wrote:
> So there is this proposed RFC:
>
> https://tools.ietf.org/html/rfc6176
>
> TL;DR: SSLv2 needs to be shot.
>
> Now we have yet another significant SSLv2 problem, DROWN, bad enough in
> fact that Red Hat has now disabled SSLv2 in OpenSSL by default (already
> done in NSS/GnuTLS), so from my vendor perspective, we're treating SSLv2
> support as a security problem, the solution of which is to remove said
> support.
>
> But more generally, should we look at assigning CVE's for support of SSLv2,
> much like we would for products supporting DES or other known insecure
> cryptographic algorithms, hashes, digests and protocols? My personal vote
> is for yes.
>

Btw, FreeBSD has done some work there:
https://wiki.freebsd.org/LibreSSL/PatchingPorts#SSLv2.2FSSLv3_method_failures

Linking with LibreSSL would help uncover those cases, and assign CVEs :)

>
> --
> Kurt Seifried -- Red Hat -- Product Security -- Cloud
> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
> Red Hat Product Security contact: secalert@...hat.com
>
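The practical check behind this thread, whether a server still negotiates SSLv2 at all (the condition DROWN and RFC 6176 are about), as an added example that is not part of the original messages or of any project mentioned in them: a Python probe that sends a raw SSLv2 CLIENT-HELLO and parses the SERVER-HELLO, if any, that comes back. Message layouts and the seven 3-byte cipher-kind codes follow the SSLv2 specification; the host and port are whatever the caller supplies, and the `build_sslv2_server_hello` helper exists only so the parser can be exercised offline against a constructed reply.

```python
"""SSLv2 probe (added example, not from the oss-security thread).

Sends the CLIENT-HELLO a legacy SSLv2 client would send; a server with SSLv2
disabled answers with a TLS alert, a reset or silence, one with SSLv2 still
enabled answers with an SSLv2 SERVER-HELLO listing the cipher kinds it accepts.
"""
import os
import socket
import struct
import sys

MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04
SSL2_VERSION = 0x0002

# All seven SSLv2 cipher kinds (3 bytes each, per the SSLv2 specification).
SSLV2_CIPHER_SPECS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def _record(body):
    """2-byte SSLv2 record header: high bit set, low 15 bits = body length."""
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_sslv2_client_hello(challenge=None):
    """CLIENT-HELLO offering every SSLv2 cipher kind with an empty session id."""
    if challenge is None:
        challenge = os.urandom(16)          # spec allows 16..32 bytes
    specs = b"".join(SSLV2_CIPHER_SPECS)
    body = struct.pack(">BHHHH", MSG_CLIENT_HELLO, SSL2_VERSION,
                       len(specs), 0, len(challenge))
    return _record(body + specs + challenge)


def build_sslv2_server_hello(cipher_specs, certificate=b"", connection_id=b"\x00" * 16):
    """SERVER-HELLO as a legacy server sends it (session-id-hit 0, certificate
    type 1 = X.509). Present only so the parser can be tested offline."""
    specs = b"".join(cipher_specs)
    body = struct.pack(">BBBHHHH", MSG_SERVER_HELLO, 0, 1, SSL2_VERSION,
                       len(certificate), len(specs), len(connection_id))
    return _record(body + certificate + specs + connection_id)


def parse_sslv2_server_hello(record):
    """Return the cipher-kind names a SERVER-HELLO accepts, or None when the
    bytes are not a complete SSLv2 SERVER-HELLO (TLS alert, truncation, junk)."""
    if len(record) < 2 or not record[0] & 0x80:
        return None                          # TLS records start with 0x14..0x17
    body = record[2:2 + (struct.unpack(">H", record[:2])[0] & 0x7FFF)]
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return None
    _, _, _, version, cert_len, specs_len, conn_len = struct.unpack(">BBBHHHH", body[:11])
    if version != SSL2_VERSION or specs_len % 3:
        return None
    if 11 + cert_len + specs_len + conn_len != len(body):
        return None                          # truncated or padded record
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    return [SSLV2_CIPHER_SPECS.get(specs[i:i + 3], specs[i:i + 3].hex())
            for i in range(0, specs_len, 3)]


def _recv_record(sock):
    """Read one whole SSLv2 record; a non-SSLv2 reply is returned as-is."""
    data = b""
    while len(data) < 2:
        chunk = sock.recv(2 - len(data))
        if not chunk:
            return data
        data += chunk
    if not data[0] & 0x80:
        return data + sock.recv(4096)
    need = 2 + (struct.unpack(">H", data[:2])[0] & 0x7FFF)
    while len(data) < need:
        chunk = sock.recv(need - len(data))
        if not chunk:
            break
        data += chunk
    return data


def probe_sslv2(host, port=443, timeout=5.0):
    """Return the SSLv2 cipher kinds the server accepts; [] means SSLv2 is off."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        try:
            reply = _recv_record(sock)
        except (socket.timeout, ConnectionResetError):
            return []
    return parse_sslv2_server_hello(reply) or []


if __name__ == "__main__":
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    accepted = probe_sslv2(target, port)
    print("SSLv2 accepted:", accepted if accepted else "no")
```

Run as `python3 sslv2_probe.py host [port]`. An empty result is the expected outcome against anything built with SSLv2 compiled out (or against a LibreSSL-linked server, where the SSLv2 methods do not exist); any non-empty list means the server still speaks SSLv2 and, if it shares its RSA key with a TLS endpoint, is exposed to DROWN-style attacks on that endpoint as well.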