Date: Tue, 1 Mar 2016 17:39:16 +0000
From: Loganaden Velvindron <loganaden@...il.com>
To: oss-security@...ts.openwall.com
Cc: CVE ID Requests <cve-assign@...re.org>
Subject: Re: CVE's for SSLv2 support

On Tue, Mar 1, 2016 at 5:33 PM, Kurt Seifried <kseifried@...hat.com> wrote:

> So there is this proposed RFC:
>
> https://tools.ietf.org/html/rfc6176
>
> TL;DR: SSLv2 needs to be shot.
>
> Now we have yet another significant SSLv2 problem, DROWN, bad enough in
> fact that Red Hat has now disabled SSLv2 in OpenSSL by default (already
> done in NSS/GnuTLS), so from my vendor perspective, we're treating SSLv2
> support as a security problem, the solution of which is to remove said
> support.
>
> But more generally, should we look at assigning CVE's for support of SSLv2,
> much like we would for products supporting DES or other known insecure
> cryptographic algorithms, hashes, digests and protocols? My personal vote
> is for yes.
>
Btw, FreeBSD has done some work there:
https://wiki.freebsd.org/LibreSSL/PatchingPorts#SSLv2.2FSSLv3_method_failures

Linking with LibreSSL would help uncover those cases, and assign CVEs :)


>
>
> --
> Kurt Seifried -- Red Hat -- Product Security -- Cloud
> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
> Red Hat Product Security contact: secalert@...hat.com
>

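The "link against LibreSSL and see what fails" approach works because LibreSSL removed the SSLv2_*method()/SSLv3_*method() constructors, so a port still calling them fails at link time. The same cases can be found earlier with a source scan; the script below is an added example, not code from the thread or from FreeBSD's wiki. The method names are the real OpenSSL API names; the sample source files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the original post): flag source files that still
# call the SSLv2/SSLv3 method constructors that LibreSSL no longer provides.
# The names below are the real OpenSSL API names; the sample tree is constructed.

# $1: directory to scan. Prints "file:line:match" per hit; exit status 0 when
# at least one legacy call is found, 1 when the tree is clean.
find_legacy_ssl_methods() {
    # "SSLv23_method(" does not match: after "SSLv2" the next char must be "_".
    grep -rnE 'SSLv(2|3)_(client_|server_)?method[[:space:]]*\(' "$1"
}

# Builds a constructed sample tree with one offending and one acceptable file.
# Prints the directory path.
make_sample_tree() {
    dir=$(mktemp -d)
    cat > "$dir/old.c" <<'EOF'
/* constructed sample: fails to link against LibreSSL */
ctx = SSL_CTX_new(SSLv2_client_method());
EOF
    cat > "$dir/ok.c" <<'EOF'
/* constructed sample: version-flexible method with SSLv2/SSLv3 switched off */
ctx = SSL_CTX_new(SSLv23_method());
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
EOF
    printf '%s\n' "$dir"
}
```

Run `find_legacy_ssl_methods /usr/ports/some/port/work` (path is a placeholder) and treat any hit as a port that needs the method call replaced, as the FreeBSD wiki page describes.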