Date: Tue, 1 Mar 2016 17:39:16 +0000
From: Loganaden Velvindron <>
Cc: CVE ID Requests <>
Subject: Re: CVE's for SSLv2 support

On Tue, Mar 1, 2016 at 5:33 PM, Kurt Seifried <> wrote:

> So there is this proposed RFC:
> TL;DR: SSLv2 needs to be shot.
> Now we have yet another significant SSLv2 problem, DROWN, bad enough in
> fact that Red Hat has now disabled SSLv2 in OpenSSL by default (already
> done in NSS/GnuTLS), so from my vendor perspective, we're treating SSLv2
> support as a security problem, the solution of which is to remove said
> support.
> But more generally, should we look at assigning CVEs for support of SSLv2,
> much like we would for products supporting DES or other known insecure
> cryptographic algorithms, hashes, digests and protocols? My personal vote
> is for yes.
Btw, FreeBSD has done some work there:

Linking with LibreSSL would help uncover those cases, and assign CVEs :)

> --
> Kurt Seifried -- Red Hat -- Product Security -- Cloud
> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
> Red Hat Product Security contact:
