Date: Tue, 1 Mar 2016 18:18:12 +0000
From: Stuart Henderson <stu@...cehopper.org>
To: oss-security@...ts.openwall.com
Cc: CVE ID Requests <cve-assign@...re.org>
Subject: Re: CVE's for SSLv2 support

On 2016/03/01 17:39, Loganaden Velvindron wrote:
> Btw, FreeBSD has done some work there:
> https://wiki.freebsd.org/LibreSSL/PatchingPorts#SSLv2.2FSSLv3_method_failures

Debian did most of that work for SSLv2 years ago. Quite a lot was
upstreamed and a bunch more in patches, this really made it easier
to disable SSLv2 support in OpenSSL when we did it in OpenBSD.

> Linking with LibreSSL would help uncover those cases, and assign CVEs :)

There shouldn't be all that many left for SSLv2. There are a number
of patches in OpenBSD ports for SSLv*3* removal, some upstreamed - if
OS/distros are already going through ABI change pain at this point to
drop SSLv2, why not go the whole hog and drop v3 as well while you're
at it?