Date: Tue, 1 Mar 2016 18:18:12 +0000
From: Stuart Henderson <stu@...cehopper.org>
To: oss-security@...ts.openwall.com
Cc: CVE ID Requests <cve-assign@...re.org>
Subject: Re: CVE's for SSLv2 support

On 2016/03/01 17:39, Loganaden Velvindron wrote:
> Btw, FreeBSD has done some work there:
> https://wiki.freebsd.org/LibreSSL/PatchingPorts#SSLv2.2FSSLv3_method_failures

Debian did most of that work for SSLv2 years ago. Quite a lot was
upstreamed and a bunch more in patches; this really made it easier
to disable SSLv2 support in OpenSSL when we did it in OpenBSD.

> Linking with LibreSSL would help uncover those cases, and assign CVEs :)

There shouldn't be all that many left for SSLv2. There are a number
of patches in OpenBSD ports for SSLv*3* removal, some upstreamed -
if OS/distros are already going through ABI change pain at this
point to drop SSLv2, why not go the whole hog and drop v3 as well
while you're at it?
