From: Gordon Tetlow <gordon@tetlows.org>
Subject: Re: OpenSSL 1.1.1o in 12.3?
Date: Mon, 9 May 2022 11:31:01 -0700
To: Natalino Picone
Cc: freebsd-security@freebsd.org
List-Id: Security issues
List-Archive: https://lists.freebsd.org/archives/freebsd-security

The only vulnerability in 1.1.1 was regarding the c_rehash script, which we don't ship as part of FreeBSD. As such, we didn't push it into so-maintained releng branches.

Best,
Gordon
Hat: security-officer

> On May 9, 2022, at 12:37 AM, Natalino Picone <natalino.picone@nozominetworks.com> wrote:
>
> Hi,
> I was looking at the latest OpenSSL CVE.
> Should this also be merged on 12.3? Right now it has been done only on 13.1
>
> https://github.com/freebsd/freebsd-src/commit/2e121bd7c73932ac52332b53ebd7824965e6a7b4
>
> Thanks,
> Nat
>
> Natalino Picone
> Senior Product Security Engineer
> • Phone: +41 (0)91 647 04 06
> • natalino.picone@nozominetworks.com
>
> Nozomi Networks | The Leader in OT & IoT Security

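A quick way to verify the reply's premise on a given host, as an added example that is not part of this thread: a POSIX sh check for whether the c_rehash script is actually present, in the base system or in a ports/pkg-installed OpenSSL. The directory list and the pkg(8) ownership lookup are my assumptions, not anything stated in the thread.

```shell
#!/bin/sh
# Added example (not from the list thread). Reports whether the c_rehash
# script exists in the given directories, so the "we don't ship it"
# reasoning can be checked against the host in front of you.
#
# Assumption (constructed default): base OpenSSL tools live in /usr/bin,
# a ports/pkg OpenSSL in /usr/local/bin or /usr/local/openssl/bin.

# find_c_rehash DIR... -> prints every DIR/c_rehash that exists;
# returns 0 if at least one was found, 1 if none.
find_c_rehash() {
    found=1
    for d in "$@"; do
        if [ -f "$d/c_rehash" ]; then
            printf '%s\n' "$d/c_rehash"
            found=0
        fi
    done
    return $found
}

# report_c_rehash DIR... -> one-line verdict plus, for each hit, the
# owning package when pkg(8) is available (FreeBSD-specific lookup).
report_c_rehash() {
    hits=$(find_c_rehash "$@") || {
        echo "c_rehash not found in: $*"
        return 1
    }
    echo "c_rehash present:"
    for f in $hits; do
        owner=""
        if command -v pkg >/dev/null 2>&1; then
            owner=$(pkg which -q "$f" 2>/dev/null) || owner=""
        fi
        if [ -n "$owner" ]; then
            echo "  $f (package: $owner)"
        else
            echo "  $f"
        fi
    done
    return 0
}

# When run directly, check the constructed default set; rc holds the verdict.
default_dirs="/usr/bin /usr/local/bin /usr/local/openssl/bin"
report_c_rehash $default_dirs && rc=0 || rc=1
```

Finding the script only under /usr/local means it came from a port or package rather than the base system, and that package is what needs the update.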