OpenSSL 0.9.8k -> 0.9.8l

[Xin LI]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2010/04/17 07:49, Tim Gustafson wrote:
> Hi,
> 
> I run a few web servers with need to be PCI compliant.  Apparently there's a problem with OpenSSL 0.9.8k that requires us to upgrade to 0.9.8l for us to maintain our compliance level.
> 
> I've csup'd to RELENG_8_0 and did a build/install cycle and OpenSSL is still at 0.9.8k.  Using RELENG_8 isn't really an option for me because the last I upgraded to that level, ipfw was broken and I'm not sure that the problem with ipfw has been fixed (Luigi tells me that it has, but I haven't had time to test it yet).
> 
> Is there any movement to patch RELENG_8_0 with OpenSSL 0.9.8l?  Or will I be stuck with 0.9.8k until I move to RELENG_8?

RELENG_8_0 is considered as "frozen" which means we will do massive
upgrade there.  RELENG_8 would have the latest OpenSSL.

Note that "cheery picking" style of changes _may_ be permitted on
RELENG_8_0 per re@ and security-officer@'s decision.  If you know what
the problem is, please feel free to let secteam at FreeBSD.org know,
ideally with a reference to OpenSSL bug tracking system, a CVE number,
etc. so we will be able to handle it more quickly.

We do have patched RELENG_8_0 before 8.0-RELEASE for a few SSL protocol
flaws.  http://security.freebsd.org/advisories/FreeBSD-SA-09:15.ssl.asc

Hope this helps.

Cheers,
- -- 
Xin LI <delphij at delphij.net>	http://www.delphij.net/
FreeBSD - The Power to Serve!	       Live free or die
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (FreeBSD)

iQEcBAEBAgAGBQJLyeUyAAoJEATO+BI/yjfB1+MH/09y/TwPiSBwo/du9g3MdUX/
hiT0zI1FKgjEVEYw/QkEKD5F5TJLVQqhmgrW//JYzpVYt2w+QVZuEbuH2Mtf/wXk
6Py8Un3mUjeC7O2gEKmi0XgWX5cyFPariF4DGiXrZE0aO1y3xg/9SYwvuYX2dXdQ
4loqv4A74qTDiBedm/dLVFG7wlED5Tk03fgtvbyhbdEH5Dy7JnvUvgUc1P4/c2dN
zkBs4lRn+zd31itORyq1HmvmD5dWcpbXeEyb7OoSDZAsreCWfn5I623oEdhoumem
bJWsv8pSU6qc9ENY5Oot4CLhnweT3UvnMBTebM4egqG9YSvTwIRDqaVkHaPLdtw=
=UH5d
-----END PGP SIGNATURE-----