Bug 206610 - security/libressl: Identify whether affected by OpenSSL vulnerability
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Bernard Spil
URL: https://mta.openssl.org/pipermail/ope...
Keywords: needs-qa, security
Depends on:
Blocks: 206607
Reported: 2016-01-25 13:59 UTC by Kubilay Kocak
Modified: 2016-01-29 09:28 UTC

See Also:
bugzilla: maintainer-feedback? (brnrd)
koobs: merge-quarterly?


Description Kubilay Kocak freebsd_committer freebsd_triage 2016-01-25 13:59:27 UTC

    
Comment 1 Dirk Meyer freebsd_committer freebsd_triage 2016-01-28 19:44:12 UTC
LibreSSL seems to be affected.

http://intothesymmetry.blogspot.de/2016/01/openssl-key-recovery-attack-on-dh-small.html
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2016-01-29 09:25:03 UTC
Ping. I read that libressl is not affected (after removing the implicated feature last week?). Can you confirm and update this issue accordingly?
Comment 3 Bernard Spil freebsd_committer freebsd_triage 2016-01-29 09:28:50 UTC
Upstream project has released new versions of 2.1, 2.2 and 2.3. None of these have been deemed vulnerability fixes, i.e. came with no errata.

Reviews for the new versions created
https://reviews.freebsd.org/D5115 (security/libressl)
https://reviews.freebsd.org/D5116 (security/libressl-devel)