Created attachment 199109
exclude LibreSSL smaller than 2.8

Hi,

# libressl-2.7.4 is vulnerable:
# OpenSSL -- Multiple vulnerabilities in 1.1 branch
# CVE: CVE-2018-0734
# CVE: CVE-2018-0735
# WWW: https://vuxml.FreeBSD.org/freebsd/238ae7de-dba2-11e8-b713-b499baebfeaf.html

This is incorrect. Allegedly, 2.8 is affected because it shares the same qualities as OpenSSL 1.1.x. LibreSSL 2.7 is still a 1.0.x equivalent.

To me it is unclear why LibreSSL was pulled into this entry due to apparent hearsay. LibreSSL has been officially silent about this issue and has not even issued / announced "2.8.3", so the entry is completely bogus.

https://www.libressl.org/releases.html

For now, just exclude versions < 2.8 and let this be figured out by ports-secteam@

Cheers,
Franco
A commit references this bug:

Author: brnrd
Date: Sat Nov 10 14:02:01 UTC 2018
New revision: 484612
URL: https://svnweb.freebsd.org/changeset/ports/484612

Log:
  security/vuxml: Update latest openssl entry

  - LibreSSL prior to 2.8 not vulnerable
  - LibreSSL likely not vulnerable to CVE-2018-0735

  PR:		233109
  Submitted by:	Franco Fichtner <franco opnsense org>

Changes:
  head/security/vuxml/vuln.xml
Thank you.
Comment on attachment 199109
exclude LibreSSL smaller than 2.8

security/libressl in FreeBSD's ports tree is 2.8.2 and is vulnerable.
PS: I don't get the "-" maintainer approval. The commit you pushed is the same. You can use multiple names in <package/> ;)
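The dispute in this PR is about which version range a vuxml entry should attach to the libressl package (and whether libressl-devel should share the same <package/> element). The following is an added example, not code from the thread or from the vuxml tooling: it parses a constructed vuxml-style fragment and reports whether a given port version falls inside an entry's range. The XML is constructed for illustration and is not the real 238ae7de-... entry; the version comparison is a deliberate simplification of pkg's algorithm (no ",epoch" or "_revision" handling), which is an assumption stated in the code.

```python
import re
import xml.etree.ElementTree as ET

# Constructed vuxml-style fragment (assumption: mirrors the <package>/<name>/<range>
# layout of security/vuxml/vuln.xml). It is NOT the real entry discussed in this PR.
# Note the second <package/> carries two <name/> children, as the PS above suggests.
VULN_XML = """
<vuln vid="00000000-0000-0000-0000-000000000000">
  <affects>
    <package>
      <name>openssl111</name>
      <range><lt>1.1.1a</lt></range>
    </package>
    <package>
      <name>libressl</name>
      <name>libressl-devel</name>
      <range><ge>2.8</ge><lt>2.8.3</lt></range>
    </package>
  </affects>
</vuln>
"""


def version_key(version):
    """Split '1.1.1a' into comparable tokens: [(0,1),(0,1),(0,1),(1,'a')].

    Numeric runs compare numerically, letter runs lexically; a version that is a
    strict prefix of another sorts lower (so 2.8 < 2.8.2 and 1.1.1 < 1.1.1a).
    Simplification (assumption): pkg's real ordering also knows about ",epoch"
    and "_revision" suffixes, which this example does not handle.
    """
    tokens = re.findall(r"\d+|[A-Za-z]+", version)
    return [(0, int(t)) if t.isdigit() else (1, t) for t in tokens]


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is lower than, equal to, or higher than b."""
    ka, kb = version_key(a), version_key(b)
    return (ka > kb) - (ka < kb)


# Map vuxml range operators to a test on compare_versions(installed, bound).
_OPS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "gt": lambda c: c > 0,
    "ge": lambda c: c >= 0,
    "eq": lambda c: c == 0,
}


def is_affected(xml_text, pkg_name, pkg_version):
    """True if pkg_name-pkg_version matches any <package>/<range> in the entry.

    A <range> matches only when every bound inside it holds (ge AND lt), so
    <ge>2.8</ge><lt>2.8.3</lt> excludes 2.7.4 (the reporter's case) and 2.8.3.
    """
    root = ET.fromstring(xml_text)
    for package in root.iter("package"):
        names = {n.text.strip() for n in package.findall("name")}
        if pkg_name not in names:
            continue
        for rng in package.findall("range"):
            bounds = [(b.tag, b.text.strip()) for b in rng]
            if all(_OPS[op](compare_versions(pkg_version, bound)) for op, bound in bounds):
                return True
    return False


if __name__ == "__main__":
    for name, ver in [("libressl", "2.7.4"), ("libressl", "2.8.2"),
                      ("libressl", "2.8.3"), ("libressl-devel", "2.8.0"),
                      ("openssl111", "1.1.1"), ("openssl111", "1.1.1a")]:
        status = "vulnerable" if is_affected(VULN_XML, name, ver) else "not affected"
        print(f"{name}-{ver}: {status}")
```

With the constructed range, libressl-2.7.4 is reported as not affected while the 2.8.2 in the ports tree is, which is the distinction the committed vuxml update draws.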
(In reply to Franco Fichtner from comment #4)

Didn't spot that in the diff, you're right.

For the record (from IRC, 2018-10-27):

User: "is libressl affected by CVE-2018-0735? https://www.openssl.org/news/secadv/20181029.txt"
LibreSSL dev: "yes, we're going to be starting on it soon"