On 28 Mar, Pedro Giffuni wrote:
> Hi Don;
>
>> On 28 Mar, Pedro Giffuni wrote:
>> > In reply to Don,
>> >
>> >> The versions of openssl and curl badly need updating for the same
>> >> reason, and there is one CVE for serf.
>> >
>> > FreeBSD casually keeps some backported updates for the same openssl
>> > version AOO uses:
>> >
>> > https://svnweb.freebsd.org/base/stable/9/crypto/openssl/?view=log
>> >
>> > It should be pretty straightforward to take them from there and use
>> > them in main/openssl with minor adaptations.
>>
>> That would fix only part of the problem. The other part of the problem
>> is that the version of openssl that we currently bundle doesn't
>> implement the newer and more secure protocols and ciphers. The older
>> and less secure ones are gradually getting disabled on the server side.
>>
>> For instance, my only copy of Windows is XP, and the last version of IE
>> released for XP can no longer connect to some web sites because they
>> have disabled all of the protocols that IE supports.
>>
>
> That is a valid concern, however I am unsure about what in OpenOffice
> uses the new ciphers. I think OpenSSL is used for signing documents:
> when we update OpenSSL will AOO automatically accept more signing
> options? I would expect browsers will bring their own SSL
> implementations.
I don't know what OpenOffice uses it for, either, but I would expect that
it also gets used for downloading extensions. I hadn't even thought about
signatures. That's something I haven't exercised at all.

> TBH, when I updated OpenSSL in AOO, I intentionally didn't upgrade it
> further because the newer versions have more code but also more
> vulnerabilities, therefore the expected maintenance cost would be
> higher. The FreeBSD 9.x updates are only a temporary workaround.
> Now that upstream is not maintaining the older 0.9.8 version
> it probably makes sense to reconsider upgrading.

And using FreeBSD 9.x as a patch source will not work past the end of this
year because of the FreeBSD 9 EOL.

The FreeBSD OpenOffice port uses --with-system-openssl, and when I build it
for my own use, I set WITH_OPENSSL_PORT=yes, so I am always using the latest
and greatest openssl release. I haven't run into any problems with it. I
just signed a document with it ;-)