On Sun, May 17, 2015, at 16:28, Dan Lukes wrote: > On 05/17/15 22:20, Mark Felder: > > You're not understanding the situation: the vulnerability isn't in > > OpenSSL; it's a design flaw / weakness in the protocol. > > Sorry, my English seems to be so poor so you don't understand my very > simple question. You are still answering other questions I didn't asked. > > Last attempt. I will try ti make question as simple as possible. If it > will not help I will become silent. > > TLS 1.0 *protocol* is buggy, new protocol has been implemented in new > version of OpenSSL, but such version will not be imported into FreeBSD 9 > because of ABI incompatibility. Instead old version of OpenSSL and > vulnerable protocol is still used by base system libraries and > utilities. So base system IS affected by known vulnerability. > > Thus I'm asking. > > If TLS 1.0 is considered severe security issue AND system utilities are > using it, why there is no Security Advisory describing this system > vulnerability ? >
It's not a vulnerability in software, it's weakness in the protocol design. By your logic we should have SAs for all of the following in the base system: hashes: MD5 SHA1 default passwd hash in FreeBSD 8: md5crypt (though phk did request a CVE to help usher its death) any openssl cipher using the following: MD5 SHA1 DES 3DES IDEA I'm sure there are even more examples. None of these problems fit the definition required to issue an SA. They're just a violation of widely-accepted Best Current Practices. _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
