On 05/18/15 00:00, Mark Felder:
If TLS 1.0 is considered a severe security issue AND system utilities are
using it, why is there no Security Advisory describing this system
vulnerability?

It's not a vulnerability in software, it's a weakness in the protocol
design.

Like the protocol downgrade triggered by MITM attack flaw or the
protocol design flaw in session renegotiation support. The first one was
addressed in FreeBSD-SA-14:23.openssl, the second one in
FreeBSD-SA-09:15.ssl.

So "is it a protocol flaw or an implementation bug" seems not to be the true
major criterion.

OK, I wish I got the best answer possible to my question. I'm not going to
discuss SA issuing policy in this thread.
Thank you.
Dan