> So my opinion is that eliminating the openssl version check has only one
> drawback: we lose our single possibility to influence what openssl we build
> against. This /could/ have certain security implications and thus taint
> ntpsec's name.
I don't think the version check is intended to ca
On 08-03-18 21:22, Richard Laager wrote:
>> Can't we simply enforce a reasonable level? (e.g. maximum of XX months
>> old version of openssl)
>
> Probably not, as backported fixes for particular issues will not
> increment the version number.
But fixes by the openssl team /will/ increment the ver
On 03/08/2018 05:06 AM, Udo van den Heuvel wrote:
> Can we trust the distros to deliver openssl updates in time?
Yes. If you can't trust the distro to deliver security updates, you have
a serious problem that cannot be solved by ntpsec's tarball.
> Can't we simply enforce a reasonable level? (e.g
On 08-03-18 08:57, Hal Murray wrote:
> Do you have a pointer to a list of the insecure versions with a summary of
> the bug so we can see if we use that feature?
https://www.openssl.org/news/vulnerabilities.html ?
That is from the source of openssl...
We also have
https://www.cvedetails.com/vul
On 08-03-18 10:57, Richard Laager via devel wrote:
> On 03/08/2018 01:40 AM, Udo van den Heuvel via devel wrote:
>> Why wouldn't we require a certain openssl version as there are a number
>> of security vulnerabilities in (older) openssl?
>
> Isn't this potentially the case with any dependency? Sh
On 03/08/2018 01:40 AM, Udo van den Heuvel via devel wrote:
> Why wouldn't we require a certain openssl version as there are a number
> of security vulnerabilities in (older) openssl?
Isn't this potentially the case with any dependency? Shouldn't this be
handled through normal update mechanisms, r
devel@ntpsec.org said:
> Why wouldn't we require a certain openssl version as there are a number of
> security vulnerabilities in (older) openssl?
Do you have a pointer to a list of the insecure versions with a summary of
the bug so we can see if we use that feature?
--
These are my opinions.
Hello,
I noticed the commit at
https://gitlab.com/NTPsec/ntpsec/commit/6d17955b03ca65d67f2cc2ceba01bd60e07d5fd4
and have a question regarding this:
Why wouldn't we require a certain openssl version as there are a number
of security vulnerabilities in (older) openssl?
Kind regards,
Udo