Breakpoint 2015 Call For Papers
Melbourne, Australia, October 22nd-23rd
Intercontinental Rialto
http://www.ruxconbreakpoint.com
.[x]. Introduction .[x].
We are pleased to announce Call For Presentations for Breakpoint 2015.
Breakpoint showcases the work of expert security researchers from aro
On Sat, May 16, 2015, at 01:38, Dan Lukes wrote:
> Mark Felder wrote:
> >> Base OpenSSL in still supported releases is too old a version and doesn't
> >> support TLS 1.2 as well.
> >>
> >> Either TLS 1.0 is so insecure and should not be used, or is secure
> >> enough for FreeBSD.
>
> > When the Fr
On 2015-05-16 07:20, Kimmo Paasiala wrote:
On Fri, May 15, 2015 at 9:34 PM, Roger Marquis wrote:
Mark Felder wrote:
Another option is a second openssl port, one that overwrites base and
guarantees compatibility with RELEASE. Then we could at least have all
versions of openssl in vuln.xml (no
You're not understanding the situation: the vulnerability isn't in
OpenSSL; it's a design flaw / weakness in the protocol. This is why
everyone is running like mad from SSL 3.0 and TLS 1.0.
Right, there are two issues being discussed that should be separated.
The thread was originally about SSL
On Sun, May 17, 2015, at 15:50, Roger Marquis wrote:
> > You're not understanding the situation: the vulnerability isn't in
> > OpenSSL; it's a design flaw / weakness in the protocol. This is why
> > everyone is running like mad from SSL 3.0 and TLS 1.0.
>
> Right, there are two issues being dis
Does anyone know what's going on with vuln.xml updates? Over the last
few weeks and months CVEs and application mailing lists have announced
vulnerabilities for several ports that in some cases only showed up in
vuln.xml after several days and in other cases are still not listed
(despite email to
Mark Felder wrote:
Considering the time to write and test patches is the same in either case
it is still an open question.
Again, this is not possible. You can't just "replace" the base OpenSSL.
That port or package would also have to replace every binary and library
in the base system linked
On Sun, May 17, 2015 at 3:50 PM, Roger Marquis wrote:
> I recommended an openssl_base port so that
> security vulnerabilities (not necessarily protocol weaknesses) could be
> more easily remediated (than installworld) and so 'pkg audit' could
> report on those.
>
Exactly how would that differ fr
On Sun, May 17, 2015, at 16:08, Roger Marquis wrote:
> Mark Felder wrote:
> >> Considering the time to write and test patches is the same in either case
> >> it is still an open question.
>
> > Again, this is not possible. You can't just "replace" the base OpenSSL.
> > That port or package would
On 05/17/15 22:20, Mark Felder:
You're not understanding the situation: the vulnerability isn't in
OpenSSL; it's a design flaw / weakness in the protocol.
Sorry, my English seems to be so poor so you don't understand my very
simple question. You are still answering other questions I didn't ask
Mark Felder wrote:
Sure, when you must change the ABI you also have to rebuild linked libs
and bins, but how many openssl 0.9 updates have required ABI changes?
This entire discussion has been about doing MAJOR updates to OpenSSL in
base.
I agree that this discussion has been about updates to
On Sun, May 17, 2015, at 16:28, Dan Lukes wrote:
> On 05/17/15 22:20, Mark Felder:
> > You're not understanding the situation: the vulnerability isn't in
> > OpenSSL; it's a design flaw / weakness in the protocol.
>
> Sorry, my English seems to be so poor so you don't understand my very
> simpl
On 05/18/15 00:00, Mark Felder:
If TLS 1.0 is considered a severe security issue AND system utilities are
using it, why is there no Security Advisory describing this system
vulnerability?
It's not a vulnerability in software, it's a weakness in the protocol
design.
Like protocol downgr
On May 17, 2015 4:49 PM, "Roger Marquis" wrote:
> Leif Pedersen wrote:
>>> ... more easily remediated (than installworld) and so 'pkg audit' could
>>> report on those.
>>
>> Exactly how would that differ from using freebsd-update?
>
> You mean aside from being locally compiled? Does freeb