From turutani@scphys.kyoto-u.ac.jp  Mon Aug 11 08:48:55 2008
Return-Path: <turutani@scphys.kyoto-u.ac.jp>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 44E7E106566B
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 11 Aug 2008 08:48:55 +0000 (UTC)
	(envelope-from turutani@scphys.kyoto-u.ac.jp)
Received: from proxy2.aams.jp (proxy2.aams.jp [202.189.147.98])
	by mx1.freebsd.org (Postfix) with ESMTP id E7BF48FC31
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 11 Aug 2008 08:48:54 +0000 (UTC)
	(envelope-from turutani@scphys.kyoto-u.ac.jp)
Received: from h120.65.226.10.32118.vlan.kuins.net (softbank218183189199.bbtec.net [218.183.189.199])
	(authenticated bits=0)
	by proxy2.aams.jp (Switch-3.2.7/Switch-3.1.7) with ESMTP id m7B8mpvp018541
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Mon, 11 Aug 2008 17:48:51 +0900
Received: from h120.65.226.10.32118.vlan.kuins.net (localhost [127.0.0.1])
	by h120.65.226.10.32118.vlan.kuins.net (8.14.2/8.14.2/20071004-1) with ESMTP id m7B8mbOK001180;
	Mon, 11 Aug 2008 17:48:38 +0900 (JST)
	(envelope-from turutani@h120.65.226.10.32118.vlan.kuins.net)
Received: (from turutani@localhost)
	by h120.65.226.10.32118.vlan.kuins.net (8.14.2/8.14.2/Submit) id m7B8mbvS001179;
	Mon, 11 Aug 2008 17:48:37 +0900 (JST)
	(envelope-from turutani)
Message-Id: <200808110848.m7B8mbvS001179@h120.65.226.10.32118.vlan.kuins.net>
Date: Mon, 11 Aug 2008 17:48:37 +0900 (JST)
From: Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>
Reply-To: Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>
To: FreeBSD-gnats-submit@freebsd.org
Cc: turutani@scphys.kyoto-u.ac.jp
Subject: Vulnerability about OpenSSL
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         126446
>Category:       bin
>Synopsis:       Vulnerability about OpenSSL
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    secteam
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Aug 11 08:50:01 UTC 2008
>Closed-Date:    Thu Mar 25 17:43:28 UTC 2010
>Last-Modified:  Thu Mar 25 17:43:28 UTC 2010
>Originator:     Tsurutani Naoki
>Release:        FreeBSD 7.0-STABLE i386
>Organization:
>Environment:
System: FreeBSD h120.65.226.10.32118.vlan.kuins.net 7.0-STABLE FreeBSD 7.0-STABLE #15: Sun Jul 20 21:06:33 JST 2008 turutani@h120.65.226.10.32118.vlan.kuins.net:/usr/local/work/usr/obj/usr/src/sys/POLYMER i386


	
>Description:
	"US-CERT Vulnerability Note VU#724968"
	
>How-To-Repeat:
	
>Fix:
	http://openssl.org/news/patch-CVE-2007-3108.txt
	I guess this patch has not been adopted, for about 1 year.
	


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->secteam 
Responsible-Changed-By: remko 
Responsible-Changed-When: Mon Aug 11 08:53:09 UTC 2008 
Responsible-Changed-Why:  
over to secteam 

http://www.freebsd.org/cgi/query-pr.cgi?pr=126446 
State-Changed-From-To: open->analyzed 
State-Changed-By: linimon 
State-Changed-When: Sun Feb 1 01:29:18 UTC 2009 
State-Changed-Why:  
Apparently this will be fixed with the OpenSSL version update. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=126446 

From: Alexander Best <alexbestms@wwu.de>
To: <bug-followup@FreeBSD.org>
Cc: Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>
Subject: Re: bin/126446: Vulnerability about OpenSSL
Date: Sat, 27 Feb 2010 01:19:19 +0100 (CET)

 CVE-2007-3108 got fixed in openssl 0.9.8e-6 (unstable) and thus openssl
 0.9.8f.
 
 according to http://wiki.freebsd.org/ContribSoftware stable7 and stable6 are
 still suffering from this issue since they come with <= openssl 0.9.8e. the
 FreeBSD Security Advisories team has no record of this security issue so it
 hasn't been fixed in those branches.
 
 CVE-2007-3108 however has been categorised as being only a minor security
 threat. probably that's the reason for not issuing a security warning by the
 secteam.
 
 question is if stable6 and stable7 will get an openssl update in the near
 future. 7stable maybe, but 6stable most definitely not.
 
 so it might be a reasonable course of action to merge the patch into 6stable
 and 7stable. maybe even issue a security warning although the issue has
 existed for 3 years now.
 
 cheers.
 alex
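
The follow-up above puts the fix at OpenSSL 0.9.8f and the affected stable6/stable7 base systems at 0.9.8e or earlier. The POSIX sh check below is an added illustration, not code from the PR, FreeBSD or OpenSSL: it reads the `openssl version` banner and compares the version against 0.9.8f using OpenSSL's letter-suffix release scheme (0.9.8e < 0.9.8f, and za, zb, ... sort after z). The function names and the sample banner strings are assumptions of this example. It reports every version below 0.9.8f, 0.9.7 included, as predating the fix; the PR only establishes the 0.9.8e/0.9.8f boundary, so a flagged host still needs a look at whether the patch was applied by hand.

```shell
#!/bin/sh
# Added example (not from the PR, FreeBSD or OpenSSL): decide whether an
# installed OpenSSL predates 0.9.8f, the release the follow-up names as
# carrying the CVE-2007-3108 fix. Function names are assumptions.

# Map an OpenSSL 0.9.x/1.x version string such as "0.9.8e", "0.9.8" or
# "1.0.2k-fips" to an integer that sorts the way OpenSSL releases do:
# major*1000000 + minor*10000 + fix*100 + patch-letter index, where the
# patch letters count a=1 .. z=26 and "za", "zb", ... continue past z.
openssl_version_key() {
    ver=${1%%-*}                                        # drop "-fips" style suffixes
    num=$(printf '%s' "$ver" | sed 's/[a-z]*$//')       # "1.0.2k" -> "1.0.2"
    letters=$(printf '%s' "$ver" | sed 's/^[0-9.]*//')  # "1.0.2k" -> "k"
    major=${num%%.*}
    rest=${num#*.}
    minor=${rest%%.*}
    fix=${rest#*.}
    lidx=0
    while [ -n "$letters" ]; do
        c=${letters%"${letters#?}"}                     # first remaining letter
        letters=${letters#?}
        lidx=$((lidx + $(printf '%d' "'$c") - 96))      # ASCII 'a' is 97
    done
    echo $((major * 1000000 + minor * 10000 + fix * 100 + lidx))
}

# Pull the version token out of an `openssl version` banner, e.g.
# "OpenSSL 0.9.8e 23 Feb 2007" -> "0.9.8e".
openssl_version_from_banner() {
    set -- $1
    echo "$2"
}

# True (exit 0) when the version is older than 0.9.8f. Anything below
# 0.9.8f, 0.9.7 included, is reported as predating the fix; the PR only
# establishes the 0.9.8e -> 0.9.8f boundary.
openssl_predates_cve_2007_3108_fix() {
    [ "$(openssl_version_key "$1")" -lt "$(openssl_version_key 0.9.8f)" ]
}

# Stand-alone use: inspect the OpenSSL found on PATH, if any.
if banner=$(openssl version 2>/dev/null); then
    installed=$(openssl_version_from_banner "$banner")
    if openssl_predates_cve_2007_3108_fix "$installed"; then
        echo "OpenSSL $installed predates 0.9.8f: confirm the CVE-2007-3108 patch is applied"
    else
        echo "OpenSSL $installed is 0.9.8f or later"
    fi
fi
```

On a FreeBSD host the base-system binary is /usr/bin/openssl; a ports install lands in /usr/local/bin, so run the check against the one your services actually link to (`ldd` on the daemon shows which libssl it loads).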
State-Changed-From-To: analyzed->closed 
State-Changed-By: remko 
State-Changed-When: Thu Mar 25 17:43:27 UTC 2010 
State-Changed-Why:  
This is already fixed in multiple branches, and low-profile which does 
not get an SA. If needed OpenSSL will be updated, but I see no reason to 
keep the PR open longer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=126446 
>Unformatted:
