oss-sec mailing list archives
Re: CVE's for SSLv2 support
From: Stuart Henderson <stu () spacehopper org>
Date: Tue, 1 Mar 2016 18:18:12 +0000
On 2016/03/01 17:39, Loganaden Velvindron wrote:
Btw, FreeBSD has done some work there: https://wiki.freebsd.org/LibreSSL/PatchingPorts#SSLv2.2FSSLv3_method_failures
Debian did most of that work for SSLv2 years ago. Quite a lot was upstreamed and a bunch more in patches, this really made it easier to disable SSLv2 support in OpenSSL when we did it in OpenBSD.
Linking with LibreSSL would help uncover those cases, and assign CVEs :)
There shouldn't be all that many left for SSLv2. There are a number of patches in OpenBSD ports for SSLv*3* removal, some upstreamed - if OS/distros are already going through ABI change pain at this point to drop SSLv2, why not go the whole hog and drop v3 as well while you're at it?
Current thread:
- CVE's for SSLv2 support Kurt Seifried (Mar 01)
- Re: CVE's for SSLv2 support Loganaden Velvindron (Mar 01)
- Re: CVE's for SSLv2 support Grant Ridder (Mar 01)
- Re: CVE's for SSLv2 support Stuart Henderson (Mar 01)
- Re: CVE's for SSLv2 support gremlin (Mar 01)
- Re: CVE's for SSLv2 support cve-assign (Mar 01)
- Re: CVE's for SSLv2 support Kurt Seifried (Mar 01)
- Re: CVE's for SSLv2 support cve-assign (Mar 01)
- Re: CVE's for SSLv2 support Kurt Seifried (Mar 01)
- Re: CVE's for SSLv2 support cve-assign (Mar 01)
- Re: Re: CVE's for SSLv2 support Tim (Mar 01)
- Re: Re: CVE's for SSLv2 support Bob Beck (Mar 01)
- Re: Re: CVE's for SSLv2 support Kurt Seifried (Mar 01)
- Re: Re: CVE's for SSLv2 support Bob Beck (Mar 01)
- Re: CVE's for SSLv2 support Kurt Seifried (Mar 01)
- Re: CVE's for SSLv2 support Loganaden Velvindron (Mar 01)