oss-sec mailing list archives

Re: CVE's for SSLv2 support


From: Stuart Henderson <stu () spacehopper org>
Date: Tue, 1 Mar 2016 18:18:12 +0000

On 2016/03/01 17:39, Loganaden Velvindron wrote:
> Btw, FreeBSD has done some work there:
> https://wiki.freebsd.org/LibreSSL/PatchingPorts#SSLv2.2FSSLv3_method_failures

Debian did most of that work for SSLv2 years ago. Quite a lot was
upstreamed and a bunch more in patches, this really made it easier
to disable SSLv2 support in OpenSSL when we did it in OpenBSD.

Linking with LibreSSL would help uncover those cases, and assign CVEs :)

There shouldn't be all that many left for SSLv2. There are a number
of patches in OpenBSD ports for SSLv*3* removal, some upstreamed -
if OS/distros are already going through ABI change pain at this
point to drop SSLv2, why not go the whole hog and drop v3 as well
while you're at it?
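The "method failures" the FreeBSD wiki page is about are calls to SSLv2_method()/SSLv3_method() (and the *_client_method/*_server_method variants) that stop compiling or linking once the library no longer provides those protocols, which is what linking against LibreSSL exposes. As an added example, not code from the FreeBSD wiki, the OpenBSD ports tree or this post, the POSIX shell script below triages a source tree for such calls before the build trips over them. It assumes the usual convention that a remaining call fenced by an #if on OPENSSL_NO_SSL2, OPENSSL_NO_SSL3 or OPENSSL_NO_SSL3_METHOD is already handled, and it does not distinguish #else branches (a simplification). The two sample sources it writes are constructed for the demonstration, not taken from any real port.

```shell
#!/bin/sh
# Added example: triage sources for SSLv2/SSLv3 method calls that break the
# build against LibreSSL or an OpenSSL built with no-ssl2/no-ssl3.  Not code
# from the FreeBSD wiki, the OpenBSD ports tree or the list post.
# Calls inside a preprocessor block that tests OPENSSL_NO_SSL2 / OPENSSL_NO_SSL3
# / OPENSSL_NO_SSL3_METHOD are treated as already guarded.  Assumption: #else
# branches are not told apart from the #if branch they belong to.

# Print one "file:line:function" per unguarded call in the given files.
scan_ssl_methods() {
    for f in "$@"; do
        awk -v file="$f" '
            BEGIN { depth = 0; active = 0 }
            # Track #if/#ifdef/#ifndef nesting and remember whether each
            # level is a guard on one of the no-SSL2/no-SSL3 feature macros.
            /^[ \t]*#[ \t]*if/ {
                depth++
                guard[depth] = ($0 ~ /OPENSSL_NO_SSL[23]/) ? 1 : 0
                active += guard[depth]
                next
            }
            /^[ \t]*#[ \t]*endif/ {
                if (depth > 0) { active -= guard[depth]; depth-- }
                next
            }
            {
                rest = $0
                # A line may carry several calls; report each unguarded one.
                # SSLv23_method() and SSL_OP_NO_SSLv3 do not match the pattern.
                while (match(rest, /SSLv[23]_(client_|server_)?method[ \t]*\(/)) {
                    fn = substr(rest, RSTART, RLENGTH)
                    sub(/[ \t]*\($/, "", fn)
                    if (active == 0)
                        printf "%s:%d:%s\n", file, NR, fn
                    rest = substr(rest, RSTART + RLENGTH)
                }
            }
        ' "$f"
    done
}

# Number of unguarded calls across the given files: what the link step
# against a library without SSLv2/SSLv3 would fail on.
count_unguarded() {
    scan_ssl_methods "$@" | wc -l | tr -d '[:space:]'
}

# Constructed sample sources (not from any real port).  bad.c is the
# pre-patch shape; ok.c is the shape the ports patches produce: a
# version-flexible method with the old protocols switched off through
# SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3, and the remaining SSLv3_method() call
# fenced by OPENSSL_NO_SSL3_METHOD.
make_samples() {
    dir=$1
    cat > "$dir/bad.c" <<'EOF'
#include <openssl/ssl.h>
SSL_CTX *old_ctx(void)
{
    return SSL_CTX_new(SSLv3_method());          /* symbol absent in LibreSSL */
}
SSL_CTX *older_ctx(void) { return SSL_CTX_new(SSLv2_client_method()); }
EOF
    cat > "$dir/ok.c" <<'EOF'
#include <openssl/ssl.h>
SSL_CTX *new_ctx(int want_ssl3)
{
    SSL_CTX *ctx = SSL_CTX_new(SSLv23_method());
    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
#ifndef OPENSSL_NO_SSL3_METHOD
    if (want_ssl3) { SSL_CTX_free(ctx); ctx = SSL_CTX_new(SSLv3_method()); }
#endif
    return ctx;
}
EOF
}

# Stand-alone run: write the samples to a scratch directory and report.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
scan_ssl_methods "$demo_dir/bad.c" "$demo_dir/ok.c"
echo "unguarded SSLv2/SSLv3 method calls: $(count_unguarded "$demo_dir/bad.c" "$demo_dir/ok.c")"
rm -rf "$demo_dir"
```

Run against a ports tree, `scan_ssl_methods $(find /usr/ports/some/port/work -name '*.c')` lists exactly the call sites a LibreSSL build will reject, so the patch work can start from a list instead of from a failed link; ok.c shows the replacement shape that survives both an SSLv2-less and an SSLv3-less library, which is the "go the whole hog" case.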

