guix-devel
Re: OpenSSL CVE-2016-2177, CVE-2016-2178


From: Leo Famulari
Subject: Re: OpenSSL CVE-2016-2177, CVE-2016-2178
Date: Mon, 13 Jun 2016 16:27:59 -0400
User-agent: Mutt/1.6.0 (2016-04-01)

On Sun, Jun 12, 2016 at 10:49:23PM +0200, Ludovic Courtès wrote:
> Leo Famulari <address@hidden> skribis:
> > CVE-2016-2177
> > http://seclists.org/oss-sec/2016/q2/500
> >
> > CVE-2016-2178
> > http://seclists.org/oss-sec/2016/q2/493
> >
> > Should we try cherry-picking the upstream commits from the OpenSSL
> > development repo?
> 
> Sounds like it.  Could you look into it?

I've attached my patch.

According to OpenSSL's security policy [0], they seem to consider these
bugs to be "LOW severity", since they did not keep them private or issue
a new release, or even an advisory [1].

There is also some discussion of the severity in this thread:
http://seclists.org/oss-sec/2016/q2/493

So, perhaps it's not worth the risk of cherry-picking these commits out
of context, at least not without asking the upstream maintainers.

Thoughts?

[0]
https://www.openssl.org/policies/secpolicy.html

[1]
https://www.openssl.org/news/vulnerabilities.html#y2016

Attachment: 0001-gnu-openssl-Fix-CVE-2016-2177-and-CVE-2016-2178.patch
Description: Text Data

Attachment: signature.asc
Description: PGP signature
