Re: OpenSSL CVE-2016-2177, CVE-2016-2178

From: Leo Famulari
Subject: Re: OpenSSL CVE-2016-2177, CVE-2016-2178
Date: Mon, 13 Jun 2016 16:27:59 -0400
User-agent: Mutt/1.6.0 (2016-04-01)
On Sun, Jun 12, 2016 at 10:49:23PM +0200, Ludovic Courtès wrote:
> Leo Famulari <address@hidden> wrote:
> > CVE-2016-2177
> > http://seclists.org/oss-sec/2016/q2/500
> >
> > CVE-2016-2178
> > http://seclists.org/oss-sec/2016/q2/493
> >
> > Should we try cherry-picking the upstream commits from the OpenSSL
> > development repo?
>
> Sounds like it. Could you look into it?
I've attached my patch.
According to OpenSSL's security policy [0], they seem to consider these
bugs to be "LOW severity", since they did not keep them private or issue
a new release, or even an advisory [1].
There is also some discussion of the severity in this thread:
http://seclists.org/oss-sec/2016/q2/493
So, perhaps it's not worth the risk of cherry-picking these commits out
of context, at least not without asking the upstream maintainers.
Thoughts?
[0] https://www.openssl.org/policies/secpolicy.html
[1] https://www.openssl.org/news/vulnerabilities.html#y2016
Attachment: 0001-gnu-openssl-Fix-CVE-2016-2177-and-CVE-2016-2178.patch (Description: Text Data)
Attachment: signature.asc (Description: PGP signature)