| 1 |
On 04/03/2016 15:57, walt wrote: |
| 2 |
> I notice that openssl-1.0.2g-r2 restores SSLv2 as a temporary fix |
| 3 |
> for the breakage caused by r1 yesterday. |
| 4 |
> |
| 5 |
> My machines are working just fine without SSLv2 so I'm going to skip |
| 6 |
> the update to r2 and keep r1 while waiting for a permanent fix. I'm |
| 7 |
> not a security expert, so I'd like to hear opinions from people who are. |
| 8 |
> |
| 9 |
> Should people who have already installed r1 and are not having any |
| 10 |
> problems just stay with r1 for now? Or not. |
| 11 |
> |
| 12 |
> |
| 13 |
|
| 14 |
|
| 15 |
The relevant bug is here |
| 16 |
|
| 17 |
https://bugs.gentoo.org/show_bug.cgi?id=576128 |
| 18 |
|
| 19 |
If you have sslv2 enabled, your choices are clear: |
| 20 |
|
| 21 |
1. high likelihood of wholesale breakage, or |
| 22 |
2. wait a little longer for a proper fix |
| 23 |
|
| 24 |
Obviously -r1 is ideal as it disables sslv2. If you have it and it |
| 25 |
works, leave it in place. |
| 26 |
|
| 27 |
Everyone else is going to have to make up their own mind, and there's no |
| 28 |
sane rational advice that can be given for all, considering what the |
| 29 |
choices are above. |
| 30 |
|
| 31 |
FreeBSD is also hit with the same issue for similar reasons, and Fedora |
| 32 |
has it's own pain. Between them and Gentoo I have every confidence a |
| 33 |
real fix will come out soon. |
| 34 |
|
| 35 |
My choice is to sit tight for now. I can't afford to run the risk of |
| 36 |
taking the company's vital FreeBSD servers of the air to fix a bug |
| 37 |
unproven to be exploited in the wild. It's a tough choice. |
| 38 |
|
| 39 |
|
| 40 |
-- |
| 41 |
Alan McKinnon |
| 42 |
alan.mckinnon@×××××.com |
Archives