On 04/03/2016 15:57, walt wrote:
> I notice that openssl-1.0.2g-r2 restores SSLv2 as a temporary fix
> for the breakage caused by r1 yesterday.
>
> My machines are working just fine without SSLv2 so I'm going to skip
> the update to r2 and keep r1 while waiting for a permanent fix. I'm
> not a security expert, so I'd like to hear opinions from people who are.
>
> Should people who have already installed r1 and are not having any
> problems just stay with r1 for now? Or not.

The relevant bug is here

https://bugs.gentoo.org/show_bug.cgi?id=576128

If you have sslv2 enabled, your choices are clear:

1. high likelihood of wholesale breakage, or
2. wait a little longer for a proper fix

Obviously -r1 is ideal as it disables sslv2. If you have it and it
works, leave it in place.

Everyone else is going to have to make up their own mind, and there's no
sane rational advice that can be given for all, considering what the
choices are above.

FreeBSD is also hit with the same issue for similar reasons, and Fedora
has its own pain. Between them and Gentoo I have every confidence a
real fix will come out soon.

My choice is to sit tight for now. I can't afford to run the risk of
taking the company's vital FreeBSD servers off the air to fix a bug
unproven to be exploited in the wild. It's a tough choice.

--
Alan McKinnon
alan.mckinnon@×××××.com
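The advice above hinges on one fact about your own box: whether the installed OpenSSL still has SSLv2 compiled in (the -r1 build disables it, the -r2 build puts it back). The script below is an added example, not code from either poster or from Gentoo; it answers that question two ways, by asking the interpreter's ssl module (which only exports PROTOCOL_SSLv2 when the OpenSSL it was built against has SSLv2) and by parsing the protocol column of `openssl ciphers -v 'ALL:COMPLEMENTOFALL'`. The cipher listing embedded in it is a constructed sample in that command's format, standing in for a 1.0.2 build that still has SSLv2; the function names are my own.

```python
"""Check whether the OpenSSL on this box still has SSLv2 compiled in.

Two defender-side checks:
  1. ask Python's ssl module, which only exposes PROTOCOL_SSLv2 when the
     OpenSSL it was built against was compiled with SSLv2 support;
  2. parse `openssl ciphers -v` output (column two is the protocol version
     a suite belongs to) and list every suite tagged SSLv2.
"""
import shutil
import ssl
import subprocess

# Constructed sample in the format `openssl ciphers -v` prints, standing in
# for a 1.0.2 build that still has SSLv2 (an assumption, not captured output).
SAMPLE_CIPHERS_OUTPUT = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
"""


def sslv2_suites(ciphers_output):
    """Return the names of cipher suites tagged SSLv2 in `openssl ciphers -v` output."""
    names = []
    for line in ciphers_output.splitlines():
        fields = line.split()
        # Layout is: NAME PROTOCOL Kx=... Au=... Enc=... Mac=...
        if len(fields) >= 2 and fields[1] == "SSLv2":
            names.append(fields[0])
    return names


def sslv2_compiled_into_python():
    """True only if the OpenSSL behind this interpreter still exports SSLv2."""
    return hasattr(ssl, "PROTOCOL_SSLv2")


def live_ciphers_output():
    """Run the installed openssl binary, or return None if there is none."""
    if shutil.which("openssl") is None:
        return None
    # ALL:COMPLEMENTOFALL lists every suite the library knows, including
    # those the default cipher string leaves out, so a disabled-by-default
    # SSLv2 still shows up if it was compiled in.
    result = subprocess.run(
        ["openssl", "ciphers", "-v", "ALL:COMPLEMENTOFALL"],
        capture_output=True, text=True,
    )
    return result.stdout if result.returncode == 0 else None


if __name__ == "__main__":
    print("linked OpenSSL:", ssl.OPENSSL_VERSION)
    print("SSLv2 in Python's ssl module:", sslv2_compiled_into_python())
    out = live_ciphers_output()
    if out is None:
        print("no openssl binary found; parsing the constructed sample instead")
        out = SAMPLE_CIPHERS_OUTPUT
    found = sslv2_suites(out)
    print("SSLv2 suites:", found or "none (SSLv2 is disabled in this build)")
```

Run it on each host before deciding between -r1 and -r2: an empty SSLv2 list means the library already behaves the way -r1 intends and there is nothing to gain from the -r2 downgrade; a non-empty list is the "sslv2 enabled" case the reply describes.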