tech-pkg archive


Re: Prefer pkgsrc OpenSSL after 2016Q1.



On 3/10/16 2:25 AM, Martin Husemann wrote:
> On Thu, Mar 10, 2016 at 01:27:24AM +0100, Kamil Rytarowski wrote:
>> We are coming to the conclusion.
> 
> Well, the netbsd-7 openssh has been patched on Feb 22:
> 
> crypto/external/bsd/openssh/dist/readconf.c     patch
> crypto/external/bsd/openssh/dist/ssh.c          patch
> 
>         Fix CVE CVE-2016-0777 by disabling roaming completely.
>         [christos, ticket #1075]
> 
> and openssl earlier this week:
> 
>         Import openssl-1.0.1s, fixing various CVEs:
>         CVE-2015-0293 CVE-2015-1794 CVE-2015-3193 CVE-2015-3194
>         CVE-2015-3195 CVE-2015-3196 CVE-2015-3197 CVE-2016-0702
>         CVE-2016-0703 CVE-2016-0704 CVE-2016-0705 CVE-2016-0797
>         CVE-2016-0798 CVE-2016-0799 CVE-2016-0800
>         This includes "DROWN". Backward binary compatibility has been
>         preserved, but no SSLv2 code is available.
>         [spz, ticket #1127]
> 
> And of course there will be SAs for both.
> 
> Martin

Kamil, so maybe you're saying that you would like for security
advisories to be released more promptly after a CVE is released?

Lewis

