Closed zx2c4 closed 8 years ago
We can not update the patch every time there is a minor change in OpenSSL version.
"We can not update the patch every time there is a minor change in OpenSSL version."
That's pretty disheartening. I would think Cloudflare would want to update their publicly released code to adjust to version releases that address major top priority critical security vulnerabilities. This decision here flies in the face of everything Cloudflare tries to promote. What a shame.
@zx2c4 I am afraid you misinterpreted me. You can see that we do care and do post updates. By "minor" changes, I mean that the relevant parts of OpenSSL where changed in a minor way. Although the patch does not apply cleanly anymore, it does apply, and it does work functionally.
In addition if you use the configuration that we advertise, you would not be vulnerable to the high priority vulnerabilities anyway.
patch -p1 barfs. It doesn't apply. The issue appears to be tests/Makefile, which requires manual merging. The fixes to the buildsystem also have not been applied yet from #22. Nonetheless, I have taken the time to sort this out myself, and attached to this message is a patch that works well on 1.0.2g. Perhaps you'll add it to the repo.
"In addition if you use the configuration that we advertise, you would not be vulnerable to the high priority vulnerabilities anyway."
Yes, but other services on the same host may be using SSLv2 inadvertently, which is the real fear of the recent vulnerability. Being able to update the system openssl library to block SSLv2 is important.
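A repeatable form of the "does it still apply" check discussed above, written as an added example rather than code from this thread or from the Cloudflare repository. It dry-runs a patch with fuzz disabled, so a hunk that only applies fuzzily (as happened with tests/Makefile after the 1.0.2g bump) is reported instead of silently accepted. The tree layout, the Makefile contents and the patch hunk are constructed samples; only GNU patch's `--dry-run`, `--fuzz`, `--batch` and `--forward` options are assumed.

```shell
#!/bin/sh
# Added example (not from the thread or the Cloudflare repo): dry-run a patch
# against a source tree with fuzz disabled and list the files whose hunks reject,
# without modifying anything. Sample tree and hunk below are constructed.

# check_patch_applies TREE PATCHFILE
#   returns 0 if every hunk applies exactly (offset allowed, no fuzz)
#   returns 1 otherwise and prints the rejecting files, one per line
check_patch_applies() {
    tree=$1
    pfile=$2
    # --dry-run: touch nothing; --fuzz=0: exact context only; --batch: never
    # prompt; --forward: an already-applied hunk is a failure, not a reversal
    out=$(cd "$tree" && patch -p1 --dry-run --fuzz=0 --batch --forward < "$pfile" 2>&1)
    rc=$?
    if [ "$rc" -ne 0 ]; then
        # GNU patch announces each file ("checking file X" in dry-run mode,
        # "patching file X" otherwise) and then "Hunk #N FAILED at L." lines
        printf '%s\n' "$out" | awk '
            /^(checking|patching) file / { f = $3 }
            /FAILED/ && f != "" && !seen[f]++ { print f }'
        return 1
    fi
    return 0
}

# make_sample_tree DIR VARIANT  -- constructed tests/Makefile, VARIANT "old" or "new"
make_sample_tree() {
    mkdir -p "$1/tests"
    if [ "$2" = old ]; then
        printf 'CFLAGS=-O2\nall: test\ntest: test.c\n' > "$1/tests/Makefile"
    else
        # hypothetical next release rewrote the file: no context line survives
        printf 'CC=gcc\nOPT=-O3\nall: tests\ntests: tests.c\n' > "$1/tests/Makefile"
    fi
}

# write_sample_patch FILE  -- constructed hunk adding one line to tests/Makefile
write_sample_patch() {
    cat > "$1" <<'EOF'
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -1,3 +1,4 @@
 CFLAGS=-O2
+CHACHA_TESTS=chachatest
 all: test
 test: test.c
EOF
}

# demo: succeeds when the hunk is clean on the "old" tree and rejects on "new"
demo() {
    work=$(mktemp -d)
    write_sample_patch "$work/x.patch"
    make_sample_tree "$work/old" old
    make_sample_tree "$work/new" new
    if check_patch_applies "$work/old" "$work/x.patch" >/dev/null; then old_ok=1; else old_ok=0; fi
    rejects=$(check_patch_applies "$work/new" "$work/x.patch" || true)
    rm -rf "$work"
    [ "$old_ok" -eq 1 ] && [ "$rejects" = "tests/Makefile" ]
}

demo && echo "old: clean, new: tests/Makefile rejects"
```

Running `check_patch_applies . cloudflare.patch` in an unpacked OpenSSL tarball before a release bump tells you which files need a manual merge; dropping `--fuzz=0` reproduces the "does not apply cleanly but does apply" situation described in the thread.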
Patch doesn't apply cleanly here either, since 1.0.2g. Also thanks to zx2c4 for fixing it.
Works for me on Debian Jessie (own openssl-1.0.2g backport with removed chacha tests, see #23) and Gentoo's dev-libs/openssl-1.0.2g via euser_patch (with the required sanity fixes from your issue #22). I am using 3afa6467ad3b15db2f678f8b5a1f817e56874602