On 2016/05/01 21:29, Elmar Stellnberger wrote:
> On 2016-04-26 at 17:04, Stuart Henderson wrote:
> > > When will that bug be fixed for the ftp program?
> >
> > Well, it's a tricky area - OpenSSL introduced a vulnerability when they
> > fixed it in their code (post-libressl-fork). So it won't be fixed until
> > libressl people find a sane way to do it.
>
> What vulnerability did they introduce? I am still heavily relying on
> OpenSSL since not all my planned OpenBSD systems are in productive use yet.

"Alternative chains certificate forgery" (CVE-2015-1793).

> Will it be sufficient to subscribe to annou...@openbsd.org in order to
> receive a message when libressl should be as far as to accept any
> descendants of intermediate certificates?

I imagine it will probably be included in release notes if this is implemented in libressl.

> btw.: do you know since what version that is enabled for OpenSSL?

They introduced this in 1.0.2b / 1.0.1n and fixed the vuln in 1.0.2d / 1.0.1p.