Hi Don;

On 28 Mar, Pedro Giffuni wrote:
> In reply to Don,

>> The versions of openssl and curl badly need updating for the same
>> reason, and there is one CVE for serf.
>
> FreeBSD casually keeps some backported updates for the same openssl
> version AOO uses:
>
> https://svnweb.freebsd.org/base/stable/9/crypto/openssl/?view=log
>
> It should be pretty straightforward to take them from there and use them
> in main/openssl with minor adaptations.

That would fix only part of the problem.  The other part of the problem
is that the version of openssl that we currently bundle doesn't
implement the newer and more secure protocols and ciphers.  The older
and less secure ones are gradually getting disabled on the server side.

For instance, my only copy of Windows is XP, and the last version of IE
released for XP can no longer connect to some web sites because they
have disabled all of the protocols that IE supports.


That is a valid concern, however I am unsure about what in OpenOffice
uses the new ciphers. I think OpenSSL is used for signing documents:
when we update OpenSSL will AOO automatically accept more signing
options? I would expect browsers will bring their own SSL
implementations.

TBH, when I updated OpenSSL in AOO, I intentionally didn't upgrade it
further because the newer versions have more code but also more
vulnerabilities, therefore the expected maintenance cost would be
higher.  The FreeBSD 9.x updates are only a temporary workaround.
Now that upstream is not maintaining the older 0.9.8 version
it probably makes sense to reconsider upgrading.

Pedro.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org