On Tue, Oct 13, 2015 at 3:20 PM, Nick Lowe <nick.lowe@gmail.com> wrote:
Red Hat have an update available for their affected 6.7 release:
https://rhn.redhat.com/errata/RHBA-2015-1829.html
If you're running CentOS 6.7, you're likely out of luck until 6.8 becomes available:
https://bugs.centos.org/view.php?id=9295
(That bug report has seemingly been ignored.)
As this is making a lot of noise with Android 6.0 (Marshmallow), please consider releasing a 3.x and discretionary, under protest 2.x release sooner rather than later to close the loop of known possible issues:
https://code.google.com/p/android/issues/detail?id=188867
https://code.google.com/p/android-developer-preview/issues/detail?id=2136
I agree that there aren't likely to be many sites using OpenSSL 1.0.2 at this point in time, worth nipping in the bud though.
@Nick: aren't the links you posted a different issues from Alan's original post? Looking at the dates, as well as Arran's comment on https://code.google.com/p/android/issues/detail?id=188867#c63, the bug affecting clients using TLS-1.2 (including android Marshmallow) is fixed in 2.2.9 and 3.0.10. This should also the one addressed with RH's errata. The warning Allan posted was about servers that use openssl-1.0.2, like debian testing and ubuntu wily (which should be released this month). The fix is present in git, and will be present in the next 3.0.11 (whenever that is), but there probably won't be any 2.2.10 due to EOL policy. In which case the "fix" that admins can use is to ensure: - NOT use openssl-1.0.2. Not an issue if they already stick to LTS release anyway. OR - Build their own FR version from git, and later upgrade to 3.0.11 when that is released. I agree with Arran here. Admins wishing to use openssl-1.0.2 on their server should use the git version or 3.0.11+. -- Fajar