2016-03-02 09:45 AEST by Arthur Barrett - Also see bug 6994 for two security issues discovered in OpenSSL shipped with CVS Suite 2009.

A third issue has been discovered in 0.9.8zf - but since that release is no longer 'supported' there is 
no patch for it (yet - I rather think someone may backport the fix).  This issue is known as DROWN 
(CVE-2016-0800) Cross-protocol attack on TLS using SSLv2 .

We definitely should upgrade the included OpenSSL to 0.9.8zf for the windows builds due to bug 
6994.  

Wether we need to do something about DROWN (CVE-2016-0800) is moot, since they don't even 
seem to have 'fixed' in it 1.01 or 1.02 - instead they have just disabled SSLv2 by default, and if you 
enable it, they have removed all the 'weak' ciphers (export ciphers):

   SSLv2 ciphers vulnerable to exhaustive search key recovery have been removed.
   Specifically, the SSLv2 40-bit EXPORT ciphers, and SSLv2 56-bit DES are no
   longer available.

By default CVS Suite 2009R2 disables the 'weak' ciphers (both the client and the server), see bug 
6820: enh: sserver and sync protocols - user specified ciphers.  

We should update the web site 'security' section to explain this to customers.

2016-05-30 11:57 AEST by Arthur Barrett - CVS Suite (CVSNT) does explicitly disable SSLv2 using 

    SSL_CTX_set_options(ctx,SSL_OP_ALL|SSL_OP_NO_SSLv2);

We then further restrict the ciphers depending on the default or the user 
specified cipher list:

    SSL_CTX_set_cipher_list(ctx,client_ciphers)

So I'm fairly confident that means we do not need to take any specific steps to 
address 'DROWN' in CVS Suite.

2016-12-03 13:01 AEST by Arthur Barrett - Do I mark this as fixed in 2009-6145 because we've upgraded OpenSSL (bug6746)?

It doesn't fix it on non-windows platforms - because all the Linux and mac 
platforms we compile in use older openssl.

So until we ship Linux / Mac builds that link to openssl 1.x then I think we 
can't really mark this as fixed.  Note: that probably means RH7/SuSE11/MacOS 
10.10