From owner-freebsd-security@FreeBSD.ORG Mon Mar 16 19:57:14 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id D0F77556 for ; Mon, 16 Mar 2015 19:57:14 +0000 (UTC) Received: from shell1.rawbw.com (shell1.rawbw.com [198.144.192.42]) by mx1.freebsd.org (Postfix) with ESMTP id B7D7BA85 for ; Mon, 16 Mar 2015 19:57:14 +0000 (UTC) Received: from yuri.doctorlan.com (c-50-184-63-128.hsd1.ca.comcast.net [50.184.63.128]) (authenticated bits=0) by shell1.rawbw.com (8.14.9/8.14.9) with ESMTP id t2GJv8FR064104 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO) for ; Mon, 16 Mar 2015 12:57:08 -0700 (PDT) (envelope-from yuri@rawbw.com) X-Authentication-Warning: shell1.rawbw.com: Host c-50-184-63-128.hsd1.ca.comcast.net [50.184.63.128] claimed to be yuri.doctorlan.com Message-ID: <55073593.50108@rawbw.com> Date: Mon, 16 Mar 2015 12:57:07 -0700 From: Yuri User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0 MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: npm doesn't check package signatures, should www/npm print security alert? Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit X-Content-Filtered-By: Mailman/MimeDel 2.1.18-1 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 16 Mar 2015 19:57:14 -0000 www/npm downloads and installs packages without having signature checking in place. There is the discussion about package security https://github.com/node-forward/discussions/issues/29 , but actual checking isn't currently done. Additionally, npm allows direct downloads of GitHub projects without any authenticity checking or maintainer review, see documentation https://docs.npmjs.com/cli/install . Non-explicit syntax 'npm install githubname/reponame' can also be easily confused with the official package name. Random GitHub projects can contain code without any guarantees. I think there is the risk that some malicious JavaScript code can be injected through the MITM attack, and server side JavaScript is a fully functional language. Shouldn't www/npm at least print a security alert about this? It probably shouldn't be used on production systems until package authentication is in place. Yuri From owner-freebsd-security@FreeBSD.ORG Mon Mar 16 20:05:54 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 4DF7AA1F for ; Mon, 16 Mar 2015 20:05:54 +0000 (UTC) Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 1E024C1B for ; Mon, 16 Mar 2015 20:05:53 +0000 (UTC) Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id 1058C211A3 for ; Mon, 16 Mar 2015 16:05:51 -0400 (EDT) Received: from web3 ([10.202.2.213]) by compute5.internal (MEProxy); Mon, 16 Mar 2015 16:05:53 -0400 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=message-id:x-sasl-enc:from:to :mime-version:content-transfer-encoding:content-type:in-reply-to :references:subject:date; s=smtpout; bh=36982QP9z3myea1+ZgtUxGqp w+g=; b=R46z33suQ2pihaTjPEyxbznVGCOaJ7cFCT8SlRsBEJl7HeULGBYsHONO vSsGkoSdXhWhG60Po2abidgVWkAcODhshBjtijXOEZXzn335tp5ftcCIRarEj4ZV QC6g0yhwULNnMgh31hvKjmah9HWMPnnWnMTl3Ptkh9631JdvyRg= Received: by web3.nyi.internal (Postfix, from userid 99) id DCFCF10A097; Mon, 16 Mar 2015 16:05:52 -0400 (EDT) Message-Id: <1426536352.4157462.241176113.7D625599@webmail.messagingengine.com> X-Sasl-Enc: MB+lWWSGLWzp9aJOXckhnADWoczHSMVzBXstlAA8ISfg 1426536352 From: Mark Felder To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface - ajax-15db86eb In-Reply-To: <55073593.50108@rawbw.com> References: <55073593.50108@rawbw.com> Subject: Re: npm doesn't check package signatures, should www/npm print security alert? Date: Mon, 16 Mar 2015 15:05:52 -0500 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 16 Mar 2015 20:05:54 -0000 On Mon, Mar 16, 2015, at 14:57, Yuri wrote: > www/npm downloads and installs packages without having signature > checking in place. > There is the discussion about package security > https://github.com/node-forward/discussions/issues/29 , but actual > checking isn't currently done. > > Additionally, npm allows direct downloads of GitHub projects without any > authenticity checking or maintainer review, see documentation > https://docs.npmjs.com/cli/install . Non-explicit syntax 'npm install > githubname/reponame' can also be easily confused with the official > package name. Random GitHub projects can contain code without any > guarantees. > > I think there is the risk that some malicious JavaScript code can be > injected through the MITM attack, and server side JavaScript is a fully > functional language. > > Shouldn't www/npm at least print a security alert about this? It > probably shouldn't be used on production systems until package > authentication is in place. > > Yuri > This would require FreeBSD to modify npm code to inject this message, correct? Or do you just want a post-install message when the package is installed to remind FreeBSD users about it? It seems to me a scary warning patch should be sent upstream. From owner-freebsd-security@FreeBSD.ORG Mon Mar 16 20:10:34 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 69DF5CD0; Mon, 16 Mar 2015 20:10:34 +0000 (UTC) Received: from shell1.rawbw.com (shell1.rawbw.com [198.144.192.42]) by mx1.freebsd.org (Postfix) with ESMTP id 51229C75; Mon, 16 Mar 2015 20:10:34 +0000 (UTC) Received: from yuri.doctorlan.com (c-50-184-63-128.hsd1.ca.comcast.net [50.184.63.128]) (authenticated bits=0) by shell1.rawbw.com (8.14.9/8.14.9) with ESMTP id t2GKAX0E066950 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Mon, 16 Mar 2015 13:10:34 -0700 (PDT) (envelope-from yuri@rawbw.com) X-Authentication-Warning: shell1.rawbw.com: Host c-50-184-63-128.hsd1.ca.comcast.net [50.184.63.128] claimed to be yuri.doctorlan.com Message-ID: <550738B8.7010704@rawbw.com> Date: Mon, 16 Mar 2015 13:10:32 -0700 From: Yuri User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0 MIME-Version: 1.0 To: Mark Felder , freebsd-security@freebsd.org Subject: Re: npm doesn't check package signatures, should www/npm print security alert? References: <55073593.50108@rawbw.com> <1426536352.4157462.241176113.7D625599@webmail.messagingengine.com> In-Reply-To: <1426536352.4157462.241176113.7D625599@webmail.messagingengine.com> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 16 Mar 2015 20:10:34 -0000 On 03/16/2015 13:05, Mark Felder wrote: > This would require FreeBSD to modify npm code to inject this message, > correct? Or do you just want a post-install message when the package is > installed to remind FreeBSD users about it? > > It seems to me a scary warning patch should be sent upstream. I meant post-install message. pkg and ports nicely check package signatures or fingerprints, but then npm defeats this outright, if installed. Yuri From owner-freebsd-security@FreeBSD.ORG Mon Mar 16 20:28:29 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 5E00C571; Mon, 16 Mar 2015 20:28:29 +0000 (UTC) Received: from zim.gshapiro.net (zim.gshapiro.net [IPv6:2001:4f8:3:36::224]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "smtp.gshapiro.net", Issuer "Certificate Authority" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 17878EA4; Mon, 16 Mar 2015 20:28:28 +0000 (UTC) Received: from C02KM089FFRR.corp.proofpoint.com (mx2.proofpoint.com [208.86.202.10]) (authenticated bits=0) by zim.gshapiro.net (8.14.9/8.14.9) with ESMTP id t2GKSQDb045524 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 16 Mar 2015 13:28:28 -0700 (PDT) (envelope-from gshapiro@gshapiro.net) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=gshapiro.net; s=gatsby.dkim; t=1426537708; bh=j3Isyk8ZPeA6pfr/i8M8/WqaA7NiroS2RJtj1AY6JVI=; h=Date:From:To:Cc:Subject:References:In-Reply-To; b=DLX1gTXbHnHvNhWOOR8abk+//8wg+eGCTrXHR9RBLHHQP0rEpHddLkZIaMdWY3DLG Y/0uuQu1x5MmTTtzM5X3peXfoMAtNl+w74BhFMwiR7LMMA8N/tfby7MNEUr86hr+JH BPHjYbubsdlPLSNXkizEbLQM+ccfDlqymmOUKiCw= Date: Mon, 16 Mar 2015 13:28:26 -0700 From: Gregory Shapiro To: Julian Elischer Subject: Re: sendmail broken by libssl in current Message-ID: <20150316202826.GT66903@C02KM089FFRR.corp.proofpoint.com> References: <54FFE774.50103@freebsd.org> <20150311161549.GB16749@C02KM089FFRR.corp.proofpoint.com> <5500950E.9070905@freebsd.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="5gxpn/Q6ypwruk0T" Content-Disposition: inline In-Reply-To: <5500950E.9070905@freebsd.org> User-Agent: Mutt/1.5.23 (2014-03-12) X-Mailman-Approved-At: Mon, 16 Mar 2015 20:38:05 +0000 Cc: freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 16 Mar 2015 20:28:29 -0000 --5gxpn/Q6ypwruk0T Content-Type: text/plain; charset=us-ascii Content-Disposition: inline I've made the change in HEAD to turn off SSL padding (see attached mail message). Julian, can you test to see if it addresses the issue before I MFC? --5gxpn/Q6ypwruk0T Content-Type: message/rfc822 Content-Disposition: inline Return-Path: Received: from deliver ([unix socket]) by imap.gshapiro.net (Cyrus v2.4.17) with LMTPA; Mon, 16 Mar 2015 13:24:45 -0700 X-Sieve: CMU Sieve 2.4 X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on zim.gshapiro.net X-Spam-Level: X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_HI, RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_PASS,T_RP_MATCHES_RCVD autolearn=ham autolearn_force=no version=3.4.0 Received: from mx2.freebsd.org (mx2.freebsd.org [8.8.178.116]) by zim.gshapiro.net (8.14.9/8.14.9) with ESMTP id t2GKOe7a045460 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL) for ; Mon, 16 Mar 2015 13:24:43 -0700 (PDT) (envelope-from owner-src-committers@freebsd.org) Received: from hub.freebsd.org (hub.freebsd.org [8.8.178.136]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx2.freebsd.org (Postfix) with ESMTPS id 862443710; Mon, 16 Mar 2015 20:24:40 +0000 (UTC) Received: by hub.freebsd.org (Postfix, from userid 538) id 7F63330A; Mon, 16 Mar 2015 20:24:40 +0000 (UTC) Delivered-To: src-committers@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 242B0308; Mon, 16 Mar 2015 20:24:39 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 0E984E6A; Mon, 16 Mar 2015 20:24:39 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id t2GKOcwW014428; Mon, 16 Mar 2015 20:24:38 GMT (envelope-from gshapiro@FreeBSD.org) Received: (from gshapiro@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id t2GKOcGj014427; Mon, 16 Mar 2015 20:24:38 GMT (envelope-from gshapiro@FreeBSD.org) Message-Id: <201503162024.t2GKOcGj014427@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: gshapiro set sender to gshapiro@FreeBSD.org using -f From: Gregory Neil Shapiro Date: Mon, 16 Mar 2015 20:24:38 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r280155 - head/contrib/sendmail/src X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk X-Loop: FreeBSD.org Sender: owner-src-committers@freebsd.org Author: gshapiro Date: Mon Mar 16 20:24:37 2015 New Revision: 280155 URL: https://svnweb.freebsd.org/changeset/base/280155 Log: Default to turning off OpenSSL SSL_OP_TLSEXT_PADDING as it breaks compatibility with some sites This change comes from 8.15 but is being backported to FreeBSD releases not yet using 8.15. MFC after: 3 days Noted by: julian@ Modified: head/contrib/sendmail/src/readcf.c Modified: head/contrib/sendmail/src/readcf.c ============================================================================== --- head/contrib/sendmail/src/readcf.c Mon Mar 16 20:13:25 2015 (r280154) +++ head/contrib/sendmail/src/readcf.c Mon Mar 16 20:24:37 2015 (r280155) @@ -124,6 +124,11 @@ readcf(cfname, safe, e) | SSL_OP_NO_TICKET #endif ; +# ifdef SSL_OP_TLSEXT_PADDING + /* SSL_OP_TLSEXT_PADDING breaks compatibility with some sites */ + Srv_SSL_Options &= ~SSL_OP_TLSEXT_PADDING; + Clt_SSL_Options &= ~SSL_OP_TLSEXT_PADDING; +# endif /* SSL_OP_TLSEXT_PADDING */ #endif /* STARTTLS */ if (DontLockReadFiles) sff |= SFF_NOLOCK; @@ -2406,6 +2411,9 @@ static struct ssl_options #ifdef SSL_OP_CRYPTOPRO_TLSEXT_BUG { "SSL_OP_CRYPTOPRO_TLSEXT_BUG", SSL_OP_CRYPTOPRO_TLSEXT_BUG }, #endif +#ifdef SSL_OP_TLSEXT_PADDING + { "SSL_OP_TLSEXT_PADDING", SSL_OP_TLSEXT_PADDING }, +#endif { NULL, 0 } }; #endif /* STARTTLS && _FFR_TLS_1 */ --5gxpn/Q6ypwruk0T-- From owner-freebsd-security@FreeBSD.ORG Tue Mar 17 09:16:02 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id D919F85A; Tue, 17 Mar 2015 09:16:02 +0000 (UTC) Received: from shell1.rawbw.com (shell1.rawbw.com [198.144.192.42]) by mx1.freebsd.org (Postfix) with ESMTP id AA178C71; Tue, 17 Mar 2015 09:16:02 +0000 (UTC) Received: from yuri.doctorlan.com (c-50-184-63-128.hsd1.ca.comcast.net [50.184.63.128]) (authenticated bits=0) by shell1.rawbw.com (8.14.9/8.14.9) with ESMTP id t2H9G1iT044993 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Tue, 17 Mar 2015 02:16:01 -0700 (PDT) (envelope-from yuri@rawbw.com) X-Authentication-Warning: shell1.rawbw.com: Host c-50-184-63-128.hsd1.ca.comcast.net [50.184.63.128] claimed to be yuri.doctorlan.com Message-ID: <5507F0D0.2020002@rawbw.com> Date: Tue, 17 Mar 2015 02:16:00 -0700 From: Yuri User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0 MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: Re: npm doesn't check package signatures, should www/npm print security alert? References: <55073593.50108@rawbw.com> In-Reply-To: <55073593.50108@rawbw.com> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Mar 2015 09:16:02 -0000 On 03/16/2015 12:57, Yuri wrote: > www/npm downloads and installs packages without having signature > checking in place. > There is the discussion about package security > https://github.com/node-forward/discussions/issues/29 , but actual > checking isn't currently done. I added the pkg-message with security advisories about this: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=198653 Yuri From owner-freebsd-security@FreeBSD.ORG Thu Mar 19 14:35:00 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 890302F1 for ; Thu, 19 Mar 2015 14:35:00 +0000 (UTC) Received: from smarthost1.sentex.ca (smarthost1.sentex.ca [IPv6:2607:f3e0:0:1::12]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "smarthost.sentex.ca", Issuer "smarthost.sentex.ca" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 3B3129F9 for ; Thu, 19 Mar 2015 14:35:00 +0000 (UTC) Received: from [IPv6:2607:f3e0:0:4:f025:8813:7603:7e4a] (saphire3.sentex.ca [IPv6:2607:f3e0:0:4:f025:8813:7603:7e4a]) by smarthost1.sentex.ca (8.14.9/8.14.9) with ESMTP id t2JEYwRP010825 for ; Thu, 19 Mar 2015 10:34:58 -0400 (EDT) (envelope-from mike@sentex.net) Message-ID: <550ADE80.8000005@sentex.net> Date: Thu, 19 Mar 2015 10:34:40 -0400 From: Mike Tancsa Organization: Sentex Communications User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0 MIME-Version: 1.0 To: "freebsd-security@freebsd.org" Subject: latest OpenSSL advisory Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.75 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Mar 2015 14:35:00 -0000 Could be worse, could be better https://www.openssl.org/news/secadv_20150319.txt ---Mike -- ------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet services since 1994 www.sentex.net Cambridge, Ontario Canada http://www.tancsa.com/ From owner-freebsd-security@FreeBSD.ORG Thu Mar 19 17:55:40 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 014A0498; Thu, 19 Mar 2015 17:55:39 +0000 (UTC) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id D809A993; Thu, 19 Mar 2015 17:55:39 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.9/8.14.9) with ESMTP id t2JHtdq8042602; Thu, 19 Mar 2015 17:55:39 GMT (envelope-from security-advisories@freebsd.org) Received: (from delphij@localhost) by freefall.freebsd.org (8.14.9/8.14.9/Submit) id t2JHtdaU042600; Thu, 19 Mar 2015 17:55:39 GMT (envelope-from security-advisories@freebsd.org) Date: Thu, 19 Mar 2015 17:55:39 GMT Message-Id: <201503191755.t2JHtdaU042600@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: delphij set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-15:06.openssl Reply-To: freebsd-security@freebsd.org Precedence: bulk X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Mar 2015 17:55:40 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-15:06.openssl Security Advisory The FreeBSD Project Topic: Multiple OpenSSL vulnerabilities Category: contrib Module: openssl Announced: 2015-03-19 Affects: All supported versions of FreeBSD. Corrected: 2015-03-19 17:40:43 UTC (stable/10, 10.1-STABLE) 2015-03-19 17:42:38 UTC (releng/10.1, 10.1-RELEASE-p7) 2015-03-19 17:40:43 UTC (stable/9, 9.3-STABLE) 2015-03-19 17:42:38 UTC (releng/9.3, 9.3-RELEASE-p11) 2015-03-19 17:40:43 UTC (stable/8, 8.4-STABLE) 2015-03-19 17:42:38 UTC (releng/8.4, 8.4-RELEASE-p25) CVE Name: CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0293 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. Abstract Syntax Notation One (ASN.1) is a standard and notation that describes rules and structures for representing, encoding, transmitting, and decoding data in telecommunications and computer networking, which enables representation of objects that are independent of machine-specific encoding technique. II. Problem Description A malformed elliptic curve private key file could cause a use-after-free condition in the d2i_ECPrivateKey function. [CVE-2015-0209] An attempt to compare ASN.1 boolean types will cause the ASN1_TYPE_cmp function to crash with an invalid read. [CVE-2015-0286] Reusing a structure in ASN.1 parsing may allow an attacker to cause memory corruption via an invalid write. [CVE-2015-0287] The function X509_to_X509_REQ will crash with a NULL pointer dereference if the certificate key is invalid. [CVE-2015-0288] The PKCS#7 parsing code does not handle missing outer ContentInfo correctly. [CVE-2015-0289] A malicious client can trigger an OPENSSL_assert in servers that both support SSLv2 and enable export cipher suites by sending a specially crafted SSLv2 CLIENT-MASTER-KEY message. [CVE-2015-0293] III. Impact A malformed elliptic curve private key file can cause server daemons using OpenSSL to crash, resulting in a Denial of Service. [CVE-2015-0209] A remote attacker who is able to send specifically crafted certificates may be able to crash an OpenSSL client or server. [CVE-2015-0286] An attacker who can cause invalid writes with applications that parse structures containing CHOICE or ANY DEFINED BY components and reusing the structures may be able to cause them to crash. Such reuse is believed to be rare. OpenSSL clients and servers are not affected. [CVE-2015-0287] An attacker may be able to crash applications that create a new certificate request with subject name the same as in an existing, specifically crafted certificate. This usage is rare in practice. [CVE-2015-0288] An attacker may be able to crash applications that verify PKCS#7 signatures, decrypt PKCS#7 data or otherwise parse PKCS#7 structures with specifically crafted certificates. [CVE-2015-0289] A malicious client can trigger an OPENSSL_assert in servers that both support SSLv2 and enable export cipher suites by sending a carefully crafted SSLv2 CLIENT-MASTER-KEY message, resulting in a Denial of Service. [CVE-2015-0293] Note that two issues in the original OpenSSL advisory, CVE-2015-0204 and CVE-2015-0292, were already addressed by FreeBSD-SA-15:01.openssl and FreeBSD-EN-15:02.openssl. IV. Workaround No workaround is available. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 8.4 and FreeBSD 9.3] # fetch https://security.FreeBSD.org/patches/SA-15:06/openssl-0.9.8.patch # fetch https://security.FreeBSD.org/patches/SA-15:06/openssl-0.9.8.patch.asc # gpg --verify openssl-0.9.8.patch.asc [FreeBSD 10.1] # fetch https://security.FreeBSD.org/patches/SA-15:06/openssl-1.0.1.patch # fetch https://security.FreeBSD.org/patches/SA-15:06/openssl-1.0.1.patch.asc # gpg --verify openssl-1.0.1.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart all deamons using the library, or reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/8/ r280266 releng/8.4/ r280268 stable/9/ r280266 releng/9.3/ r280268 stable/10/ r280266 releng/10.1/ r280268 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.1.2 (FreeBSD) iQIcBAEBCgAGBQJVCwr1AAoJEO1n7NZdz2rnayEP/0w3Pba5k/1G0mJ1T9APNAns hhXm0YuR/rNJ1XBooWEOctrijlsVChcIt8KvJCU9apOZWjDvm/nvaQ077GCi5RSp jhQBs8MLVfXzwMbJ0/uBpp6ChF8uafk5O+gr8ulb2jG6VIaLkGOWPYv61aRYSGxy R7+6FxD8M0lLbGOQGETy1HxKzeWztA2p0ILORNAsi+bF8GSJpxGhSxqDDi4+ic/C 3oEw0zT/E6DhxJovOPebKq0eGcRbv7ETqDmtNQdqbOddV+0FY1E+nHtrAo6B/Kln rL+meBJHmLeEREROFk4OvCynuROUJGmXJGKwjN3uOVM05qcEZS4NkVhFNrxt6S5H t3wQ02SesbA3pbmce5OuXmlJgdL57DVlMb5sQjkqPeoJ6pn6Rz7VLSgLNfXDUSxs x/Lgx0+qLQUubMud7zT97UIvZmDqFTWXfJu5S/0Qt8BPFunmoNJttJ5Cr+brzEtu 5RLjcvkC1giVCpSXS96QbeT67uqSkMZa8gtII8bA77HBGA0Ky8AOwTAXbCiUovuH sLwsI8KUC3lsKUh7eyLsSm2+wRHn0e6dZ1PE0JRazCnCRboTvMWK2d4R7ANdrwsq CgtCWLRz6vbB9J4XTNupcEoZGhIA4RuOBqx43eQmaRw1HoV3vn85QP94oL5jzXBd UQg3YfrXHDlxCsqEzN7o =wi0T -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Thu Mar 19 18:08:49 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 5A9F3773 for ; Thu, 19 Mar 2015 18:08:49 +0000 (UTC) Received: from smarthost1.sentex.ca (smarthost1.sentex.ca [IPv6:2607:f3e0:0:1::12]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "smarthost.sentex.ca", Issuer "smarthost.sentex.ca" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id EA43ACB3 for ; Thu, 19 Mar 2015 18:08:48 +0000 (UTC) Received: from [IPv6:2607:f3e0:0:4:f025:8813:7603:7e4a] (saphire3.sentex.ca [IPv6:2607:f3e0:0:4:f025:8813:7603:7e4a]) by smarthost1.sentex.ca (8.14.9/8.14.9) with ESMTP id t2JI8lUi043714 for ; Thu, 19 Mar 2015 14:08:47 -0400 (EDT) (envelope-from mike@sentex.net) Message-ID: <550B109C.4050704@sentex.net> Date: Thu, 19 Mar 2015 14:08:28 -0400 From: Mike Tancsa Organization: Sentex Communications User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0 MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:06.openssl References: <201503191755.t2JHtdaU042600@freefall.freebsd.org> In-Reply-To: <201503191755.t2JHtdaU042600@freefall.freebsd.org> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.75 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Mar 2015 18:08:49 -0000 Wow, thanks for the quick fix/commit Xin!! ---Mike On 3/19/2015 1:55 PM, FreeBSD Security Advisories wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > ============================================================================= > FreeBSD-SA-15:06.openssl Security Advisory > The FreeBSD Project > > Topic: Multiple OpenSSL vulnerabilities > > Category: contrib > Module: openssl > Announced: 2015-03-19 > Affects: All supported versions of FreeBSD. > Corrected: 2015-03-19 17:40:43 UTC (stable/10, 10.1-STABLE) > 2015-03-19 17:42:38 UTC (releng/10.1, 10.1-RELEASE-p7) > 2015-03-19 17:40:43 UTC (stable/9, 9.3-STABLE) > 2015-03-19 17:42:38 UTC (releng/9.3, 9.3-RELEASE-p11) > 2015-03-19 17:40:43 UTC (stable/8, 8.4-STABLE) > 2015-03-19 17:42:38 UTC (releng/8.4, 8.4-RELEASE-p25) > CVE Name: CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, > CVE-2015-0289, CVE-2015-0293 > > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit . > > I. Background > > FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is > a collaborative effort to develop a robust, commercial-grade, full-featured > Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) > and Transport Layer Security (TLS v1) protocols as well as a full-strength > general purpose cryptography library. > > Abstract Syntax Notation One (ASN.1) is a standard and notation that > describes rules and structures for representing, encoding, transmitting, > and decoding data in telecommunications and computer networking, which > enables representation of objects that are independent of machine-specific > encoding technique. > > II. Problem Description > > A malformed elliptic curve private key file could cause a use-after-free > condition in the d2i_ECPrivateKey function. [CVE-2015-0209] > > An attempt to compare ASN.1 boolean types will cause the ASN1_TYPE_cmp > function to crash with an invalid read. [CVE-2015-0286] > > Reusing a structure in ASN.1 parsing may allow an attacker to cause memory > corruption via an invalid write. [CVE-2015-0287] > > The function X509_to_X509_REQ will crash with a NULL pointer dereference if > the certificate key is invalid. [CVE-2015-0288] > > The PKCS#7 parsing code does not handle missing outer ContentInfo correctly. > [CVE-2015-0289] > > A malicious client can trigger an OPENSSL_assert in servers that both support > SSLv2 and enable export cipher suites by sending a specially crafted SSLv2 > CLIENT-MASTER-KEY message. [CVE-2015-0293] > > III. Impact > > A malformed elliptic curve private key file can cause server daemons using > OpenSSL to crash, resulting in a Denial of Service. [CVE-2015-0209] > > A remote attacker who is able to send specifically crafted certificates > may be able to crash an OpenSSL client or server. [CVE-2015-0286] > > An attacker who can cause invalid writes with applications that parse > structures containing CHOICE or ANY DEFINED BY components and reusing > the structures may be able to cause them to crash. Such reuse is believed > to be rare. OpenSSL clients and servers are not affected. [CVE-2015-0287] > > An attacker may be able to crash applications that create a new certificate > request with subject name the same as in an existing, specifically crafted > certificate. This usage is rare in practice. [CVE-2015-0288] > > An attacker may be able to crash applications that verify PKCS#7 signatures, > decrypt PKCS#7 data or otherwise parse PKCS#7 structures with specifically > crafted certificates. [CVE-2015-0289] > > A malicious client can trigger an OPENSSL_assert in servers that both support > SSLv2 and enable export cipher suites by sending a carefully crafted SSLv2 > CLIENT-MASTER-KEY message, resulting in a Denial of Service. [CVE-2015-0293] > > Note that two issues in the original OpenSSL advisory, CVE-2015-0204 and > CVE-2015-0292, were already addressed by FreeBSD-SA-15:01.openssl and > FreeBSD-EN-15:02.openssl. > > IV. Workaround > > No workaround is available. > > V. Solution > > Perform one of the following: > > 1) Upgrade your vulnerable system to a supported FreeBSD stable or > release / security branch (releng) dated after the correction date. > > 2) To update your vulnerable system via a binary patch: > > Systems running a RELEASE version of FreeBSD on the i386 or amd64 > platforms can be updated via the freebsd-update(8) utility: > > # freebsd-update fetch > # freebsd-update install > > 3) To update your vulnerable system via a source code patch: > > The following patches have been verified to apply to the applicable > FreeBSD release branches. > > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. > > [FreeBSD 8.4 and FreeBSD 9.3] > # fetch https://security.FreeBSD.org/patches/SA-15:06/openssl-0.9.8.patch > # fetch https://security.FreeBSD.org/patches/SA-15:06/openssl-0.9.8.patch.asc > # gpg --verify openssl-0.9.8.patch.asc > > [FreeBSD 10.1] > # fetch https://security.FreeBSD.org/patches/SA-15:06/openssl-1.0.1.patch > # fetch https://security.FreeBSD.org/patches/SA-15:06/openssl-1.0.1.patch.asc > # gpg --verify openssl-1.0.1.patch.asc > > b) Apply the patch. Execute the following commands as root: > > # cd /usr/src > # patch < /path/to/patch > > c) Recompile the operating system using buildworld and installworld as > described in . > > Restart all deamons using the library, or reboot the system. > > VI. Correction details > > The following list contains the correction revision numbers for each > affected branch. > > Branch/path Revision > - ------------------------------------------------------------------------- > stable/8/ r280266 > releng/8.4/ r280268 > stable/9/ r280266 > releng/9.3/ r280268 > stable/10/ r280266 > releng/10.1/ r280268 > - ------------------------------------------------------------------------- > > To see which files were modified by a particular revision, run the > following command, replacing NNNNNN with the revision number, on a > machine with Subversion installed: > > # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base > > Or visit the following URL, replacing NNNNNN with the revision number: > > > > VII. References > > > > > > > > > > > > > > > > The latest revision of this advisory is available at > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v2.1.2 (FreeBSD) > > iQIcBAEBCgAGBQJVCwr1AAoJEO1n7NZdz2rnayEP/0w3Pba5k/1G0mJ1T9APNAns > hhXm0YuR/rNJ1XBooWEOctrijlsVChcIt8KvJCU9apOZWjDvm/nvaQ077GCi5RSp > jhQBs8MLVfXzwMbJ0/uBpp6ChF8uafk5O+gr8ulb2jG6VIaLkGOWPYv61aRYSGxy > R7+6FxD8M0lLbGOQGETy1HxKzeWztA2p0ILORNAsi+bF8GSJpxGhSxqDDi4+ic/C > 3oEw0zT/E6DhxJovOPebKq0eGcRbv7ETqDmtNQdqbOddV+0FY1E+nHtrAo6B/Kln > rL+meBJHmLeEREROFk4OvCynuROUJGmXJGKwjN3uOVM05qcEZS4NkVhFNrxt6S5H > t3wQ02SesbA3pbmce5OuXmlJgdL57DVlMb5sQjkqPeoJ6pn6Rz7VLSgLNfXDUSxs > x/Lgx0+qLQUubMud7zT97UIvZmDqFTWXfJu5S/0Qt8BPFunmoNJttJ5Cr+brzEtu > 5RLjcvkC1giVCpSXS96QbeT67uqSkMZa8gtII8bA77HBGA0Ky8AOwTAXbCiUovuH > sLwsI8KUC3lsKUh7eyLsSm2+wRHn0e6dZ1PE0JRazCnCRboTvMWK2d4R7ANdrwsq > CgtCWLRz6vbB9J4XTNupcEoZGhIA4RuOBqx43eQmaRw1HoV3vn85QP94oL5jzXBd > UQg3YfrXHDlxCsqEzN7o > =wi0T > -----END PGP SIGNATURE----- > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > > -- ------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet services since 1994 www.sentex.net Cambridge, Ontario Canada http://www.tancsa.com/ From owner-freebsd-security@FreeBSD.ORG Thu Mar 19 22:18:34 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 074A9D40 for ; Thu, 19 Mar 2015 22:18:34 +0000 (UTC) Received: from lena.kiev.ua (lena.kiev.ua [64.247.20.119]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id BF2E2A2 for ; Thu, 19 Mar 2015 22:18:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lena.kiev.ua; s=3; h=In-Reply-To:Content-Type:Mime-Version:References:Message-ID:Subject:To:From:Date; bh=0bQalY8QTlpU3umCZmcqmEWHv8QKJkpqJgO8NFrnCz4=; b=cN2q0BsjwMNwU2wqrPDRu/U78SHGPT3rmNjv+380K5FrcI1RkPfvulpufN4M5nClZ+i9OKQ7a6hSJ7MB4JgGz5+zijXF0wf10hC+8fEqn/1MQoyqcgcUKKMboLZPa4cA4CB43/EXgzXXUHphqov03TSoEYmjdsi3CzD1SKYytSo=; Received: from ip-384c.rusanovka-net.kiev.ua ([94.244.56.76] helo=bedside.lena.kiev.ua) by lena.kiev.ua with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.85 (FreeBSD)) (envelope-from ) id 1YYilo-000LDj-Fp for freebsd-security@freebsd.org; Fri, 20 Mar 2015 00:18:31 +0200 Received: from bedside.lena.kiev.ua (localhost.lena.kiev.ua [127.0.0.1]) by bedside.lena.kiev.ua (8.15.1/8.14.9) with ESMTP id t2JMIIKB029317 for ; Fri, 20 Mar 2015 00:18:18 +0200 (EET) (envelope-from Lena@lena.kiev.ua) Received: (from lena@localhost) by bedside.lena.kiev.ua (8.15.1/8.14.9/Submit) id t2JMIIDM029316 for freebsd-security@freebsd.org; Fri, 20 Mar 2015 00:18:18 +0200 (EET) (envelope-from Lena@lena.kiev.ua) Date: Fri, 20 Mar 2015 00:18:18 +0200 From: Lena@lena.kiev.ua To: freebsd-security@freebsd.org Subject: Re: Security Advisory FreeBSD-SA-15:06.openssl Message-ID: <20150319221817.GB807@lena.kiev> Mail-Followup-To: freebsd-security@freebsd.org References: <201503191755.t2JHtdfl042593@freefall.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <201503191755.t2JHtdfl042593@freefall.freebsd.org> User-Agent: Mutt/1.4.2.3i X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Mar 2015 22:18:34 -0000 > No workaround is available. Isn't using OpenSSL from ports a workaround? From owner-freebsd-security@FreeBSD.ORG Thu Mar 19 22:19:52 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id E407DF11 for ; Thu, 19 Mar 2015 22:19:52 +0000 (UTC) Received: from anubis.delphij.net (anubis.delphij.net [IPv6:2001:470:1:117::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "anubis.delphij.net", Issuer "StartCom Class 1 Primary Intermediate Server CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id C9B6ACE for ; Thu, 19 Mar 2015 22:19:52 +0000 (UTC) Received: from zeta.ixsystems.com (unknown [12.229.62.2]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by anubis.delphij.net (Postfix) with ESMTPSA id 41D7A11F55; Thu, 19 Mar 2015 15:19:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=delphij.net; s=anubis; t=1426803592; x=1426817992; bh=VLEAxS98ch+vhRFA2CtRYyF9o+j+rHDp10i4Wv46XLk=; h=Date:From:Reply-To:To:Subject:References:In-Reply-To; b=PAJnEtLLbI01kW6m5hFWmhfidNllBElK+2NxdUaAKiAcn03l3VlmlabOwMnA5hKMx 8hoF0ogcsUNX3aaj/bR0KOj8vBVn4sqhbcXCh4U3n2YF8HjwVpFQIPFpDHnOvN/WIC iWGqU8zjuGur9AoBl55OztFwh64yrEMNHBhH0CgI= Message-ID: <550B4B87.1010402@delphij.net> Date: Thu, 19 Mar 2015 15:19:51 -0700 From: Xin Li Reply-To: d@delphij.net Organization: The FreeBSD Project MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: Re: Security Advisory FreeBSD-SA-15:06.openssl References: <201503191755.t2JHtdfl042593@freefall.freebsd.org> <20150319221817.GB807@lena.kiev> In-Reply-To: <20150319221817.GB807@lena.kiev> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Mar 2015 22:19:53 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 03/19/15 15:18, Lena@lena.kiev.ua wrote: >> No workaround is available. > > Isn't using OpenSSL from ports a workaround? Not really as that does not solve problem for applications shipped with base system. Cheers, - -- Xin LI https://www.delphij.net/ FreeBSD - The Power to Serve! Live free or die -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.1.2 (FreeBSD) iQIcBAEBCgAGBQJVC0uFAAoJEJW2GBstM+ns8NoP/Rtp/QlT2+asjUTFHmU7qvWB eI1aL/DMlbJz8C7G3piHDmKW5TRW6WV2PkwDJWghoYEtgF0oMasHhfcHrRnk4vid eWqHK/E60MVOaoVA7Ika04dwic+hNyQe0BkQANqo7tPyHfmHsZ2Kl8lutymXyaRF Vq3NIH6E2J+STYQip2wK/S8T4qm+cmUiBIIQfRR48/3NSTWSUXsGr+BSgLF4CW4j HrFStar4u2RciB/bgQPwy9adzKv2ETKQ1u4mgDwmVmZeFPlajIHAOO9fOuQh+/Vc uTlyHYPm9RDNrO8JKHZFxwQVjInkq9keeeX8WU56Z0kbsoNaq5wObBnJGEYxiZnW PCGdL0VMMgMCJ1UO6ORG36KyhUAZge9VD7gAvOBqEqdwyJlebsfxMZJLmtQvplwi FyQd24vIuR3P2E17Ba7QRuerqj2GsEtvaAa+d4D27laX7dKUDfRQWSXkEOo0d0o2 QSCZSAU3FO+yn28hem0IcQfCBWXZmoDUnlEQrvfGHpMlpuv0tA0r8eb16kNV7sN6 R0KvDeAFBoKKPej3kXvLtV9c48S5ohq6v7nT9w//CdWXErBWfZjqYpDzpJA8Dz7h ouQr92QTL7Yul80pAYwKhtScP54SjqGlYwZdlXgEjoBeLCcxjhvOjQoC8wuqjo0x 8DK6UoHDwk1oLrG2k6KJ =aqdY -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Thu Mar 19 22:11:47 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 2D6A9AE2 for ; Thu, 19 Mar 2015 22:11:47 +0000 (UTC) Received: from ox.tedunangst.com (ox.tedunangst.com [208.82.130.146]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id BD3F2FE7 for ; Thu, 19 Mar 2015 22:11:46 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]); by ox.tedunangst.com (OpenSMTPD) with ESMTP id 92644697; for ; Thu, 19 Mar 2015 18:05:06 -0400 (EDT) From: "Ted Unangst" Message-ID: To: freebsd-security@freebsd.org Date: Thu, 19 Mar 2015 18:04:44 -0400 Subject: bad patch for openssl Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset=utf-8 X-Mailman-Approved-At: Thu, 19 Mar 2015 22:31:08 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Mar 2015 22:11:47 -0000 I notice the posted patch includes a change to tasn_dec.c that doesn't work. - if (ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0) - return *pval; + if (pval && *pval && it->itype == ASN1_ITYPE_PRIMITIVE) + ptmpval = *pval; + if (ASN1_item_ex_d2i(&ptmpval, in, len, it, -1, 0, 0, &c) > 0) { This will, among other things, prevent nginx 1.6 from loading keys. The diff was included in the preannouncement material, but is not part of the any of the final openssl releases. From owner-freebsd-security@FreeBSD.ORG Fri Mar 20 01:24:13 2015 Return-Path: Delivered-To: freebsd-security@FreeBSD.ORG Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 201D4902; Fri, 20 Mar 2015 01:24:13 +0000 (UTC) Received: from anubis.delphij.net (anubis.delphij.net [IPv6:2001:470:1:117::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "anubis.delphij.net", Issuer "StartCom Class 1 Primary Intermediate Server CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 018DA89C; Fri, 20 Mar 2015 01:24:13 +0000 (UTC) Received: from zeta.ixsystems.com (unknown [12.229.62.2]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by anubis.delphij.net (Postfix) with ESMTPSA id BF61E125D9; Thu, 19 Mar 2015 18:24:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=delphij.net; s=anubis; t=1426814652; x=1426829052; bh=/JXovibgxcm1MWi6snrMP8Sl7NcAGpdHDN6cpXvXyo4=; h=Date:From:Reply-To:To:Subject; b=qBS1Cz0rHUqbPxWOW3aq9WkuyDquFD0peMbGQehCH7nZCHmdijiUkLuyel4IbVug+ s4i2NjuboO/t1DXlyxWNhNNW82Yp5E2nNTEnuZmGCzmWsc7ljBu8/OXOUAabvXxCah yltUZcSS6t4NzMftGIdWWU0SChMCn0Kbu1/Xq3HE= Message-ID: <550B76BC.4010605@delphij.net> Date: Thu, 19 Mar 2015 18:24:12 -0700 From: Xin Li Reply-To: d@delphij.net Organization: The FreeBSD Project MIME-Version: 1.0 To: freebsd-security@FreeBSD.ORG, FreeBSD Stable Mailing List Subject: HEADSUP -- issues with SA-15:06.openssl Content-Type: multipart/mixed; boundary="------------010900000507010806080301" X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 20 Mar 2015 01:24:13 -0000 This is a multi-part message in MIME format. --------------010900000507010806080301 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi, Please be advised that we have noticed some issues with SA-15:06.openssl and are actively working on validating the fix. A copy of draft errata patches is attached. My apologies for this mess. Revised advisories would be announced once we have made sure that everything is correct. Cheers, -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.1.2 (FreeBSD) iQIcBAEBCgAGBQJVC3a5AAoJEJW2GBstM+ns+s4P/A+M1xdhycNvo0qsSTfLcah1 uAvZnWLo7gobBM8CxlrgtrXkRsYwGp7Q6bzW63PA+8qE4FIht7/fgMpXNHufK8bz 1b/h0KrnPs7rEBe3K13RJEI5ufVb/Xj1mOVY59GCJ76QuekN9nEGbYRE2Fbg8yhE iOWLpNWKsQBPdDhMfqmayUZmuZf8pPhgIEwzEsSefnZhe1XrN5kX8s4T00aWieSz MbEkLRfOlVn+qeXlZOp6R96vEoNYaGeTnX7AN16wKg+0Sipk9AJBDFUODjPQgzIr 4BbL8TpW3DvC0cOOpJnYb4KVy7o+54QMFoDr0Gt0R/HZQj3lzdtOBbTFfNs82KDl wWPZB3G4CY5l2d1CYQjUQtXmuRnro3JrslBbx00RcLAs9deDtIoJVqHQv0wiLSlZ jv1lWZbyUhVw/9cY4A8c1QRs01YWGGPZV4cuO0RN56zs6ipIK/0XkzYrY+b2yWku U5slMwqhuREZ1ypLcfUwQHgnyX094wTXkuJQ2l+4dMiO8wV6gW5x3C2lOe/0OHYP L0Atb84aYvMG9RlFCTF6CB2226tRjqxuFhI+x2d0choVJpMt5SJ2cfBi5E3e9Ooy roPVTlOwB1tsYVi3fjYjwJZ5TiPDq3ekcByTmIrasrsFB5+9tBDBnRC5nERNITM4 o69NYExg60dSJ8p5RTeE =wG30 -----END PGP SIGNATURE----- --------------010900000507010806080301 Content-Type: text/plain; charset=UTF-8; name="openssl-1.0.1-errata.patch" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="openssl-1.0.1-errata.patch" SW5kZXg6IGNyeXB0by9vcGVuc3NsL2NyeXB0by9hc24xL3Rhc25fZGVjLmMKPT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PQotLS0gY3J5cHRvL29wZW5zc2wvY3J5cHRvL2FzbjEvdGFzbl9kZWMuYwkocmV2aXNp b24gMjgwMjcyKQorKysgY3J5cHRvL29wZW5zc2wvY3J5cHRvL2FzbjEvdGFzbl9kZWMuYwko d29ya2luZyBjb3B5KQpAQCAtMTI3LDIyICsxMjcsMTYgQEAgdW5zaWduZWQgbG9uZyBBU04x X3RhZzJiaXQoaW50IHRhZykKIAogQVNOMV9WQUxVRSAqQVNOMV9pdGVtX2QyaShBU04xX1ZB TFVFICoqcHZhbCwKIAkJY29uc3QgdW5zaWduZWQgY2hhciAqKmluLCBsb25nIGxlbiwgY29u c3QgQVNOMV9JVEVNICppdCkKLXsKKwl7CiAJQVNOMV9UTEMgYzsKIAlBU04xX1ZBTFVFICpw dG1wdmFsID0gTlVMTDsKKwlpZiAoIXB2YWwpCisJCXB2YWwgPSAmcHRtcHZhbDsKIAlhc24x X3RsY19jbGVhcl9uYygmYyk7Ci0JaWYgKHB2YWwgJiYgKnB2YWwgJiYgaXQtPml0eXBlID09 IEFTTjFfSVRZUEVfUFJJTUlUSVZFKQotCQlwdG1wdmFsID0gKnB2YWw7Ci0JaWYgKEFTTjFf aXRlbV9leF9kMmkoJnB0bXB2YWwsIGluLCBsZW4sIGl0LCAtMSwgMCwgMCwgJmMpID4gMCkg ewotCQlpZiAocHZhbCAmJiBpdC0+aXR5cGUgIT0gQVNOMV9JVFlQRV9QUklNSVRJVkUpIHsK LQkJCWlmICgqcHZhbCkKLQkJCQlBU04xX2l0ZW1fZnJlZSgqcHZhbCwgaXQpOwotCQkJKnB2 YWwgPSBwdG1wdmFsOwotCQl9Ci0JCXJldHVybiBwdG1wdmFsOworCWlmIChBU04xX2l0ZW1f ZXhfZDJpKHB2YWwsIGluLCBsZW4sIGl0LCAtMSwgMCwgMCwgJmMpID4gMCkgCisJCXJldHVy biAqcHZhbDsKKwlyZXR1cm4gTlVMTDsKIAl9Ci0JcmV0dXJuIE5VTEw7Ci19CiAKIGludCBB U04xX3RlbXBsYXRlX2QyaShBU04xX1ZBTFVFICoqcHZhbCwKIAkJY29uc3QgdW5zaWduZWQg Y2hhciAqKmluLCBsb25nIGxlbiwgY29uc3QgQVNOMV9URU1QTEFURSAqdHQpCkluZGV4OiBj cnlwdG8vb3BlbnNzbC9jcnlwdG8vZWMvZWNfYXNuMS5jCj09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIGNy eXB0by9vcGVuc3NsL2NyeXB0by9lYy9lY19hc24xLmMJKHJldmlzaW9uIDI4MDI3MikKKysr IGNyeXB0by9vcGVuc3NsL2NyeXB0by9lYy9lY19hc24xLmMJKHdvcmtpbmcgY29weSkKQEAg LTExNDIsOCArMTE0Miw2IEBAIEVDX0tFWSAqZDJpX0VDUHJpdmF0ZUtleShFQ19LRVkgKiph LCBjb25zdCB1bnNpZ25lCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBFUlJf Ul9NQUxMT0NfRkFJTFVSRSk7CiAJCQlnb3RvIGVycjsKIAkJCX0KLQkJaWYgKGEpCi0JCQkq YSA9IHJldDsKIAkJfQogCWVsc2UKIAkJcmV0ID0gKmE7CkBAIC0xMjI1LDExICsxMjIzLDEz IEBAIEVDX0tFWSAqZDJpX0VDUHJpdmF0ZUtleShFQ19LRVkgKiphLCBjb25zdCB1bnNpZ25l CiAJCXJldC0+ZW5jX2ZsYWcgfD0gRUNfUEtFWV9OT19QVUJLRVk7CiAJCX0KIAorCWlmIChh KQorCQkqYSA9IHJldDsKIAlvayA9IDE7CiBlcnI6CiAJaWYgKCFvaykKIAkJewotCQlpZiAo cmV0KQorCQlpZiAocmV0ICYmIChhID09IE5VTEwgfHwgKmEgIT0gcmV0KSkKIAkJCUVDX0tF WV9mcmVlKHJldCk7CiAJCXJldCA9IE5VTEw7CiAJCX0KSW5kZXg6IGNyeXB0by9vcGVuc3Ns L2NyeXB0by94NTA5L3g1MDlfcmVxLmMKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gY3J5cHRvL29wZW5z c2wvY3J5cHRvL3g1MDkveDUwOV9yZXEuYwkocmV2aXNpb24gMjgwMjcyKQorKysgY3J5cHRv L29wZW5zc2wvY3J5cHRvL3g1MDkveDUwOV9yZXEuYwkod29ya2luZyBjb3B5KQpAQCAtOTIs NiArOTIsOCBAQCBYNTA5X1JFUSAqWDUwOV90b19YNTA5X1JFUShYNTA5ICp4LCBFVlBfUEtF WSAqcGtleQogCQlnb3RvIGVycjsKIAogCXBrdG1wID0gWDUwOV9nZXRfcHVia2V5KHgpOwor CWlmIChwa3RtcCA9PSBOVUxMKQorCQlnb3RvIGVycjsKIAlpPVg1MDlfUkVRX3NldF9wdWJr ZXkocmV0LHBrdG1wKTsKIAlFVlBfUEtFWV9mcmVlKHBrdG1wKTsKIAlpZiAoIWkpIGdvdG8g ZXJyOwo= --------------010900000507010806080301 Content-Type: text/plain; charset=UTF-8; name="openssl-0.9.8-errata.patch" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="openssl-0.9.8-errata.patch" SW5kZXg6IGNyeXB0by9vcGVuc3NsL2NyeXB0by9hc24xL3Rhc25fZGVjLmMKPT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PQotLS0gY3J5cHRvL29wZW5zc2wvY3J5cHRvL2FzbjEvdGFzbl9kZWMuYwkocmV2aXNp b24gMjgwMjcyKQorKysgY3J5cHRvL29wZW5zc2wvY3J5cHRvL2FzbjEvdGFzbl9kZWMuYwko d29ya2luZyBjb3B5KQpAQCAtMTI1LDIzICsxMjUsMTYgQEAgdW5zaWduZWQgbG9uZyBBU04x X3RhZzJiaXQoaW50IHRhZykKIAogQVNOMV9WQUxVRSAqQVNOMV9pdGVtX2QyaShBU04xX1ZB TFVFICoqcHZhbCwKIAkJY29uc3QgdW5zaWduZWQgY2hhciAqKmluLCBsb25nIGxlbiwgY29u c3QgQVNOMV9JVEVNICppdCkKLXsKKwl7CiAJQVNOMV9UTEMgYzsKIAlBU04xX1ZBTFVFICpw dG1wdmFsID0gTlVMTDsKKwlpZiAoIXB2YWwpCisJCXB2YWwgPSAmcHRtcHZhbDsKIAljLnZh bGlkID0gMDsKLQlpZiAocHZhbCAmJiAqcHZhbCAmJiBpdC0+aXR5cGUgPT0gQVNOMV9JVFlQ RV9QUklNSVRJVkUpCi0JCXB0bXB2YWwgPSAqcHZhbDsKLQotCWlmIChBU04xX2l0ZW1fZXhf ZDJpKCZwdG1wdmFsLCBpbiwgbGVuLCBpdCwgLTEsIDAsIDAsICZjKSA+IDApIHsKLQkJaWYg KHB2YWwgJiYgaXQtPml0eXBlICE9IEFTTjFfSVRZUEVfUFJJTUlUSVZFKSB7Ci0JCQlpZiAo KnB2YWwpCi0JCQkJQVNOMV9pdGVtX2ZyZWUoKnB2YWwsIGl0KTsKLQkJCSpwdmFsID0gcHRt cHZhbDsKLQkJfQotCQlyZXR1cm4gcHRtcHZhbDsKKwlpZiAoQVNOMV9pdGVtX2V4X2QyaShw dmFsLCBpbiwgbGVuLCBpdCwgLTEsIDAsIDAsICZjKSA+IDApIAorCQlyZXR1cm4gKnB2YWw7 CisJcmV0dXJuIE5VTEw7CiAJfQotCXJldHVybiBOVUxMOwotfQogCiBpbnQgQVNOMV90ZW1w bGF0ZV9kMmkoQVNOMV9WQUxVRSAqKnB2YWwsCiAJCWNvbnN0IHVuc2lnbmVkIGNoYXIgKipp biwgbG9uZyBsZW4sIGNvbnN0IEFTTjFfVEVNUExBVEUgKnR0KQpJbmRleDogY3J5cHRvL29w ZW5zc2wvY3J5cHRvL2VjL2VjX2FzbjEuYwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBjcnlwdG8vb3Bl bnNzbC9jcnlwdG8vZWMvZWNfYXNuMS5jCShyZXZpc2lvbiAyODAyNzIpCisrKyBjcnlwdG8v b3BlbnNzbC9jcnlwdG8vZWMvZWNfYXNuMS5jCSh3b3JraW5nIGNvcHkpCkBAIC0xMTI2LDgg KzExMjYsNiBAQCBFQ19LRVkgKmQyaV9FQ1ByaXZhdGVLZXkoRUNfS0VZICoqYSwgY29uc3Qg dW5zaWduZQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVJSX1JfTUFMTE9D X0ZBSUxVUkUpOwogCQkJZ290byBlcnI7CiAJCQl9Ci0JCWlmIChhKQotCQkJKmEgPSByZXQ7 CiAJCX0KIAllbHNlCiAJCXJldCA9ICphOwpAQCAtMTE5MiwxMSArMTE5MCwxMyBAQCBFQ19L RVkgKmQyaV9FQ1ByaXZhdGVLZXkoRUNfS0VZICoqYSwgY29uc3QgdW5zaWduZQogCQkJfQog CQl9CiAKKwlpZiAoYSkKKwkJKmEgPSByZXQ7CiAJb2sgPSAxOwogZXJyOgogCWlmICghb2sp CiAJCXsKLQkJaWYgKHJldCkKKwkJaWYgKHJldCAmJiAoYSA9PSBOVUxMIHx8ICphICE9IHJl dCkpCiAJCQlFQ19LRVlfZnJlZShyZXQpOwogCQlyZXQgPSBOVUxMOwogCQl9CkluZGV4OiBj cnlwdG8vb3BlbnNzbC9jcnlwdG8veDUwOS94NTA5X3JlcS5jCj09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0t IGNyeXB0by9vcGVuc3NsL2NyeXB0by94NTA5L3g1MDlfcmVxLmMJKHJldmlzaW9uIDI4MDI3 MikKKysrIGNyeXB0by9vcGVuc3NsL2NyeXB0by94NTA5L3g1MDlfcmVxLmMJKHdvcmtpbmcg Y29weSkKQEAgLTkxLDYgKzkxLDggQEAgWDUwOV9SRVEgKlg1MDlfdG9fWDUwOV9SRVEoWDUw OSAqeCwgRVZQX1BLRVkgKnBrZXkKIAkJZ290byBlcnI7CiAKIAlwa3RtcCA9IFg1MDlfZ2V0 X3B1YmtleSh4KTsKKwlpZiAocGt0bXAgPT0gTlVMTCkKKwkJZ290byBlcnI7CiAJaT1YNTA5 X1JFUV9zZXRfcHVia2V5KHJldCxwa3RtcCk7CiAJRVZQX1BLRVlfZnJlZShwa3RtcCk7CiAJ aWYgKCFpKSBnb3RvIGVycjsK --------------010900000507010806080301-- From owner-freebsd-security@FreeBSD.ORG Fri Mar 20 07:29:44 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id AB12296A; Fri, 20 Mar 2015 07:29:44 +0000 (UTC) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 94923EC8; Fri, 20 Mar 2015 07:29:44 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.9/8.14.9) with ESMTP id t2K7Ti9w023434; Fri, 20 Mar 2015 07:29:44 GMT (envelope-from security-advisories@freebsd.org) Received: (from delphij@localhost) by freefall.freebsd.org (8.14.9/8.14.9/Submit) id t2K7TipS023432; Fri, 20 Mar 2015 07:29:44 GMT (envelope-from security-advisories@freebsd.org) Date: Fri, 20 Mar 2015 07:29:44 GMT Message-Id: <201503200729.t2K7TipS023432@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: delphij set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-15:06.openssl [REVISED] Reply-To: freebsd-security@freebsd.org Precedence: bulk X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 20 Mar 2015 07:29:44 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-15:06.openssl Security Advisory The FreeBSD Project Topic: Multiple OpenSSL vulnerabilities Category: contrib Module: openssl Announced: 2015-03-19; Last revised on 2015-03-20. Affects: All supported versions of FreeBSD. Corrected: 2015-03-20 07:11:20 UTC (stable/10, 10.1-STABLE) 2015-03-20 07:12:02 UTC (releng/10.1, 10.1-RELEASE-p8) 2015-03-20 07:11:20 UTC (stable/9, 9.3-STABLE) 2015-03-20 07:12:02 UTC (releng/9.3, 9.3-RELEASE-p12) 2015-03-20 07:11:20 UTC (stable/8, 8.4-STABLE) 2015-03-20 07:12:02 UTC (releng/8.4, 8.4-RELEASE-p26) CVE Name: CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0293 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . 0. Revision history v1.0 2015-03-19 Initial release. v1.1 2015-03-20 Reverted a portion of change that should not belong to the advisory and did not end up in the final OpenSSL release. The patch is also revised to include fixes for CVE-2015-0209 and CVE-2015-0288. I. Background FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. Abstract Syntax Notation One (ASN.1) is a standard and notation that describes rules and structures for representing, encoding, transmitting, and decoding data in telecommunications and computer networking, which enables representation of objects that are independent of machine-specific encoding technique. II. Problem Description A malformed elliptic curve private key file could cause a use-after-free condition in the d2i_ECPrivateKey function. [CVE-2015-0209] An attempt to compare ASN.1 boolean types will cause the ASN1_TYPE_cmp function to crash with an invalid read. [CVE-2015-0286] Reusing a structure in ASN.1 parsing may allow an attacker to cause memory corruption via an invalid write. [CVE-2015-0287] The function X509_to_X509_REQ will crash with a NULL pointer dereference if the certificate key is invalid. [CVE-2015-0288] The PKCS#7 parsing code does not handle missing outer ContentInfo correctly. [CVE-2015-0289] A malicious client can trigger an OPENSSL_assert in servers that both support SSLv2 and enable export cipher suites by sending a specially crafted SSLv2 CLIENT-MASTER-KEY message. [CVE-2015-0293] III. Impact A malformed elliptic curve private key file can cause server daemons using OpenSSL to crash, resulting in a Denial of Service. [CVE-2015-0209] A remote attacker who is able to send specifically crafted certificates may be able to crash an OpenSSL client or server. [CVE-2015-0286] An attacker who can cause invalid writes with applications that parse structures containing CHOICE or ANY DEFINED BY components and reusing the structures may be able to cause them to crash. Such reuse is believed to be rare. OpenSSL clients and servers are not affected. [CVE-2015-0287] An attacker may be able to crash applications that create a new certificate request with subject name the same as in an existing, specifically crafted certificate. This usage is rare in practice. [CVE-2015-0288] An attacker may be able to crash applications that verify PKCS#7 signatures, decrypt PKCS#7 data or otherwise parse PKCS#7 structures with specifically crafted certificates. [CVE-2015-0289] A malicious client can trigger an OPENSSL_assert in servers that both support SSLv2 and enable export cipher suites by sending a carefully crafted SSLv2 CLIENT-MASTER-KEY message, resulting in a Denial of Service. [CVE-2015-0293] Note that two issues in the original OpenSSL advisory, CVE-2015-0204 and CVE-2015-0292, were already addressed by FreeBSD-SA-15:01.openssl and FreeBSD-EN-15:02.openssl. IV. Workaround No workaround is available. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 8.4 and FreeBSD 9.3] # fetch https://security.FreeBSD.org/patches/SA-15:06/openssl-0.9.8.patch # fetch https://security.FreeBSD.org/patches/SA-15:06/openssl-0.9.8.patch.asc # gpg --verify openssl-0.9.8.patch.asc # fetch https://security.FreeBSD.org/patches/SA-15:06/openssl-0.9.8-errata.patch # fetch https://security.FreeBSD.org/patches/SA-15:06/openssl-0.9.8-errata.patch.asc # gpg --verify openssl-0.9.8-errata.patch.asc [FreeBSD 10.1] # fetch https://security.FreeBSD.org/patches/SA-15:06/openssl-1.0.1.patch # fetch https://security.FreeBSD.org/patches/SA-15:06/openssl-1.0.1.patch.asc # gpg --verify openssl-1.0.1.patch.asc # fetch https://security.FreeBSD.org/patches/SA-15:06/openssl-1.0.1-errata.patch # fetch https://security.FreeBSD.org/patches/SA-15:06/openssl-1.0.1-errata.patch.asc # gpg --verify openssl-1.0.1-errata.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart all deamons using the library, or reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/8/ r280274 releng/8.4/ r280275 stable/9/ r280274 releng/9.3/ r280275 stable/10/ r280274 releng/10.1/ r280275 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.1.2 (FreeBSD) iQIcBAEBCgAGBQJVC8m8AAoJEO1n7NZdz2rn/lQP/1ZrUSnxaoaZxQbLrBZlg7Jr dAgjo4JTSPwyJM3gQY+WD1WPChxIJvbndR/NQux9grrn6N06kD+q0DUHOXi6MAL0 TqMEGxAqVlIUVdn18xZJaIwEzcx5HJKQz2UOMk3UGjy3WSh93p25oewF/cIcaryN FKAmpXmmPm77Qv5Vr1st8OyjnP7XiMmerSEWVGqFLsJPye5lvHcPOZrzQkRQRQJf 1b896UaOezw4v8C2HJvJMrQLN4l/ahCV6NsuQnN1/yzo8cS75OxMsooo8VgA8k0G ADuNFb1oZIygoin6ZOxlSHeeh+A6mdhitU4hNNy2rBNTC9IwijCg/dx/x1rutAxb 3MHUcCmF0sNewTkDwdzSvVCR4pYAAPI3yG0gUlXMTepQpH6Ozjf77OPW5KQPVGzf ijqOS32hprqVklDu2yREUv1AY0srboES5b9XQyfkFCFyNF8VX3OaDL8jHdfQezSx njF8UVUydmC7szDCW+MmQoNo4NaPCLd2m3l25RRD8SAdR9jB8WIox59E1k2O+LP/ rgO6wial36CUiTc5SdbCzVom9K/KhKXeBWAlCnK9R9DCNaUaiBIvTBngtGdfjxxi bJxoSqXSnfVwhGE565cwtODR/qMfRxY6Z8g4JEkSQN5SmzezmyLCdmXCpktHkC21 XQG0M1dIh8m3m67rEyE6 =C2Zp -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Fri Mar 20 07:48:40 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id A762E393 for ; Fri, 20 Mar 2015 07:48:40 +0000 (UTC) Received: from david.siemens.de (david.siemens.de [192.35.17.14]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "david.siemens.de", Issuer "savelogs.saacon.net" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id ACB2324A for ; Fri, 20 Mar 2015 07:48:38 +0000 (UTC) Received: from mail3.siemens.de (localhost [127.0.0.1]) by david.siemens.de (8.14.3/8.14.3) with ESMTP id t2K7dxbD004016 for ; Fri, 20 Mar 2015 08:40:00 +0100 Received: from curry.mchp.siemens.de (curry.mchp.siemens.de [139.25.40.130]) by mail3.siemens.de (8.14.3/8.14.3) with ESMTP id t2K7dx1U032106 for ; Fri, 20 Mar 2015 08:39:59 +0100 Received: (from user@localhost) by curry.mchp.siemens.de (8.14.9/8.14.9) id t2K7dxoF060215 for freebsd-security@freebsd.org; Fri, 20 Mar 2015 08:39:59 +0100 (CET) Date: Fri, 20 Mar 2015 08:39:59 +0100 From: Andre Albsmeier To: freebsd-security@freebsd.org Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-15:06.openssl [REVISED] Message-ID: <20150320073959.GA53754@bali> References: <201503200729.t2K7Tiko023425@freefall.freebsd.org> MIME-Version: 1.0 In-Reply-To: <201503200729.t2K7Tiko023425@freefall.freebsd.org> X-Echelon: X-Advice: Drop that crappy M$-Outlook, I'm tired of your viruses! User-Agent: Mutt/1.5.21 (2010-09-15) Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.18-1 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 20 Mar 2015 07:48:40 -0000 On Fri, 20-Mar-2015 at 07:29:44 +0000, FreeBSD Security Advisories wrote: > ============================================================================= > FreeBSD-SA-15:06.openssl Security Advisory > The FreeBSD Project > ... > > # fetch https://security.FreeBSD.org/patches/SA-15:06/openssl-0.9.8-errata.patch Page not found, see attachment. Regards, -Andre From owner-freebsd-security@FreeBSD.ORG Fri Mar 20 15:26:48 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 56B1DB45 for ; Fri, 20 Mar 2015 15:26:48 +0000 (UTC) Received: from proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 320F2BE5 for ; Fri, 20 Mar 2015 15:26:47 +0000 (UTC) Received: from [10.20.30.101] (50-1-51-95.dsl.dynamic.fusionbroadband.com [50.1.51.95]) (authenticated bits=0) by proper.com (8.15.1/8.14.9) with ESMTPSA id t2KFLpaf031488 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Fri, 20 Mar 2015 08:21:52 -0700 (MST) (envelope-from paul.hoffman@vpnc.org) X-Authentication-Warning: proper.com: Host 50-1-51-95.dsl.dynamic.fusionbroadband.com [50.1.51.95] claimed to be [10.20.30.101] Content-Type: multipart/signed; boundary="Apple-Mail=_D364B4D6-B596-4AF0-85F5-F6D1B390ABE1"; protocol="application/pgp-signature"; micalg=pgp-sha256 Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\)) Subject: Failure on 10.0? Re: FreeBSD Security Advisory FreeBSD-SA-15:06.openssl [REVISED] X-Pgp-Agent: GPGMail 2.5b6 From: Paul Hoffman In-Reply-To: <201503200729.t2K7TipS023432@freefall.freebsd.org> Date: Fri, 20 Mar 2015 08:21:51 -0700 Message-Id: <29606747-8C51-4EF3-B507-46A75661E738@vpnc.org> References: <201503200729.t2K7TipS023432@freefall.freebsd.org> To: freebsd-security@freebsd.org X-Mailer: Apple Mail (2.2070.6) X-Mailman-Approved-At: Fri, 20 Mar 2015 16:23:05 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 20 Mar 2015 15:26:48 -0000 --Apple-Mail=_D364B4D6-B596-4AF0-85F5-F6D1B390ABE1 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii # sudo freebsd-update fetch Looking up update.FreeBSD.org mirrors... 5 mirrors found. Fetching metadata signature for 10.0-RELEASE from update6.freebsd.org... = done. Fetching metadata index... done. Inspecting system... done. Preparing to download files... done. The following files will be added as part of updating to = 10.0-RELEASE-p18: /usr/src/contrib/tzdata/zone1970.tab /usr/src/crypto/openssl/crypto/constant_time_locl.h /usr/src/crypto/openssl/crypto/constant_time_test.c /usr/src/crypto/openssl/doc/apps/c_rehash.pod /usr/src/crypto/openssl/doc/crypto/CMS_add1_signer.pod /usr/src/crypto/openssl/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod /usr/src/crypto/openssl/ssl/heartbeat_test.c /usr/src/crypto/openssl/ssl/ssl_utst.c /usr/src/crypto/openssl/util/mkbuildinf.pl /usr/src/secure/lib/libcrypto/man/CMS_add1_signer.3 /usr/src/secure/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3 /usr/src/secure/usr.bin/openssl/man/c_rehash.1 WARNING: FreeBSD 10.0-RELEASE-p18 HAS PASSED ITS END-OF-LIFE DATE. Any security issues discovered after Sat Feb 28 19:00:00 EST 2015 will not have been corrected. # sudo freebsd-update install Installing updates...install: ///usr/src/contrib/tzdata/zone1970.tab: No = such file or directory install: ///usr/src/crypto/openssl/crypto/constant_time_locl.h: No such = file or directory install: ///usr/src/crypto/openssl/crypto/constant_time_test.c: No such = file or directory install: ///usr/src/crypto/openssl/doc/apps/c_rehash.pod: No such file = or directory install: ///usr/src/crypto/openssl/doc/crypto/CMS_add1_signer.pod: No = such file or directory install: = ///usr/src/crypto/openssl/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod: = No such file or directory install: ///usr/src/crypto/openssl/ssl/heartbeat_test.c: No such file or = directory install: ///usr/src/crypto/openssl/ssl/ssl_utst.c: No such file or = directory install: ///usr/src/crypto/openssl/util/mkbuildinf.pl: No such file or = directory install: ///usr/src/secure/lib/libcrypto/man/CMS_add1_signer.3: No such = file or directory install: = ///usr/src/secure/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3: No = such file or directory install: ///usr/src/secure/usr.bin/openssl/man/c_rehash.1: No such file = or directory done. It doesn't look like OpenSSL got updated, and it looks like a bunch of = the attempted updates failed. Was this advisory tested on 10.0? --Paul Hoffman --Apple-Mail=_D364B4D6-B596-4AF0-85F5-F6D1B390ABE1 Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP using GPGMail -----BEGIN PGP SIGNATURE----- iQEcBAEBCAAGBQJVDDsPAAoJEJz/fXByZmLZzVIH/AgFRIjez8UT/VviEDpBJzu7 tPabVAV50+GRloFC+QoMuwA+ds9b13kF7fA1IN+h0I0tRNukIr6j+yMZK0U/coZt L/PUzXL3XiRyJyp0tWi+7pBBVioVNXMwhVEOc05kETC5zfYCbdJiUIwKLERLtcpt pPwU747/WnnYoN5iw/b7bsvcIaMl3Vai4tRVsaWurTpj4TxOtKzZF9vFUEfikVPG 2Ic1Yow5TrW+7wLKgEbpNoPVs1yN6JQHZuFbGhaymixpj8hLUjTBQjmpdEtZF7Ge P8hE3U2Xo4OoVPGYTr1jMMV0TYA9P5SpNhsE1x0X04AnSUZd2uQFNPHAb0Svtew= =2tpW -----END PGP SIGNATURE----- --Apple-Mail=_D364B4D6-B596-4AF0-85F5-F6D1B390ABE1-- From owner-freebsd-security@FreeBSD.ORG Fri Mar 20 18:42:25 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 4274DC3A for ; Fri, 20 Mar 2015 18:42:25 +0000 (UTC) Received: from mail-la0-x22f.google.com (mail-la0-x22f.google.com [IPv6:2a00:1450:4010:c03::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id B4214782 for ; Fri, 20 Mar 2015 18:42:24 +0000 (UTC) Received: by labjg1 with SMTP id jg1so93875611lab.2 for ; Fri, 20 Mar 2015 11:42:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=1ndFk7c92oAsuwsqcUBdr/IY6qAwB7C2yPBsb52eJIc=; b=aslthGzElj5TVBD3muKOlYmzi5nqthIwA+IU+qMJFvXlURR/QCIlA8ruTP+EvMOMRx uJoTUqGU3X36b+5trpRVbtFZiMY+Fw9jT4p1Z5eXM8ypyER3Jrvj67DouQmwpag8xrfa 2iN3TYKGcNHoT+87u/2+LWjwE23aGyq1kx+zP2MM1SI3+qEWlpSzW4Ig0rx02Ak6Qc2E 1j56wXXxd55vEo6sYCX/6H/HHhuLVuAiSA/aLbI8g5F1c1cG/wMQZ1/wnWEKiTN2Ym5k LZ5QBD0cMI7YHSBX7RkleEX74FMV8Uv9p5+9hvUA1AU5ViHIKQs+yHrcSisDgxtAxdGn Glrw== MIME-Version: 1.0 X-Received: by 10.152.4.39 with SMTP id h7mr75811178lah.58.1426876942684; Fri, 20 Mar 2015 11:42:22 -0700 (PDT) Received: by 10.152.18.226 with HTTP; Fri, 20 Mar 2015 11:42:22 -0700 (PDT) In-Reply-To: <29606747-8C51-4EF3-B507-46A75661E738@vpnc.org> References: <201503200729.t2K7TipS023432@freefall.freebsd.org> <29606747-8C51-4EF3-B507-46A75661E738@vpnc.org> Date: Fri, 20 Mar 2015 20:42:22 +0200 Message-ID: Subject: Re: Failure on 10.0? Re: FreeBSD Security Advisory FreeBSD-SA-15:06.openssl [REVISED] From: Kimmo Paasiala To: Paul Hoffman Content-Type: text/plain; charset=UTF-8 Cc: freebsd-security X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 20 Mar 2015 18:42:25 -0000 On Fri, Mar 20, 2015 at 5:21 PM, Paul Hoffman wrote: > # sudo freebsd-update fetch > Looking up update.FreeBSD.org mirrors... 5 mirrors found. > Fetching metadata signature for 10.0-RELEASE from update6.freebsd.org... done. > Fetching metadata index... done. > Inspecting system... done. > Preparing to download files... done. > > The following files will be added as part of updating to 10.0-RELEASE-p18: > /usr/src/contrib/tzdata/zone1970.tab > /usr/src/crypto/openssl/crypto/constant_time_locl.h > /usr/src/crypto/openssl/crypto/constant_time_test.c > /usr/src/crypto/openssl/doc/apps/c_rehash.pod > /usr/src/crypto/openssl/doc/crypto/CMS_add1_signer.pod > /usr/src/crypto/openssl/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod > /usr/src/crypto/openssl/ssl/heartbeat_test.c > /usr/src/crypto/openssl/ssl/ssl_utst.c > /usr/src/crypto/openssl/util/mkbuildinf.pl > /usr/src/secure/lib/libcrypto/man/CMS_add1_signer.3 > /usr/src/secure/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3 > /usr/src/secure/usr.bin/openssl/man/c_rehash.1 > > WARNING: FreeBSD 10.0-RELEASE-p18 HAS PASSED ITS END-OF-LIFE DATE. > Any security issues discovered after Sat Feb 28 19:00:00 EST 2015 > will not have been corrected. > > # sudo freebsd-update install > Installing updates...install: ///usr/src/contrib/tzdata/zone1970.tab: No such file or directory > install: ///usr/src/crypto/openssl/crypto/constant_time_locl.h: No such file or directory > install: ///usr/src/crypto/openssl/crypto/constant_time_test.c: No such file or directory > install: ///usr/src/crypto/openssl/doc/apps/c_rehash.pod: No such file or directory > install: ///usr/src/crypto/openssl/doc/crypto/CMS_add1_signer.pod: No such file or directory > install: ///usr/src/crypto/openssl/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod: No such file or directory > install: ///usr/src/crypto/openssl/ssl/heartbeat_test.c: No such file or directory > install: ///usr/src/crypto/openssl/ssl/ssl_utst.c: No such file or directory > install: ///usr/src/crypto/openssl/util/mkbuildinf.pl: No such file or directory > install: ///usr/src/secure/lib/libcrypto/man/CMS_add1_signer.3: No such file or directory > install: ///usr/src/secure/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3: No such file or directory > install: ///usr/src/secure/usr.bin/openssl/man/c_rehash.1: No such file or directory > done. > > It doesn't look like OpenSSL got updated, and it looks like a bunch of the attempted updates failed. Was this advisory tested on 10.0? > > --Paul Hoffman 10.0-RELEASE is not a supported release anymore, upgrade to 10.1. "WARNING: FreeBSD 10.0-RELEASE-p18 HAS PASSED ITS END-OF-LIFE DATE. Any security issues discovered after Sat Feb 28 19:00:00 EST 2015 will not have been corrected." https://www.freebsd.org/security/unsupported.html -Kimmo From owner-freebsd-security@FreeBSD.ORG Fri Mar 20 18:42:32 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 19CB6D06 for ; Fri, 20 Mar 2015 18:42:32 +0000 (UTC) Received: from lordcow.org (lordcow.org [41.203.5.188]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "devaux.za.net", Issuer "devaux.za.net" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 60AB0783 for ; Fri, 20 Mar 2015 18:42:31 +0000 (UTC) Received: from lordcow.org (localhost [127.0.0.1]) by lordcow.org (8.14.5/8.14.5) with ESMTP id t2KIEFkB008897 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-GCM-SHA384 bits=256 verify=NO) for ; Fri, 20 Mar 2015 20:14:15 +0200 (SAST) (envelope-from lordcow@lordcow.org) Received: (from lordcow@localhost) by lordcow.org (8.14.5/8.14.5/Submit) id t2KIEAXK008896 for freebsd-security@freebsd.org; Fri, 20 Mar 2015 20:14:10 +0200 (SAST) (envelope-from lordcow) Date: Fri, 20 Mar 2015 20:14:10 +0200 From: Gareth de Vaux To: freebsd-security@freebsd.org Subject: Re: Failure on 10.0? Re: FreeBSD Security Advisory FreeBSD-SA-15:06.openssl [REVISED] Message-ID: <20150320181410.GA8790@lordcow.org> References: <201503200729.t2K7TipS023432@freefall.freebsd.org> <29606747-8C51-4EF3-B507-46A75661E738@vpnc.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <29606747-8C51-4EF3-B507-46A75661E738@vpnc.org> User-Agent: Mutt/1.5.23 (2014-03-12) X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED autolearn=unavailable autolearn_force=no version=3.4.0 X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on lordcow.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 20 Mar 2015 18:42:32 -0000 On Fri 2015-03-20 (08:21), Paul Hoffman wrote: > It doesn't look like OpenSSL got updated, and it looks like a bunch of the attempted updates failed. Was this advisory tested on 10.0? I'm guessing this is pertinent: WARNING: FreeBSD 10.0-RELEASE-p18 HAS PASSED ITS END-OF-LIFE DATE. Need to run: freebsd-update -r 10.1-RELEASE upgrade From owner-freebsd-security@FreeBSD.ORG Fri Mar 20 18:46:38 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id ABC44118 for ; Fri, 20 Mar 2015 18:46:38 +0000 (UTC) Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mout.gmx.net", Issuer "TeleSec ServerPass DE-1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 426667F5 for ; Fri, 20 Mar 2015 18:46:37 +0000 (UTC) Received: from [192.168.0.143] ([95.91.226.238]) by mail.gmx.com (mrgmx002) with ESMTPSA (Nemesis) id 0LoE4f-1ZAqfK2bXN-00gJoD for ; Fri, 20 Mar 2015 19:46:35 +0100 Message-ID: <550C6B0A.7000504@gmx.de> Date: Fri, 20 Mar 2015 19:46:34 +0100 From: "lokadamus@gmx.de" User-Agent: Mozilla/5.0 (X11; FreeBSD i386; rv:31.0) Gecko/20100101 Thunderbird/31.5.0 MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: Re: Failure on 10.0? Re: FreeBSD Security Advisory FreeBSD-SA-15:06.openssl [REVISED] References: <201503200729.t2K7TipS023432@freefall.freebsd.org> <29606747-8C51-4EF3-B507-46A75661E738@vpnc.org> <20150320181410.GA8790@lordcow.org> In-Reply-To: <20150320181410.GA8790@lordcow.org> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit X-Provags-ID: V03:K0:8sMrANf4CZHBEUYBcWKtoX3UOO+QAwoW8h9xIbDOq8HUZBJaaMP EY9GRDbFXvbdbCXKQH4oWjiDvbF6YG+alJLb9fd4u3Au6RXvbkbvaRgsXbymMo+8uJ5BxDY LXDIQUx6giIcSQUUo7qFegq3Bv2hC73DygM8Slxba+lSE4oLFm8S16yZ7cImlpVMGZtdSYh c+dXFY78ER3i3FrFuyR/w== X-UI-Out-Filterresults: notjunk:1; X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 20 Mar 2015 18:46:38 -0000 On 03/20/15 19:14, Gareth de Vaux wrote: > On Fri 2015-03-20 (08:21), Paul Hoffman wrote: >> It doesn't look like OpenSSL got updated, and it looks like a >> bunch of the attempted updates failed. Was this advisory tested >> on 10.0? > > I'm guessing this is pertinent: > > WARNING: FreeBSD 10.0-RELEASE-p18 HAS PASSED ITS END-OF-LIFE DATE. > > Need to run: > > freebsd-update -r 10.1-RELEASE upgrade > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security To > unsubscribe, send any mail to > "freebsd-security-unsubscribe@freebsd.org" > Where is the problem to upgrade? type as root "freebsd-update -r 10.1-RELEASE upgrade" to get to 10.1. I'm not sure where the problem is. Greeting From owner-freebsd-security@FreeBSD.ORG Sat Mar 21 15:53:33 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id BE4F0501 for ; Sat, 21 Mar 2015 15:53:33 +0000 (UTC) Received: from new2-smtp.messagingengine.com (new2-smtp.messagingengine.com [66.111.4.224]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 8D9486D3 for ; Sat, 21 Mar 2015 15:53:33 +0000 (UTC) Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailnew.nyi.internal (Postfix) with ESMTP id 50C5CB05 for ; Sat, 21 Mar 2015 11:53:24 -0400 (EDT) Received: from web3 ([10.202.2.213]) by compute6.internal (MEProxy); Sat, 21 Mar 2015 11:53:26 -0400 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=message-id:x-sasl-enc:from:to :mime-version:content-transfer-encoding:content-type:in-reply-to :references:subject:date; s=smtpout; bh=P0h/bMvDM5C+7O2sgZIo5bDH Aag=; b=eRkhaTIOurvaXKQP0Tg+OD2GlX0aRrTG1ms3j56lWM3t1Bz0VSL2EKl/ o/CT9w2iwPBg2Eli7PcEf+qYZIfs+wjLOE7hEvbkVgnTgVYHcghZsAdJki3cJqQ1 g3+7JNifH+3wTAB3CHJFDyhPU9MlSrSOn3eETZw7Ala5Ewbr15A= Received: by web3.nyi.internal (Postfix, from userid 99) id 5323211D423; Sat, 21 Mar 2015 11:53:26 -0400 (EDT) Message-Id: <1426953206.3582932.243403710.625BD052@webmail.messagingengine.com> X-Sasl-Enc: pL/9Av4j9n3x0UNIxOCXR/1yBbZBDfpmE3hQ6i3Q6yp9 1426953206 From: Mark Felder To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface - ajax-15db86eb In-Reply-To: <29606747-8C51-4EF3-B507-46A75661E738@vpnc.org> References: <201503200729.t2K7TipS023432@freefall.freebsd.org> <29606747-8C51-4EF3-B507-46A75661E738@vpnc.org> Subject: Re: Failure on 10.0? Re: FreeBSD Security Advisory FreeBSD-SA-15:06.openssl [REVISED] Date: Sat, 21 Mar 2015 10:53:26 -0500 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 Mar 2015 15:53:33 -0000 On Fri, Mar 20, 2015, at 10:21, Paul Hoffman wrote: > > It doesn't look like OpenSSL got updated, and it looks like a bunch of > the attempted updates failed. Was this advisory tested on 10.0? > Those failures are for files in /usr/src. If you don't have the source code in /usr/src the updates to those files will fail. It is harmless. But as others have stated -- 10.0-RELEASE is End of Life.