Date:      Thu, 28 Mar 2024 08:51:58 -0600
From:      Alan Somers <asomers@freebsd.org>
To:        freebsd-stable@freebsd.org
Subject:   Re: FreeBSD Errata Notice FreeBSD-EN-24:08.kerberos
Message-ID:  <CAOtMX2imf-mfFYvOvH3pDmCVUNrKePF0STNKU7rw-pE_V09nvg@mail.gmail.com>
In-Reply-To: <20240328075045.EFBA13437@freefall.freebsd.org>
References:  <20240328075045.EFBA13437@freefall.freebsd.org>

On Thu, Mar 28, 2024 at 1:56 AM FreeBSD Errata Notices
<errata-notices@freebsd.org> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> =============================================================================
> FreeBSD-EN-24:08.kerberos                                       Errata Notice
>                                                           The FreeBSD Project
>
> Topic:          Kerberos segfaults when using weak crypto
>
> Category:       contrib
> Module:         heimdal
> Announced:      2024-03-28
> Affects:        FreeBSD 14.0
> Corrected:      2024-01-22 15:49:24 UTC (stable/14, 14.0-STABLE)
>                 2024-03-28 05:06:25 UTC (releng/14.0, 14.0-RELEASE-p6)
>
> For general information regarding FreeBSD Errata Notices and Security
> Advisories, including descriptions of the fields above, security
> branches, and the following sections, please visit
> <URL:https://security.FreeBSD.org/>.
>
> I.   Background
>
> FreeBSD includes Heimdal, an implementation of ASN.1/DER, PKIX, and Kerberos.
> It uses OpenSSL to provide a number of cryptographic routines.
>
> II.  Problem Description
>
> Weak crypto is provided by the openssl "legacy" provider which is not loaded
> by default.
>
> III. Impact
>
> Attempting to use weak crypto routines when the legacy provider is not loaded
> results in the application crashing.
>
> IV.  Workaround
>
> Edit /etc/ssl/openssl.cnf to load the legacy provider unconditionally.
>
> V.   Solution
>
> Upgrade your system to a supported FreeBSD stable or release / security
> branch (releng) dated after the correction date.
>
> Perform one of the following:
>
> 1) To update your system via a binary patch:
>
> Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
> or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
> utility:
>
> # freebsd-update fetch
> # freebsd-update install
>
> 2) To update your system via a source code patch:
>
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch https://security.FreeBSD.org/patches/EN-24:08/kerberos.patch
> # fetch https://security.FreeBSD.org/patches/EN-24:08/kerberos.patch.asc
> # gpg --verify kerberos.patch.asc
>
> b) Apply the patch.  Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile the operating system using buildworld and installworld as
> described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
>
> Restart all daemons that use the library, or reboot the system.
>
> VI.  Correction details
>
> This issue is corrected as of the corresponding Git commit hash in the
> following stable and release branches:
>
> Branch/path                             Hash                     Revision
> - -------------------------------------------------------------------------
> stable/14/                              c7db2e15e404    stable/14-n266467
> releng/14.0/                            c48fe39ad139  releng/14.0-n265415
> - -------------------------------------------------------------------------
>
> Run the following command to see which files were modified by a
> particular commit:
>
> # git show --stat <commit hash>
>
> Or visit the following URL, replacing NNNNNN with the hash:
>
> <URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
>
> To determine the commit count in a working tree (for comparison against
> nNNNNNN in the table above), run:
>
> # git rev-list --count --first-parent HEAD
>
> VII. References
>
> <other info on the problem>
>
> <URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272835>
>
> The latest revision of this advisory is available at
> <URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-24:08.kerberos.asc>
> -----BEGIN PGP SIGNATURE-----
>
> iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmYFGawACgkQbljekB8A
> Gu9Euw/+LX8qcrGUvA11MNOVemD+SEH/Ol97L4gLHhzGlWSf3VMq5F1KtY0VRwGK
> ykM3VsSAk3PoYHLn+jbHPuAMjJVym+MLg27ZZWlqnx2Z7/wk2KuAb9RVCUl4FnPy
> eTXzBNt3tCSYa2ZCRWEH+uN6dZh4o8VP0DWfrNdaazH7R7ezRmTzirvcQ39MXTcE
> 8wI+zQedVZG4OSuqOSFY21d70nlzqgs6ThY3K6KrtcaQGfenYBSQgFmjMJlBqtrb
> Mr1Yvgc+wE66Ara/Hz+/2L11bwjyFwT1dpO57DKrcyTaGTnSYiDQiDscUIAW0gCh
> bUMCgWCHq+kk7pAyUIMlRbdrA/6N/wmvwP/iO6GGxYmN0lNX8udxeZWz3OPPnbif
> anM5OGnvKFkkTzCqnpHumljolvJL0/VeD7XCNBBgWa1I46gFmmNZ7R2esm7UEdU8
> IR4Hk9EqGhfl+EwU7OW04/Hq3br667kXbVsq1TTVM4ht39K+WhVoxzirp7QzOGTJ
> WjRq6DK+44PyhQgnnAJgM/4gOGr5O/Y3ezRx4uj1S9L9faXTC5xlT8Vw78xU2wXq
> BjG7vXi5r9d4POjtRcNiaMVKXQPF/saGjHcPGrGnuBLC8AFG54bFycmvM5QzWqng
> AeRFOg+O8lkxLoQMDqJsNt8OMIk7vZHguwL7pt0tRtouuoaszU0=
> =UnED
> -----END PGP SIGNATURE-----

Cherry-picking the suggested hash doesn't work.  It produces a merge
conflict.  It looks like a second change is needed too:
aaf2c7fdb81a1dd9de9fc77c9313f4e60e68fa76 .  Should we update the
advisory to include both?



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAOtMX2imf-mfFYvOvH3pDmCVUNrKePF0STNKU7rw-pE_V09nvg>
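The workaround in the quoted notice (edit /etc/ssl/openssl.cnf so the OpenSSL legacy provider is loaded unconditionally) in concrete form, as an added example that is not text from the errata notice or from the FreeBSD project. It is an OpenSSL 3 configuration fragment; the section names openssl_init, provider_sect, default_sect and legacy_sect are labels chosen here (OpenSSL only fixes the top-level openssl_conf key and the providers/activate directives), and it assumes the legacy provider module is installed where OpenSSL looks for modules on the host.

```ini
# /etc/ssl/openssl.cnf fragment: load both the default and the legacy provider
# at library initialisation so that legacy ciphers/digests resolve instead of
# returning a NULL algorithm handle to callers such as Heimdal.
# Section names below are assumptions (any name works); openssl_conf is the
# key OpenSSL reads by default.
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
# Once any provider is activated here, the default provider is no longer
# loaded implicitly, so it must be activated explicitly as well; omitting
# default_sect would leave only the weak algorithms available.
default = default_sect
legacy  = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
```

Check the result with `openssl list -providers`, which should list both default and legacy, and `openssl list -cipher-algorithms`, which then includes the legacy ciphers. Two caveats: the change is global for every process that reads this file, so it re-enables weak algorithms for all OpenSSL consumers on the host, not just Kerberos; and it only papers over the crash, so it should be reverted once the system is updated past the correction date.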