Date: Sun, 6 Apr 2008 04:24:07 GMT
From: "M. Kozuka" <ma-kun@kozuka.jp>
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/122479: In the systems subsequent to FreeBSD7, openssl is older than 0.9.8g.
Message-ID: <200804060424.m364O7St005160@www.freebsd.org>
Resent-Message-ID: <200804060430.m364U1JT059338@freefall.freebsd.org>
>Number:         122479
>Category:       misc
>Synopsis:       In the systems subsequent to FreeBSD7, openssl is older than 0.9.8g.
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Sun Apr 06 04:30:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     M. Kozuka
>Release:        7.0-RELEASE
>Organization:
Kyoto University
>Environment:
FreeBSD sctp3.sctp.jp 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008 root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
In all versions of 0.9.8 prior to 0.9.8f, openssl has a vulnerability around DTLS1 processing. However, FreeBSD 7.0-RELEASE includes 0.9.8e.
>How-To-Repeat:
Using the openssl command, you can use DTLS1.

% /usr/bin/openssl s_server -dtls1 -accept 8080 -cert /usr/src/crypto/openssl/demos/sign/cert.pem -key /usr/src/crypto/openssl/demos/sign/key.pem
% /usr/bin/openssl s_client -dtls1 -connect 127.0.0.1:8080

The two sides cannot communicate with each other using DTLS1. And sometimes, you will meet a SEGV. If you install 0.9.8g through ports (security/openssl) and use it, you will communicate correctly.
>Fix:
Upgrade to 0.9.8g or disable DTLS1 support.
>Release-Note:
>Audit-Trail:
>Unformatted:
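As an added triage aid (not part of the PR or of FreeBSD's tooling), the following POSIX sh function classifies an "openssl version" string against the report's claim that every 0.9.8 release before 0.9.8f carries the DTLS1 defect, so a host inventory can flag base-system builds like the 0.9.8e in 7.0-RELEASE. It assumes the usual "OpenSSL 0.9.8e 23 Feb 2007" output format; the sample strings below are constructed.

```shell
#!/bin/sh
# Added example, not from the PR. Exit status of dtls1_affected:
#   0 = 0.9.8 release before 0.9.8f (affected per misc/122479)
#   1 = not in scope (0.9.8f or later, or a different series)
#   2 = version string could not be parsed
dtls1_affected() {
    # second field of "OpenSSL 0.9.8e 23 Feb 2007" is the version token
    ver=$(printf '%s\n' "$1" | awk '/^OpenSSL/ { print $2 }')
    [ -n "$ver" ] || return 2
    # split "0.9.8e" into the numeric base and the patch-letter suffix
    base=$(printf '%s\n' "$ver" | sed 's/[a-z]*$//')
    letter=$(printf '%s\n' "$ver" | sed 's/^[0-9.]*//')
    case "$base" in
        0.9.8) ;;          # only the 0.9.8 series is covered by the report
        *) return 1 ;;
    esac
    case "$letter" in
        ''|[a-e]) return 0 ;;   # plain 0.9.8 and 0.9.8a..0.9.8e predate the fix
        [f-z]*)   return 1 ;;   # 0.9.8f, 0.9.8g, ... (also two-letter 0.9.8za etc.)
        *)        return 2 ;;   # unexpected suffix, e.g. a vendor tag
    esac
}

# Convenience wrapper for the live binary; only meaningful where openssl exists.
check_installed_openssl() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 2; }
    out=$(openssl version)
    if dtls1_affected "$out"; then
        echo "AFFECTED: $out (upgrade to 0.9.8g or disable DTLS1, per misc/122479)"
        return 0
    else
        echo "not affected by this report: $out"
        return 1
    fi
}
```

Run check_installed_openssl on each host to list the ones still on a pre-0.9.8f base-system OpenSSL.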