From: Paul Hoffman
To: John-Mark Gurney
Cc: freebsd-security@FreeBSD.org
Date: Sun, 7 Sep 2014 07:00:55 -0700
Subject: Re: deprecating old ciphers from OpenCrypto...

On Sep 5, 2014, at 3:25 PM, John-Mark Gurney wrote:

> Skipjack: already removed by OpenBSD and recommend not for use by NIST
> after 2010, key size is 80 bits

Yes, nuke.

> CAST: key size is 40 to 128 bits

CAST 128 is not weak. Having said that, it is also not used much, and has
minor (if any) value over AES-128. I can't tell from your message if you are
leaving CAST >128 in; if so, you should leave CAST 128 in as well. If CAST 128
is the max in the module, you can either remove all of CAST or leave CAST 128
in, it doesn't matter.

--Paul Hoffman


From: John-Mark Gurney
To: Paul Hoffman
Cc: freebsd-security@FreeBSD.org
Date: Sun, 7 Sep 2014 16:49:48 -0700
Subject: Re: deprecating old ciphers from OpenCrypto...

Paul Hoffman wrote this message on Sun, Sep 07, 2014 at 07:00 -0700:
> On Sep 5, 2014, at 3:25 PM, John-Mark Gurney wrote:
>
> > Skipjack: already removed by OpenBSD and recommend not for use by NIST
> > after 2010, key size is 80 bits
>
> Yes, nuke.
>
> > CAST: key size is 40 to 128 bits
>
> CAST 128 is not weak. Having said that, it is also not used much, and has
> minor (if any) value over AES-128. I can't tell from your message if you are
> leaving CAST >128 in; if so, you should leave CAST 128 in as well. If CAST 128
> is the max in the module, you can either remove all of CAST or leave CAST 128
> in, it doesn't matter.

True about the CAST 128 not being weak... Our implementation maxes out
at 128bits, so I can't see a good reason to leave just 128bit CAST in,
so, I plan to remove CAST entirely...

Ahh, I just read a bit more on CAST, our implementation is CAST-128
which has a 64 bit block size, if we want to support CAST >128bit, we'd
need to implement CAST-256 which is a different algorithm, as it uses a
block size of 128bits...

Also, the other thing I forgot to include is that it'll be around three
years before the first release of FreeBSD that will be w/o these
algorithms, which is the reason why I'm planning now...

--
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."


From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: freebsd-security@freebsd.org
Date: Tue, 9 Sep 2014 11:04:56 GMT
Subject: FreeBSD Security Advisory FreeBSD-SA-14:18.openssl

=============================================================================
FreeBSD-SA-14:18.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSL multiple vulnerabilities

Category:       contrib
Module:         openssl
Announced:      2014-09-09
Affects:        All supported versions of FreeBSD.
Corrected:      2014-08-07 21:04:42 UTC (stable/10, 10.0-STABLE)
                2014-09-09 10:09:46 UTC (releng/10.0, 10.0-RELEASE-p8)
                2014-08-07 21:06:34 UTC (stable/9, 9.3-STABLE)
                2014-09-09 10:13:46 UTC (releng/9.3, 9.3-RELEASE-p1)
                2014-09-09 10:13:46 UTC (releng/9.2, 9.2-RELEASE-p11)
                2014-09-09 10:13:46 UTC (releng/9.1, 9.1-RELEASE-p18)
                2014-08-07 21:06:34 UTC (stable/8, 8.4-STABLE)
                2014-09-09 10:13:46 UTC (releng/8.4, 8.4-RELEASE-p15)
CVE Name:       CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3510,
                CVE-2014-3509, CVE-2014-3511, CVE-2014-3512, CVE-2014-5139

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

II.  Problem Description

The receipt of a specifically crafted DTLS handshake message may cause OpenSSL
to consume large amounts of memory. [CVE-2014-3506]

The receipt of a specifically crafted DTLS packet could cause OpenSSL to leak
memory. [CVE-2014-3507]

A flaw in OBJ_obj2txt may cause pretty printing functions such as
X509_name_oneline, X509_name_print_ex et al. to leak some information from
the stack. [CVE-2014-3508]

OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject to
a denial of service attack. [CVE-2014-3510]

The following problems affect FreeBSD 10.0-RELEASE and later:

If a multithreaded client connects to a malicious server using a resumed
session and the server sends an ec point format extension it could write
up to 255 bytes to freed memory. [CVE-2014-3509]

A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
TLS 1.0 instead of higher protocol versions when the ClientHello message
is badly fragmented. [CVE-2014-3511]

A malicious client or server can send invalid SRP parameters and overrun
an internal buffer. [CVE-2014-3512]

A malicious server can crash the client with a NULL pointer dereference by
specifying a SRP ciphersuite even though it was not properly negotiated
with the client. [CVE-2014-5139]

III. Impact

A remote attacker may be able to cause a denial of service (application
crash, large memory consumption), obtain additional information,
cause protocol downgrade. Additionally, a remote attacker may be able
to run arbitrary code on a vulnerable system if the application has been
set up for SRP.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.0]
# fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch
# fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch.asc
# gpg --verify openssl-10.0.patch.asc

[FreeBSD 9.3]
# fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-9.3.patch
# fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-9.3.patch.asc
# gpg --verify openssl-9.3.patch.asc

[FreeBSD 9.2, 9.1, 8.4]
# fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-9.patch
# fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-9.patch.asc
# gpg --verify openssl-9.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart all daemons using the library, or reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/8/                                                         r269687
releng/8.4/                                                       r271305
stable/9/                                                         r269687
releng/9.1/                                                       r271305
releng/9.2/                                                       r271305
releng/9.3/                                                       r271305
stable/10/                                                        r269686
releng/10.0/                                                      r271304
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at


From: Zoran Kolic
To: freebsd-security@freebsd.org
Date: Tue, 9 Sep 2014 17:18:23 +0200
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:18.openssl

I used freebsd-update way on 9.3 amd64.
It took 14 patches and 1 second to do the job. Now,
I cannot see any difference. Only using fetch again,
it says "No updates needed to update system to
9.3-RELEASE-p1".
How could I see that p1? I did not recompile the
kernel, as it was not mentioned in advisory.
Best regards

                      Zoran


From: Benjamin Kaduk
To: Zoran Kolic
Cc: freebsd-security@freebsd.org
Date: Tue, 9 Sep 2014 15:47:50 -0400 (EDT)
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:18.openssl

On Tue, 9 Sep 2014, Zoran Kolic wrote:

> I used freebsd-update way on 9.3 amd64.
> It took 14 patches and 1 second to do the job. Now,
> I cannot see any difference. Only using fetch again,
> it says "No updates needed to update system to
> 9.3-RELEASE-p1".
> How could I see that p1? I did not recompile the
> kernel, as it was not mentioned in advisory.

This is known behavior; the -pN will not change unless the kernel is
updated by freebsd-update. If fetch says "no updates needed", listen to
it.

-Ben


From: gabor@zahemszky.hu
Date: Wed, 10 Sep 2014 06:10:18 +0200
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:18.openssl

On 2014-09-09 21:47, Benjamin Kaduk wrote:
> On Tue, 9 Sep 2014, Zoran Kolic wrote:
>
>> I used freebsd-update way on 9.3 amd64.
>> It took 14 patches and 1 second to do the job. Now,
>> I cannot see any difference. Only using fetch again,
>> it says "No updates needed to update system to
>> 9.3-RELEASE-p1".
>> How could I see that p1? I did not recompile the
>> kernel, as it was not mentioned in advisory.
>
> This is known behavior; the -pN will not change unless the kernel is
> updated by freebsd-update. If fetch says "no updates needed", listen to
> it.

$ freebsd-version -k    # means: kernel
10.0-RELEASE-p7
$ freebsd-version -u    # means: userland
10.0-RELEASE-p8
$ freebsd-version       # no option means: userland
10.0-RELEASE-p8

Bye,
Gábor
< Gabor at Zahemszky dot HU >


From: Zoran Kolic
To: freebsd-security@freebsd.org
Date: Wed, 10 Sep 2014 17:56:11 +0200
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:18.openssl

> $ freebsd-version -k    # means: kernel
> 10.0-RELEASE-p7
> $ freebsd-version -u    # means: userland
> 10.0-RELEASE-p8
> $ freebsd-version       # no option means: userland
> 10.0-RELEASE-p8

I have no freebsd-version on 9.3. Something on 10 only?
Uname has -K and -U, but it is not it.
Best regards

                        Zoran
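

Added example, not part of the thread or of the advisory: a POSIX sh check that compares a userland version string (the form `freebsd-version -u` prints in Gábor's message) with the RELEASE patch levels in the advisory's "Corrected:" field, and reports the kernel string beside it because, as Benjamin explains, the kernel's -pN can lag. The function names are hypothetical; the sample strings are either copied from the messages above or constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): is a userland version string at or
# past the patch level FreeBSD-SA-14:18.openssl lists as corrected?

# Corrected RELEASE patch levels, copied from the advisory's "Corrected:" field.
sa1418_fixed_level() {
    case "$1" in
        10.0) echo 8 ;;
        9.3)  echo 1 ;;
        9.2)  echo 11 ;;
        9.1)  echo 18 ;;
        8.4)  echo 15 ;;
        *)    return 1 ;;      # release not listed in the advisory
    esac
}

# sa1418_status VERSION
# Prints one of: patched | needs-update | unknown
sa1418_status() {
    ver=$1
    case "$ver" in
        *-RELEASE-p*) rel=${ver%%-*}; plevel=${ver##*-p} ;;
        *-RELEASE)    rel=${ver%%-*}; plevel=0 ;;
        # -STABLE and anything else: the advisory gives correction dates and
        # revisions for those branches, not a -pN, so the string cannot decide.
        *)            echo unknown; return 0 ;;
    esac
    case "$plevel" in
        ''|*[!0-9]*) echo unknown; return 0 ;;   # malformed patch level
    esac
    fixed=$(sa1418_fixed_level "$rel") || { echo unknown; return 0; }
    if [ "$plevel" -ge "$fixed" ]; then
        echo patched
    else
        echo needs-update
    fi
}

# sa1418_report KERNEL_VERSION USERLAND_VERSION
# OpenSSL is a userland library, so only the userland string is compared; the
# kernel string is shown when it differs so the mismatch is not misread.
sa1418_report() {
    kern=$1
    user=$2
    status=$(sa1418_status "$user")
    if [ "$kern" != "$user" ]; then
        echo "$status (userland $user; kernel still reports $kern)"
    else
        echo "$status (userland $user)"
    fi
}

# Sample input: the first pair is the kernel/userland output quoted in the
# thread; the second pair is constructed for illustration.
sa1418_report 10.0-RELEASE-p7 10.0-RELEASE-p8
sa1418_report 9.3-RELEASE 9.3-RELEASE
```

The check only compares version strings against the advisory's table; it does not inspect the installed OpenSSL libraries.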