From owner-freebsd-security@freebsd.org Mon Nov 27 20:42:47 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5F4A7DE790F for ; Mon, 27 Nov 2017 20:42:47 +0000 (UTC) (envelope-from delphij@gmail.com) Received: from mail-it0-x233.google.com (mail-it0-x233.google.com [IPv6:2607:f8b0:4001:c0b::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 257FC636E1 for ; Mon, 27 Nov 2017 20:42:47 +0000 (UTC) (envelope-from delphij@gmail.com) Received: by mail-it0-x233.google.com with SMTP id n134so22773142itg.1 for ; Mon, 27 Nov 2017 12:42:47 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=tcWPf9ceFI6Z2lo3UkpauFYD0tiP9rMao7rAOycbcDg=; b=Rb/iJnvYpnmRln0GzmQ2LWwtg28JOJq+ZGW/YyB+7V7libRKdGr8YR5Kc50bEvJ0h+ MkVhoJDWXeSKWiNxQIHP0bZ2ePr8qWM8145qeyQBMuW0bSYsW+ZTxc6J2V4b5gWRn0vK G57ETymLrCGooItzCqGarf/BU7sIy3ARmQ4EEI+kwWMB/CU7fPHoHf3DRTWwvSKXRGOI jrJsD8MFq1K6USs4AFeAQJYW6rbhlNtYnrbm3Q2qxeauq8nDLevaC1X2HR3UYqh1AWdn hgLUOvXz+SXLZBO3Is8aOO5Yf8nQgM8WkwnONZ7u8ZFTbcNZCrL1me02orTdngCFJcoj rdjw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=tcWPf9ceFI6Z2lo3UkpauFYD0tiP9rMao7rAOycbcDg=; b=Vt4wgqc7a8Z40hiz8DoB4SN2wB2D04tuxFeJIQp4XUASwgrcWikZ8159tXAcuJfk2T aPGud1YgmXyU4z+nxrtHeU/8UX5P4QrYKz3bgEz6VMiaJtx8z+sx6oQ7HCPigcCQnJMz MCiPiBk1PP9y7GKMB9TvNYlVf/oJzLV3WhC8Cr8YZms4s0u/8WKMvRWjrI6IUJPie2Lb q1dFixIcv8KNBuKVKN5H+PkY9rMCPepcR1aXNGlEY1XnCOa/3ZrpxU23ih8DAJCN3B1E 21Vrx94Ed7pIrZIvxSQhDbH595GHfKxGHpLsH+K9QquApvgvRNoGscEfS+qr8umwYaF7 4K3A== X-Gm-Message-State: AJaThX5ZJBQcMCTOSDj5CBr4fn9aEcR2DOiAQrYwRE6EZ5eCScoYj+0a vG8hpK6EjaWOeXnsVQM1ce4gQ20XDRejwatVvS2Ldw== X-Google-Smtp-Source: AGs4zMZ3uJMkMlnUuyN9lt5hDrCUbO1vZsRN0eF/zlOF9qiemGqMjxfygae38YXojveCqQCCd8Tl2n0fcXzVrioLPIA= X-Received: by 10.36.115.133 with SMTP id y127mr31603896itb.83.1511815366205; Mon, 27 Nov 2017 12:42:46 -0800 (PST) MIME-Version: 1.0 Received: by 10.79.36.10 with HTTP; Mon, 27 Nov 2017 12:42:45 -0800 (PST) In-Reply-To: <5ACFF7B8-460E-473F-ADA0-D9200587FC55@lastsummer.de> References: <5ACFF7B8-460E-473F-ADA0-D9200587FC55@lastsummer.de> From: Xin LI Date: Mon, 27 Nov 2017 12:42:45 -0800 Message-ID: Subject: Re: freebsd-update EoL "warning" prevents installing latest SAs To: Franco Fichtner Cc: User , freebsd-security Content-Type: text/plain; charset="UTF-8" X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 Nov 2017 20:42:47 -0000 We will soon (this Tuesday) issue another SA that would be used as a vehicle to deliver a new EoL date to 11.0, but since it's EoL is really close, please consider upgrading to 11.1-RELEASE at your earliest convenience. On Mon, Nov 20, 2017 at 10:36 PM, Franco Fichtner wrote: > >> On 21. Nov 2017, at 7:31 AM, User wrote: >> >> The updates install fine here even if the eol warning is showing. The uname >> only updates if the kernel updates for patch levels. > > I find that hard to believe unless there is a caching issue with > the EoL date, the return clearly uses "1" which means fail in > the fetch phase. > > Ah, but then again this is more likely a side effect of using: > > # freebsd-update fetch install > > In any case, fetch should now fail if it fetched updates... > > > Cheers, > Franco > _______________________________________________ > freebsd-security@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" From owner-freebsd-security@freebsd.org Tue Nov 28 08:08:37 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 61595DFD243 for ; Tue, 28 Nov 2017 08:08:37 +0000 (UTC) (envelope-from franco@lastsummer.de) Received: from host64.shmhost.net (host64.shmhost.net [213.239.241.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 25B077AA61 for ; Tue, 28 Nov 2017 08:08:36 +0000 (UTC) (envelope-from franco@lastsummer.de) Received: from [10.41.201.18] (fwext.boll.ch [194.191.86.3]) by host64.shmhost.net (Postfix) with ESMTPSA id 4704C15FD28; Tue, 28 Nov 2017 09:08:28 +0100 (CET) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\)) Subject: Re: freebsd-update EoL "warning" prevents installing latest SAs From: Franco Fichtner In-Reply-To: Date: Tue, 28 Nov 2017 09:08:27 +0100 Cc: User , freebsd-security Content-Transfer-Encoding: 7bit Message-Id: <53AFA488-6CD7-4273-BDC9-09137AAB6A91@lastsummer.de> References: <5ACFF7B8-460E-473F-ADA0-D9200587FC55@lastsummer.de> To: Xin LI X-Mailer: Apple Mail (2.3273) X-Virus-Scanned: clamav-milter 0.99.2 at host64.shmhost.net X-Virus-Status: Clean X-Spam-Flag: NO X-Spam-Score: -1.0 X-Spam-Status: No score=-1.0 tagged_above=10.0 required=10.0 tests=[ALL_TRUSTED] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Nov 2017 08:08:37 -0000 > On 27. Nov 2017, at 9:42 PM, Xin LI wrote: > > We will soon (this Tuesday) issue another SA that would be used as a > vehicle to deliver a new EoL date to 11.0, but since it's EoL is > really close, please consider upgrading to 11.1-RELEASE at your > earliest convenience. For vendors the model "3 months and move" on is not really an option, but that is besides the point here. It's not even that EoL is upon us. It's that fetching updates for a system that still has updates but ran into EoL before fetching those updates will inevitably indicate a failure during fetch: # freebsd-update fetch && freebsd-update install # freebsd-update fetch install This will not work, even though updates are fetched / pending. In contrast, this works fine: # freebsd-update fetch; freebsd-update install I don't know how this is useful for scripting if we are supposed to check errors, but in this case can't check for errors because we require available updates to be installed. Cheers, Franco From owner-freebsd-security@freebsd.org Wed Nov 29 06:16:00 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 00774DF9A76 for ; Wed, 29 Nov 2017 06:16:00 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id D720F67096; Wed, 29 Nov 2017 06:15:59 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 1035) id 38CB8C999; Wed, 29 Nov 2017 06:15:59 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-17:11.openssl Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20171129061559.38CB8C999@freefall.freebsd.org> Date: Wed, 29 Nov 2017 06:15:59 +0000 (UTC) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 Nov 2017 06:16:00 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-17:11.openssl Security Advisory The FreeBSD Project Topic: OpenSSL multiple vulnerabilities Category: contrib Module: openssl Announced: 2017-11-29 Affects: All supported versions of FreeBSD. Corrected: 2017-11-02 18:30:41 UTC (stable/11, 11.1-STABLE) 2017-11-29 05:59:12 UTC (releng/11.1, 11.1-RELEASE-p5) 2017-11-29 05:59:12 UTC (releng/11.0, 11.0-RELEASE-p16) 2017-11-29 05:35:28 UTC (stable/10, 10.4-STABLE) 2017-11-29 05:59:50 UTC (releng/10.4, 10.4-RELEASE-p4) 2017-11-29 05:59:50 UTC (releng/10.3, 10.3-RELEASE-p25) CVE Name: CVE-2017-3735, CVE-2017-3736 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured Open Source toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a full-strength general purpose cryptography library. II. Problem Description If an X.509 certificate has a malformed IPAddressFamily extension, OpenSSL could do a one-byte buffer overread. [CVE-2017-3735] There is a carry propagating bug in the x86_64 Montgomery squaring procedure. This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen. [CVE-2017-3736] This bug only affects FreeBSD 11.x. III. Impact Application using OpenSSL may display erroneous certificate in text format. [CVE-2017-3735] Mishandling of carry propagation will produce incorrect output, and make it easier for a remote attacker to obtain sensitive private-key information. No EC algorithms are affected, analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. [CVE-2017-3736] IV. Workaround No workaround is available. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Restart all daemons that use the library, or reboot the system. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Restart all daemons that use the library, or reboot the system. 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 10.3] # fetch https://security.FreeBSD.org/patches/SA-17:11/openssl-10.patch # fetch https://security.FreeBSD.org/patches/SA-17:11/openssl-10.patch.asc # gpg --verify openssl-10.patch.asc [FreeBSD 11.x] # fetch https://security.FreeBSD.org/patches/SA-17:11/openssl.patch # fetch https://security.FreeBSD.org/patches/SA-17:11/openssl.patch.asc # gpg --verify openssl.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart all daemons that use the library, or reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/10/ r326357 releng/10.3/ r326359 releng/10.4/ r326359 stable/11/ r325337 releng/11.0/ r326358 releng/11.1/ r326358 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.2.3 (FreeBSD) iQIzBAEBCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAloeTmQACgkQ7Wfs1l3P aueQNRAAzUxb6H1JAgmgCRUKzN00FunkUNygvcvJRL9jK6h1TRCGvKk/jhdmakqZ r/x7zjWSWBh3oBg6V3egTRIMcpSDmjKIkf/H/q9eeSlQKfHR5MVadCedghy1nq3c XmpDlKyLp1zuy8gzkJNQCiIqn9BvxBRaUCzPJKFlpmgQwZStZvqpxUScJOX3X4ZC tjlF3kaBE/9IKX8p8vulWWM+vXwsDxVKRulUeFAL75eIwo9YWva1hsUBLruKo1xg CgWPJ4AXa9PL8WdJsYFkOA9R9wqBs1q6A+zuUQQJw5qQnQdg/rMchKsdS8I/dV7F 01qYYfM25q109pnNFEhIZNsZ4mIbBpW0hxzTwaq6f8bd8+7JuP3mH2xFHxIfNUzp jrK1DSn/kOGf0Dun8mrBAsO4y+3F92GbqOHdUzPnTAtHOHwmjIY3ljsbHnTNtUxm 44X2O+6XIGmzUxQMOFqAfe8wRkBhIGMcEpY4NTW6g8hPJBk1o0dQgtDLpg6i+Wj/ p+jDSNgkD4aFzsMoGc1kYsIT7qVBqn8jBydIUyrY5wQMNC+15+cDoF2QwKjGIU2H yWEjaec2dY6YtakMiQV8U0WPRSEj18lrSs7L9uizZSS0UHquP/xY8b6yFrBPvwXQ gVS3ZVKLOvCgGvl9MsJzB/FAR2jdOZdz6QzWchyG0PVZQVCPjBQ= =9Q78 -----END PGP SIGNATURE----- From owner-freebsd-security@freebsd.org Wed Nov 29 07:38:05 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B9001DFBCA1 for ; Wed, 29 Nov 2017 07:38:05 +0000 (UTC) (envelope-from franco@lastsummer.de) Received: from host64.shmhost.net (host64.shmhost.net [213.239.241.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 5B7F669A95 for ; Wed, 29 Nov 2017 07:38:04 +0000 (UTC) (envelope-from franco@lastsummer.de) Received: from [10.41.201.18] (fwext.boll.ch [194.191.86.3]) by host64.shmhost.net (Postfix) with ESMTPSA id 36A4616CFA1 for ; Wed, 29 Nov 2017 08:38:01 +0100 (CET) From: Franco Fichtner Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\)) Subject: Re: FreeBSD Security Advisory FreeBSD-SA-17:11.openssl Date: Wed, 29 Nov 2017 08:38:01 +0100 References: <20171129061559.38CB8C999@freefall.freebsd.org> To: freebsd-security@freebsd.org In-Reply-To: <20171129061559.38CB8C999@freefall.freebsd.org> Message-Id: <3855CF30-0FD4-4F8C-9349-3CA7BEE3E460@lastsummer.de> X-Mailer: Apple Mail (2.3273) X-Virus-Scanned: clamav-milter 0.99.2 at host64.shmhost.net X-Virus-Status: Clean X-Spam-Flag: NO X-Spam-Score: -1.0 X-Spam-Status: No score=-1.0 tagged_above=10.0 required=10.0 tests=[ALL_TRUSTED] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 Nov 2017 07:38:05 -0000 Hi, releng/11.1 is missing the bump to p5 patch level in sys/conf/newvers.sh Cheers, Franco > On 29. Nov 2017, at 7:15 AM, FreeBSD Security Advisories = wrote: >=20 > Signed PGP part > = =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D > FreeBSD-SA-17:11.openssl Security = Advisory > The FreeBSD = Project >=20 > Topic: OpenSSL multiple vulnerabilities >=20 > Category: contrib > Module: openssl > Announced: 2017-11-29 > Affects: All supported versions of FreeBSD. > Corrected: 2017-11-02 18:30:41 UTC (stable/11, 11.1-STABLE) > 2017-11-29 05:59:12 UTC (releng/11.1, 11.1-RELEASE-p5) > 2017-11-29 05:59:12 UTC (releng/11.0, = 11.0-RELEASE-p16) > 2017-11-29 05:35:28 UTC (stable/10, 10.4-STABLE) > 2017-11-29 05:59:50 UTC (releng/10.4, 10.4-RELEASE-p4) > 2017-11-29 05:59:50 UTC (releng/10.3, = 10.3-RELEASE-p25) > CVE Name: CVE-2017-3735, CVE-2017-3736 >=20 > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit . >=20 > I. Background >=20 > FreeBSD includes software from the OpenSSL Project. The OpenSSL = Project is > a collaborative effort to develop a robust, commercial-grade, = full-featured > Open Source toolkit for the Transport Layer Security (TLS) and Secure = Sockets > Layer (SSL) protocols. It is also a full-strength general purpose > cryptography library. >=20 > II. Problem Description >=20 > If an X.509 certificate has a malformed IPAddressFamily extension, = OpenSSL > could do a one-byte buffer overread. [CVE-2017-3735] >=20 > There is a carry propagating bug in the x86_64 Montgomery squaring = procedure. > This only affects processors that support the BMI1, BMI2 and ADX = extensions > like Intel Broadwell (5th generation) and later or AMD Ryzen. = [CVE-2017-3736] > This bug only affects FreeBSD 11.x. >=20 > III. Impact >=20 > Application using OpenSSL may display erroneous certificate in text = format. > [CVE-2017-3735] >=20 > Mishandling of carry propagation will produce incorrect output, and = make it > easier for a remote attacker to obtain sensitive private-key = information. > No EC algorithms are affected, analysis suggests that attacks against = RSA > and DSA as a result of this defect would be very difficult to perform = and > are not believed likely. >=20 > Attacks against DH are considered just feasible (although very = difficult) > because most of the work necessary to deduce information about a = private > key may be performed offline. The amount of resources required for = such > an attack would be very significant and likely only accessible to a = limited > number of attackers. An attacker would additionally need online access = to > an unpatched system using the target private key in a scenario with > persistent DH parameters and a private key that is shared between = multiple > clients. [CVE-2017-3736] >=20 > IV. Workaround >=20 > No workaround is available. >=20 > V. Solution >=20 > Perform one of the following: >=20 > 1) Upgrade your vulnerable system to a supported FreeBSD stable or > release / security branch (releng) dated after the correction date. >=20 > Restart all daemons that use the library, or reboot the system. >=20 > 2) To update your vulnerable system via a binary patch: >=20 > Systems running a RELEASE version of FreeBSD on the i386 or amd64 > platforms can be updated via the freebsd-update(8) utility: >=20 > # freebsd-update fetch > # freebsd-update install >=20 > Restart all daemons that use the library, or reboot the system. >=20 > 3) To update your vulnerable system via a source code patch: >=20 > The following patches have been verified to apply to the applicable > FreeBSD release branches. >=20 > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. >=20 > [FreeBSD 10.3] > # fetch https://security.FreeBSD.org/patches/SA-17:11/openssl-10.patch > # fetch = https://security.FreeBSD.org/patches/SA-17:11/openssl-10.patch.asc > # gpg --verify openssl-10.patch.asc >=20 > [FreeBSD 11.x] > # fetch https://security.FreeBSD.org/patches/SA-17:11/openssl.patch > # fetch = https://security.FreeBSD.org/patches/SA-17:11/openssl.patch.asc > # gpg --verify openssl.patch.asc >=20 > b) Apply the patch. Execute the following commands as root: >=20 > # cd /usr/src > # patch < /path/to/patch >=20 > c) Recompile the operating system using buildworld and installworld as > described in . >=20 > Restart all daemons that use the library, or reboot the system. >=20 > VI. Correction details >=20 > The following list contains the correction revision numbers for each > affected branch. >=20 > Branch/path = Revision > = ------------------------------------------------------------------------- > stable/10/ = r326357 > releng/10.3/ = r326359 > releng/10.4/ = r326359 > stable/11/ = r325337 > releng/11.0/ = r326358 > releng/11.1/ = r326358 > = ------------------------------------------------------------------------- >=20 > To see which files were modified by a particular revision, run the > following command, replacing NNNNNN with the revision number, on a > machine with Subversion installed: >=20 > # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base >=20 > Or visit the following URL, replacing NNNNNN with the revision number: >=20 > >=20 > VII. References >=20 > >=20 > >=20 > >=20 > The latest revision of this advisory is available at > = = >=20 > _______________________________________________ > freebsd-security@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to = "freebsd-security-unsubscribe@freebsd.org" From owner-freebsd-security@freebsd.org Wed Nov 29 16:33:56 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 54164E5D5A6 for ; Wed, 29 Nov 2017 16:33:56 +0000 (UTC) (envelope-from list_freebsd@bluerosetech.com) Received: from echo.brtsvcs.net (echo.brtsvcs.net [IPv6:2607:f740:c::4ae]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 422117B415 for ; Wed, 29 Nov 2017 16:33:56 +0000 (UTC) (envelope-from list_freebsd@bluerosetech.com) Received: from chombo.houseloki.net (unknown [IPv6:2601:1c2:1402:1770:21c:c0ff:fe7f:96ee]) by echo.brtsvcs.net (Postfix) with ESMTPS id D1C8A38D05 for ; Wed, 29 Nov 2017 08:33:55 -0800 (PST) Received: from [IPv6:fe80::4055:e8ed:3d40:2f96] (unknown [IPv6:fe80::4055:e8ed:3d40:2f96]) by chombo.houseloki.net (Postfix) with ESMTPSA id 1B7CB41D for ; Wed, 29 Nov 2017 08:33:55 -0800 (PST) From: Mel Pilgrim Subject: Re: FreeBSD Security Advisory FreeBSD-SA-17:11.openssl To: freebsd-security@freebsd.org References: <20171129061559.38CB8C999@freefall.freebsd.org> Message-ID: <3ec759d2-209b-a4c1-b001-6bfca3cdb9cb@bluerosetech.com> Date: Wed, 29 Nov 2017 08:33:53 -0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0 MIME-Version: 1.0 In-Reply-To: <20171129061559.38CB8C999@freefall.freebsd.org> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Wed, 29 Nov 2017 17:11:11 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 Nov 2017 16:33:56 -0000 On 2017-11-28 22:15, FreeBSD Security Advisories wrote: > Corrected: 2017-11-02 18:30:41 UTC (stable/11, 11.1-STABLE) > 2017-11-29 05:59:12 UTC (releng/11.1, 11.1-RELEASE-p5) > 2017-11-29 05:59:12 UTC (releng/11.0, 11.0-RELEASE-p16) 27 days to merge from stable is a long time. What the was cause of the delay? From owner-freebsd-security@freebsd.org Wed Nov 29 17:51:25 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 74067E5F269 for ; Wed, 29 Nov 2017 17:51:25 +0000 (UTC) (envelope-from yz@yz.kiev.ua) Received: from nb.yz.kiev.ua (nb.yz.kiev.ua [92.63.99.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 2EC727E573 for ; Wed, 29 Nov 2017 17:51:23 +0000 (UTC) (envelope-from yz@yz.kiev.ua) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=yz.kiev.ua; s=dkim; h=In-Reply-To:Content-Type:MIME-Version:References:Message-ID: Subject:To:From:Date:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=dzdktgvIXMQQCjdn8cOMSrGvdTQG8ahj86bsl0KWy9c=; b=DCTSgr4yRVXJTDKbV9mt0rj4DG IcR+p/QPFWJRP8AH7J8oGKpm/ipdeIiawWR5MZ8Pq/uiVkNZ7UQWqEcxsZl7tl/W0aY12zsaUFXB6 2SfLX/K9HXPzDsdzAR3bP4z3/Kkx8SPqaw/5z9TL6Nbko81ABngK+DtyyTwLMAOPXfvI=; Received: from yz by nb.yz.kiev.ua with local (Exim 4.89 (FreeBSD)) (envelope-from ) id 1eK6Vr-0008CN-FE for freebsd-security@freebsd.org; Wed, 29 Nov 2017 19:51:11 +0200 Date: Wed, 29 Nov 2017 19:51:11 +0200 From: "George L. Yermulnik" To: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-17:11.openssl Message-ID: <20171129175111.GE9006@yz.kiev.ua> References: <20171129061559.3E4FCC99B@freefall.freebsd.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20171129061559.3E4FCC99B@freefall.freebsd.org> Organization: Earth, Europe, Ukraine, Kiev X-Yz-Mark: yz@nb 20171129 19:48:38 User-Agent: Mutt/1.9.1 (2017-09-22) X-Mailman-Approved-At: Wed, 29 Nov 2017 17:57:18 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 Nov 2017 17:51:25 -0000 Hello! On Wed, 29 Nov 2017 at 06:15:59 (+0000), FreeBSD Security Advisories wrote: [...] > 3) To update your vulnerable system via a source code patch: > The following patches have been verified to apply to the applicable > FreeBSD release branches. > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. > [FreeBSD 10.3] > # fetch https://security.FreeBSD.org/patches/SA-17:11/openssl-10.patch > # fetch https://security.FreeBSD.org/patches/SA-17:11/openssl-10.patch.asc > # gpg --verify openssl-10.patch.asc [...] Is the patch above is indeed FreeBSD_10.3_specific as it might be considered according to the block name ("[FreeBSD 10.3]")? Would it apply cleanly on 10.4? -- George L. Yermulnik [YZ-RIPE] From owner-freebsd-security@freebsd.org Wed Nov 29 18:36:39 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6197AE653FE for ; Wed, 29 Nov 2017 18:36:39 +0000 (UTC) (envelope-from delphij@gmail.com) Received: from mail-io0-x22c.google.com (mail-io0-x22c.google.com [IPv6:2607:f8b0:4001:c06::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 24C7B7FE52 for ; Wed, 29 Nov 2017 18:36:39 +0000 (UTC) (envelope-from delphij@gmail.com) Received: by mail-io0-x22c.google.com with SMTP id w127so4703525iow.11 for ; Wed, 29 Nov 2017 10:36:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=7t+bGkGZ/InlgWcQ5JmPXO6+SJ1Wps1leOaFFm4uRhA=; b=Ycnf8GRh3rMTQHUDgTXZFvSuO183Cf/sCU9hvkRrm9F9DXEYsu78U1gCE3iVZE5RDe ZmjXlkY4A/y9nmUTd0W1YvMor5GqnIml+Q/NWoeDKP+kt+MNFZHjBc+zNnS/vRE0vdsQ w8c7m1D5b8C7Mmw04tIwe+TrtbNUhS4UtBMagO4A/JyAHMSJGemT9bJYhUGMZC/qzvSx BOeV8m9dRpvz9A6uOXaYRrIcyNHGtJY2o2zmdXFp+lbWJZGvEHvetLCAh0jF0U1fs0tQ e3ux7XjxeSZ/UCgAXwz5EBDqTs1kfewsv39lxdI6qH+KVEHRtSulZ2QyUTW4dLnd9VOu yKeA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=7t+bGkGZ/InlgWcQ5JmPXO6+SJ1Wps1leOaFFm4uRhA=; b=RuIKsNgL7FH9jQNC69nSJq5KdgsfhnXQ5a/EP9ctyE+870LfB59OOIGkT4m+/cMPy1 KwCEwEB4GutF+gOMZifz/FmEDWeg12ASJE6me8ZzjXgAndReZVOOyG9ToOMIuOxLOltS f2Y96G8Yj6D+HhIVO29IGEK59z1l2o9SG5Hm4xQGTQpaLkH3eB76Qi86D7kW4IiEpExA D+TJqO01CjihzQtZF7/fy7h+LS+4Shv6EMqG3kmBX+uZ+C4EjnEL3I3v+DPWsJtYdKio BbZaa0jD5AlSZhUaC41I5TuhktPAHHMOuhKB3Bat8Yewlbzo9iV/Bh4jZAp8LBv+1s+f SnTA== X-Gm-Message-State: AJaThX6b+ZTMqydqENgGt68xD9jZ4zjA3k80L+v9B7PERDdZPMDNeHy6 HY7FM0w0uhsYnVJ647dx3RwUbaIrHWE+FuPsSmiqlw== X-Google-Smtp-Source: AGs4zMblfrlCFcLbYaPhifOhTnuveQEzQU8Xw/lVGA1oUUC9WGNjZ1JVaU2V5r+E2HaAtQUsc2SeB/JnqvOwvS/yetI= X-Received: by 10.107.137.82 with SMTP id l79mr4402357iod.271.1511980598198; Wed, 29 Nov 2017 10:36:38 -0800 (PST) MIME-Version: 1.0 Received: by 10.79.36.10 with HTTP; Wed, 29 Nov 2017 10:36:37 -0800 (PST) In-Reply-To: <20171129175111.GE9006@yz.kiev.ua> References: <20171129061559.3E4FCC99B@freefall.freebsd.org> <20171129175111.GE9006@yz.kiev.ua> From: Xin LI Date: Wed, 29 Nov 2017 10:36:37 -0800 Message-ID: Subject: Re: FreeBSD Security Advisory FreeBSD-SA-17:11.openssl To: "George L. Yermulnik" Cc: "freebsd-security@freebsd.org" Content-Type: text/plain; charset="UTF-8" X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 Nov 2017 18:36:39 -0000 On Wed, Nov 29, 2017 at 9:51 AM, George L. Yermulnik wrote: > Hello! > > On Wed, 29 Nov 2017 at 06:15:59 (+0000), FreeBSD Security Advisories wrote: > > [...] >> 3) To update your vulnerable system via a source code patch: > >> The following patches have been verified to apply to the applicable >> FreeBSD release branches. > >> a) Download the relevant patch from the location below, and verify the >> detached PGP signature using your PGP utility. > >> [FreeBSD 10.3] >> # fetch https://security.FreeBSD.org/patches/SA-17:11/openssl-10.patch >> # fetch https://security.FreeBSD.org/patches/SA-17:11/openssl-10.patch.asc >> # gpg --verify openssl-10.patch.asc > [...] > > Is the patch above is indeed FreeBSD_10.3_specific as it might be > considered according to the block name ("[FreeBSD 10.3]")? > Would it apply cleanly on 10.4? Yes it would apply cleanly on 10.4.