From owner-freebsd-security@freebsd.org Wed Dec 9 05:58:59 2020
From: "Hartmann, O." <ohartmann@walstatt.org>
To: freebsd-security@freebsd.org
Cc: freebsd-current@freebsd.org
Subject: AMNESIA:33 and FreeBSD TCP/IP stack involvement
Date: Wed, 9 Dec 2020 06:58:49 +0100
Message-ID: <20201209065849.47a51561@hermann.fritz.box>
Organization: walstatt.org

Hello,

I've got a question about recently discovered serious vulnerabilities in
certain TCP stack implementations, designated as AMNESIA:33 (as far as I
could follow the recently made announcements and statements, please see,
for instance,
https://www.zdnet.com/article/amnesia33-vulnerabilities-impact-millions-of-smart-and-industrial-devices/).

All mentioned open-source TCP stacks seem not to be related in any way
with FreeBSD or any derivative of the FreeBSD project, but I do not dare
to make a statement about that.

My question is very simple and aims towards calming down my employees'
requests: is FreeBSD potentially vulnerable to this newly discovered flaw
(we use mainly 12.1-RELENG, 12.2-RELENG, 12-STABLE and 13-CURRENT, latest
incarnations, of course, should be least vulnerable ...).

Thanks in advance,

O. Hartmann

From owner-freebsd-security@freebsd.org Wed Dec 9 15:29:42 2020
From: "Wall, Stephen" <stephen.wall@redcom.com>
To: FreeBSD Security Advisories <security-advisories@freebsd.org>,
    freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:32.rtsold
Date: Wed, 9 Dec 2020 15:29:39 +0000
In-Reply-To: <20201201204625.8DE8D19E9C@freefall.freebsd.org>

Regarding FreeBSD-SA-20:32.rtsold, does this line indicate that the
messages must come from directly connected equipment, or could it come
through a hub or router as well?

> Note that rtsold(8) only processes messages received from hosts attached
> to the same physical link as the interface(s) on which rtsold(8) is
> listening.

Thank you.

From owner-freebsd-security@freebsd.org Wed Dec 9 15:45:17 2020
From: "Wall, Stephen" <stephen.wall@redcom.com>
To: FreeBSD Security Advisories <security-advisories@freebsd.org>,
    freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:31.icmp6
Date: Wed, 9 Dec 2020 15:45:13 +0000
In-Reply-To: <20201201204619.F3A3B19D2F@freefall.freebsd.org>

This advisory states "Systems with IPv6 disabled are not affected."  What
constitutes disabling IPv6 in this context?  Would it require disabling it
when building the kernel, or is `ipv6_enable="NO"` in `rc.conf` sufficient?

Thank you.
From owner-freebsd-security@freebsd.org Wed Dec 9 23:03:00 2020
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories <security-advisories@freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
Reply-To: freebsd-security@freebsd.org
Date: Wed, 9 Dec 2020 23:03:00 +0000 (UTC)
Message-Id: <20201209230300.03251CA1@freefall.freebsd.org>

=============================================================================
FreeBSD-SA-20:33.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSL NULL pointer de-reference

Category:       contrib
Module:         openssl
Announced:      2020-12-08
Affects:        All supported versions of FreeBSD.
Corrected:      2020-12-08 18:28:49 UTC (stable/12, 12.2-STABLE)
                2020-12-08 19:10:40 UTC (releng/12.2, 12.2-RELEASE-p2)
                2020-12-08 19:10:40 UTC (releng/12.1, 12.1-RELEASE-p12)
CVE Name:       CVE-2020-1971

Note: The OpenSSL project has published publicly available patches for
versions included in FreeBSD 12.x. This vulnerability is also known to
affect OpenSSL versions included in FreeBSD 11.4. However, the OpenSSL
project is only giving patches for that version to premium support
contract holders. The FreeBSD project does not have access to these
patches and recommends FreeBSD 11.4 users to either upgrade to FreeBSD
12.x or leverage up to date versions of OpenSSL in the ports/pkg system.
The FreeBSD Project may update this advisory to include FreeBSD 11.4
should patches become publicly available.

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project
is a collaborative effort to develop a robust, commercial-grade,
full-featured Open Source toolkit for the Transport Layer Security (TLS)
protocol. It is also a general-purpose cryptography library.

II.  Problem Description

The X.509 GeneralName type is a generic type for representing different
types of names. One of those name types is known as EDIPartyName. OpenSSL
provides a function GENERAL_NAME_cmp which compares different instances
of a GENERAL_NAME to see if they are equal or not. This function behaves
incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME.

III. Impact

An attacker who is able to control both items being compared can trigger
a NULL pointer dereference, and the resulting crash may lead to a denial
of service. As an example, if an attacker can trick a client or server
into checking a maliciously constructed certificate against a malicious
CRL, that could trigger the NULL dereference.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
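Before running the update procedure that follows, it helps to know whether a given host already carries this fix. The script below is an added example for this advisory; it is not part of the advisory or of FreeBSD. It classifies the userland patch level reported by `freebsd-version -u` against the corrected levels listed above (12.2-RELEASE-p2 and 12.1-RELEASE-p12), and separately classifies an upstream OpenSSL version string, as reported by a ports/pkg build of openssl(1), against the upstream releases that fixed CVE-2020-1971 (1.1.1i and 1.0.2x; these upstream version numbers are not stated in the advisory). Two caveats are built in: the base-system openssl(1) keeps reporting the upstream version it was imported from, with a -freebsd suffix, even after the base patch is applied, so for the base library only the patch level is meaningful; and -STABLE and -CURRENT hosts are reported as unknown because the advisory identifies the fix there by Subversion revision, not by patch level. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of FreeBSD-SA-20:33.openssl or of FreeBSD itself.
# Classifies a host against the fix for CVE-2020-1971 in two ways:
#   - base system: freebsd-version -u patch level vs. the advisory's
#     "Corrected" levels (12.2-RELEASE-p2, 12.1-RELEASE-p12);
#   - ports/pkg OpenSSL: upstream version vs. 1.1.1i / 1.0.2x (the
#     upstream fix releases; an assumption not stated in the advisory).

# sa2033_base_status VERSION
#   VERSION: output of `freebsd-version -u` (userland level; this is a
#   library fix, so the userland level is the one that matters).
#   Prints fixed | vulnerable | unknown.
sa2033_base_status() {
    ver=$1
    rel=${ver%-p*}              # 12.2-RELEASE-p2 -> 12.2-RELEASE
    plevel=${ver##*-p}          # 12.2-RELEASE-p2 -> 2
    if [ "$plevel" = "$ver" ]; then
        plevel=0                # no -pN suffix: the unpatched release
    fi
    # 11.4 has no public base patch per the advisory; -STABLE/-CURRENT are
    # identified by svn revision (r368459 on stable/12), not patch level.
    case "$rel" in
        12.2-RELEASE) need=2 ;;
        12.1-RELEASE) need=12 ;;
        *) echo unknown; return 0 ;;
    esac
    case "$plevel" in
        ''|*[!0-9]*) echo unknown; return 0 ;;   # malformed suffix
    esac
    if [ "$plevel" -ge "$need" ]; then echo fixed; else echo vulnerable; fi
}

# ord CHAR: numeric value of a single character ('' -> 0), used to order
# the OpenSSL patch letters (1.1.1h < 1.1.1i).
ord() {
    if [ -n "$1" ]; then printf '%d' "'$1"; else printf '%d' 0; fi
}

# openssl_1971_status VERSIONSTRING
#   VERSIONSTRING: "1.1.1h", "1.1.1i,1" (pkg query %v), or the full
#   `openssl version` output such as "OpenSSL 1.1.1i  8 Dec 2020".
#   Prints fixed | vulnerable | unknown | base.
#   "base" means a -freebsd build: its version text does not change when
#   the SA patch is applied, so use sa2033_base_status for it instead.
openssl_1971_status() {
    v=$1
    case "$v" in *-freebsd*) echo base; return 0 ;; esac
    v=${v#OpenSSL }             # drop the program name
    v=${v%% *}                  # drop the build date
    v=${v%%,*}                  # drop a ports epoch, e.g. 1.1.1i,1
    case "$v" in
        1.1.1*) fix=i; letters=${v#1.1.1} ;;
        1.0.2*) fix=x; letters=${v#1.0.2} ;;
        *) echo unknown; return 0 ;;    # 1.1.0, 1.0.1, 3.x: not mapped here
    esac
    first=${letters%"${letters#?}"}     # first patch letter ('' for 1.1.1)
    if [ "$(ord "$first")" -ge "$(ord "$fix")" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Stand-alone use on a FreeBSD host; guarded so the script runs elsewhere.
if command -v freebsd-version >/dev/null 2>&1; then
    u=$(freebsd-version -u)
    echo "base userland $u: $(sa2033_base_status "$u")"
fi
if command -v openssl >/dev/null 2>&1; then
    echo "openssl in PATH: $(openssl_1971_status "$(openssl version)")"
fi
```

On a patched 12.2 host the first line reads "base userland 12.2-RELEASE-p2: fixed"; a "base" verdict from the second line is expected there and is not a finding. The patch level only proves the files on disk are current: as the advisory says, daemons that loaded the old libcrypto keep running it until they are restarted.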
Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-20:33/openssl.patch
# fetch https://security.FreeBSD.org/patches/SA-20:33/openssl.patch.asc
# gpg --verify openssl.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r368459
releng/12.2/                                                      r368463
releng/12.1/                                                      r368463
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From owner-freebsd-security@freebsd.org Thu Dec 10 14:51:25 2020
From: Mark Johnston
To: "Wall, Stephen" <stephen.wall@redcom.com>
Cc: FreeBSD Security Advisories <security-advisories@freebsd.org>,
    freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:32.rtsold
Date: Thu, 10 Dec 2020 09:51:19 -0500
v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:date:from:to:cc:subject:message-id:references:mime-version :content-disposition:content-transfer-encoding:in-reply-to; bh=mTdRjxmk4bRnDOnM/kfUV1aCqBvR80B1VPGcw7f5EPo=; b=DVcCowCnPTWwgZEyxez9Q6QC36dpvtWHanYzGO5bDSA0KETIR9A4gjdF7GlTEMZO98 FAbWVxeY6J37fdQ3GvZvZOxvcCATpyoAEMUEEYOJYxmiHr74O5oPSYoIiHN/aHDbhpYo MnGRRjFbA7jZcnu8xWGvHMtqkdmc7PHjzk8B1V57b3XV6vR2No2919xCj6Fewbgw6wvg sgw/eyF6FzwHWXBhq5RC77sVP6vxuylnPtQUceCNl3PELx8SDOu2IzUPHUWkUJI3sew9 +0R2bRDUm28xDbPytkzeS7Oar+rGV1iBqoYFdk2VkUszuLEFtU3qTlP5CJCQ+iCMoufQ xwyQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:date:from:to:cc:subject:message-id :references:mime-version:content-disposition :content-transfer-encoding:in-reply-to; bh=mTdRjxmk4bRnDOnM/kfUV1aCqBvR80B1VPGcw7f5EPo=; b=QGTFf6QrWQKxQ1ztXiIhS/KdCtAYpmF6l4TKneoLi+fV8Xx2MQEz0pa3WfP01T+jeY L+7y6TjfdyOmBhp0pd3MYSM1Rr3UzZ/1dmnegTnbLjEteVScnkcwKBvtn+1LrTj73Mc2 3wPdUrmYvAoAvZOoc4/EGpGBDnYusUWNVut4h5y/EdtwHZamN3a3NLwBKdhbQkiTVrVR Y6GgLllydVaVKBF3U5v9myeRY1WiXdxjedaZXi15tJHolNaxIWvUzA5kfUFDUBUTFiRy hQhOOMuzXX9i9D12Z/mR436j2vyoxOqxOimVAVJw9cV/laqnokVW5rENKlSB2gHlxsgU 1nRw== X-Gm-Message-State: AOAM532JYtO72PlGnEcKWtd9hTI2PzOezCLnVsRdJOPI53/0kevvzWVS LSFKA7S1OlOffOemauKZ44baeoM/8Jc= X-Google-Smtp-Source: ABdhPJxqvAm+pLnppaxw3xDuzJCWAdDwcBXSq9uDaeQK7mt1QFUyZZhU6no7JwwCC7UW71TYlyI9tw== X-Received: by 2002:aed:2ae2:: with SMTP id t89mr9440600qtd.82.1607611884277; Thu, 10 Dec 2020 06:51:24 -0800 (PST) Received: from raichu ([142.126.164.150]) by smtp.gmail.com with ESMTPSA id n81sm3544109qka.76.2020.12.10.06.51.23 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 10 Dec 2020 06:51:23 -0800 (PST) Sender: Mark Johnston Date: Thu, 10 Dec 2020 09:51:19 -0500 From: Mark Johnston To: "Wall, Stephen" Cc: FreeBSD Security Advisories , "freebsd-security@freebsd.org" Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:32.rtsold 
References: <20201201204625.8DE8D19E9C@freefall.freebsd.org>

On Wed, Dec 09, 2020 at 03:29:39PM +0000, Wall, Stephen wrote:
> Regarding FreeBSD-SA-20:32.rtsold, does this line indicate that the
> messages must come from directly connected equipment, or could it
> come through a hub or router as well?
>
> > Note that rtsold(8) only processes messages received from hosts
> > attached to the same physical link as the interface(s) on which
> > rtsold(8) is listening.

The message has to come from a host on the same layer 2 broadcast domain
as the recipient. Routers don't forward neighbour solicitation messages
but a hub will.

> Thank you.

From owner-freebsd-security@freebsd.org Thu Dec 10 14:53:07 2020
From: Mark Johnston
Date: Thu, 10 Dec 2020 09:53:02 -0500
To: "Wall, Stephen"
Cc: FreeBSD Security Advisories, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:31.icmp6
References: <20201201204619.F3A3B19D2F@freefall.freebsd.org>

On Wed, Dec 09, 2020 at 03:45:13PM +0000, Wall, Stephen wrote:
> This advisory states "Systems with IPv6 disabled are not affected."
> What constitutes disabling IPv6 in this context? Would it require
> disabling it when building the kernel, or is `ipv6_enable="NO"` in
> `rc.conf` sufficient?

The latter should be sufficient. The kernel will drop IPv6 packets
received on an interface with the IFDISABLED flag set, and they won't
reach the affected code.
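A check for the mitigation described above, added here as an example and not part of the reply or the advisory: it parses ifconfig(8) output (a constructed sample is embedded) and lists the interfaces whose nd6 options lack IFDISABLED, i.e. the interfaces on which the kernel would still hand IPv6 packets to the affected code.

```sh
#!/bin/sh
# Added example, not from the advisory or the reply. Lists interfaces on
# which IPv6 input is still enabled, judged by the absence of IFDISABLED in
# the "nd6 options=" line that FreeBSD's ifconfig(8) prints per interface.
# With ipv6_enable="NO" in rc.conf, every interface should show IFDISABLED.

# Constructed sample of ifconfig(8) output (not captured from a real host):
# em0 has IPv6 disabled, em1 and lo0 still accept IPv6.
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet6 fe80::1%em1 prefixlen 64 scopeid 0x2
	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	inet6 ::1 prefixlen 128
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>'

# ipv6_enabled_ifaces IFCONFIG_OUTPUT
# Prints, space separated on one line, the interfaces whose nd6 options
# lack IFDISABLED; prints an empty line when every interface is disabled.
ipv6_enabled_ifaces() {
    printf '%s\n' "$1" | awk '
        # An unindented "name:" line starts a new interface block.
        /^[A-Za-z][A-Za-z0-9_.]*:/ { iface = $1; sub(/:$/, "", iface); next }
        # The indented nd6 line carries the per-interface IPv6 flags.
        /^[ \t]+nd6 options=/ && $0 !~ /IFDISABLED/ {
            out = out (out == "" ? "" : " ") iface
        }
        END { print out }'
}

# ipv6_fully_disabled IFCONFIG_OUTPUT
# Succeeds only when no interface still accepts IPv6; usable in audits.
ipv6_fully_disabled() {
    [ -z "$(ipv6_enabled_ifaces "$1")" ]
}

# On a FreeBSD host: ipv6_enabled_ifaces "$(ifconfig)"
ipv6_enabled_ifaces "$SAMPLE_IFCONFIG"
```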
From owner-freebsd-security@freebsd.org Thu Dec 10 15:29:26 2020
From: Bob Bishop
Date: Thu, 10 Dec 2020 15:29:17 +0000
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
In-Reply-To: <20201209230300.0B50ABCD@freefall.freebsd.org>

Hi,

> On 9 Dec 2020, at 23:03, FreeBSD Security Advisories wrote:
>
> Signed PGP part
> ==============================================================================
> FreeBSD-SA-20:33.openssl                                    Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          OpenSSL NULL pointer de-reference
> [etc]

A query: am I right that the patch doesn't bump the OpenSSL version to 1.1.1.i ?
--
Bob Bishop
rb@gid.co.uk

From owner-freebsd-security@freebsd.org Thu Dec 10 15:43:38 2020
From: "Wall, Stephen"
Date: Thu, 10 Dec 2020 15:43:35 +0000
To: Bob Bishop, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl

> A query: am I right that the patch doesn't bump the OpenSSL version to 1.1.1.i ?

That is correct.
- Steve Wall

From owner-freebsd-security@freebsd.org Thu Dec 10 20:02:53 2020
From: John-Mark Gurney
Date: Thu, 10 Dec 2020 12:02:50 -0800
To: "Hartmann, O."
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject: Re: AMNESIA:33 and FreeBSD TCP/IP stack involvement
Message-ID: <20201210200250.GJ31099@funkthat.com>
In-Reply-To: <20201209065849.47a51561@hermann.fritz.box>

Hartmann, O. wrote this message on Wed, Dec 09, 2020 at 06:58 +0100:
> I've got a question about recently discovered serious vulnerabilities
> in certain TCP stack implementations, designated as AMNESIA:33 (as far
> as I could follow the recently made announcements and statements,
> please see, for instance,
> https://www.zdnet.com/article/amnesia33-vulnerabilities-impact-millions-of-smart-and-industrial-devices/).
>
> All mentioned open-source TCP stacks seem not to be related in any way
> with FreeBSD or any derivative of the FreeBSD project, but I do not
> dare to make a statement about that.
>
> My question is very simple and aims towards calming down my employees'
> requests: is FreeBSD potentially vulnerable to this newly discovered
> flaw (we use mainly 12.1-RELENG, 12.2-RELENG, 12-STABLE and 13-CURRENT,
> latest incarnations, of course, should be least vulnerable ...).

I'd be surprised if FreeBSD is vulnerable to those flaws, but I cannot
make any official statement as there are too many to even start to
investigate them.

Also of note is that there were three other IP stacks that were NOT
vulnerable to ANY new security issues in that report as well, so it
isn't like the report found a security vulnerability in every TCP/IP
stack they tested.

The best way to have confidence is to pay people to analyze and verify
that the FreeBSD TCP/IP stack is secure, just as it is w/ any critical
code that a company runs.

--
John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
--lc9FT7cWel8HagAv Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQJ8BAEBCgBmBQJf0n7pXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2MEI1RTRGMTNDNzYyMDZDNjEyMDBCNjAy MDVGMEIzM0REMDA2QURBAAoJECBfCzPdAGraZMgQALCbs+t2NLfROQq4sNHSsQRr OwzBmU+fKQI24SqfafaPDc8RuxIKP7luyjrFdK2DfSAMBn1A7YaM2YCHHifczfFX aBhHSdlzGThLme18Cd8ckAQuULEJ7afGN1twDCVQ/8OC6fKBSl9S3ehv5XYGeveB sMeb28qeCEWzd9sYpR9AV0B4FK3I+pVeeMiArtkpXwzXINsnuYL5EExZtbIWyz9V L0DB5oiMp4sOFbXxqbxzcVLm3teWDpG8tqpEmPy3RNFOatfr7KFujb70A7mk2Fqg 6fKvRR4oDtiKlysF8Ql75tQISPfsTnwpbTnzEzk9KSge4tP7vQg4lXWASkoOG58T N64FseVD4uFW6JN2mqRL+WInv28Rl5ohTe5ePLBuW/VivnNgwRNdqt4WhjArrq+Z 87G/7UVvz1pZ3UDtzLpqZSo2c3Um3Z/4T64pJOoxU9aUPOMtXt6e0Ml5t8tJO3bv YBz49/JcHezLPWxY7SQx8lpU70aUipD6UJfhHJHKa5qO7DPRzEkPITRh6xVmvOnx DlZQkb5nt0GCqSTPBwhMH/xg+Yuxt0fQevrss+F7Rzf8Ip0vki9hb/bk0nC4ztCJ 0hpmJBggIXSpcW6ie83AI05cnsSE6lAbjqQlUT8kPEWjoCJ/xAsfyW8x/5j1DLV3 2wxG/qrWycPy684OecVW =9Y7G -----END PGP SIGNATURE----- --lc9FT7cWel8HagAv-- From owner-freebsd-security@freebsd.org Fri Dec 11 06:46:31 2020 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 3C3DB47D555 for ; Fri, 11 Dec 2020 06:46:31 +0000 (UTC) (envelope-from jmg@gold.funkthat.com) Received: from gold.funkthat.com (gate2.funkthat.com [208.87.223.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "gate2.funkthat.com", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4CshCB1JPvz4scf for ; Fri, 11 Dec 2020 06:46:29 +0000 (UTC) (envelope-from jmg@gold.funkthat.com) Received: from gold.funkthat.com (localhost [127.0.0.1]) by gold.funkthat.com (8.15.2/8.15.2) with ESMTPS id 0BB6kSWL078472 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for ; Thu, 10 Dec 2020 22:46:28 
From: John-Mark Gurney
Date: Thu, 10 Dec 2020 22:46:28 -0800
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
Message-ID: <20201211064628.GM31099@funkthat.com>
In-Reply-To: <20201209230300.03251CA1@freefall.freebsd.org>

FreeBSD Security Advisories wrote this message on Wed, Dec 09, 2020 at 23:03 +0000:
> versions included in FreeBSD 12.x. This vulnerability is also known to
> affect OpenSSL versions included in FreeBSD 11.4. However, the OpenSSL
> project is only giving patches for that version to premium support contract
> holders. The FreeBSD project does not have access to these patches and
> recommends FreeBSD 11.4 users to either upgrade to FreeBSD 12.x or leverage
> up to date versions of OpenSSL in the ports/pkg system. The FreeBSD Project
> may update this advisory to include FreeBSD 11.4 should patches become
> publicly available.

FreeBSD needs to reevaluate the continued reliance on OpenSSL for our
crypto/TLS library. 1.0.2, which is in 11-stable, has not had support for
almost a year, and 11 is going to have almost another year of support,
during which time, if there's another vuln, we'll again be leaving the
users in a bad place.

I have not heard if OpenSSL has bothered to address the breakage of
/dev/crypto that also recently came up, but it does appear that they are
no longer a good fit for FreeBSD.

Even as it stands, FreeBSD has committed to supporting 12 for close to a
year longer than OpenSSL has for 1.1.1, meaning we will be in the same
situation we are in w/ 11 in a few years.

Assuming 13 releases w/ OpenSSL, we'll be in an even worse situation
than we are now. OpenSSL 3.0.0 has no support commitment announced yet,
and sticking with 1.1.1 for 13 will put us in an even worse situation
than we are today.

What are people's thoughts on how to address the support mismatch between
FreeBSD and OpenSSL? And how to address it?

IMO, FreeBSD does need to do something, and staying w/ OpenSSL does not
look like a viable option.

-- 
John-Mark Gurney                              Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
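A practical check related to the base-versus-ports OpenSSL split discussed in this thread, added here as an example and not part of any message: it classifies a binary's libssl/libcrypto dependencies from ldd(1) output as base (/lib, /usr/lib), ports (/usr/local/lib), mixed, or none, so an administrator can see which copy of OpenSSL a given program actually loads. The sample ldd lines and the function names are constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): tell whether a binary uses the base
# system's OpenSSL or the one installed from ports/pkg, based on ldd(1) output.
#   base  - libssl/libcrypto resolved under /lib or /usr/lib (OpenSSL 1.0.2 on 11.x)
#   ports - resolved under /usr/local/lib (security/openssl or security/libressl)
#   mixed - one library from each tree, a sign of an inconsistently built binary
#   none  - the binary does not link libssl or libcrypto at all
# Lines of the form "libssl.so.N => not found" carry no path and are ignored.

# classify_ssl_deps reads ldd output on stdin and prints base|ports|mixed|none.
classify_ssl_deps() {
    base=0
    ports=0
    while IFS= read -r line; do
        case "$line" in
            *libssl.so*|*libcrypto.so*) ;;
            *) continue ;;
        esac
        # ldd prints "libssl.so.N => /path/libssl.so.N (0xADDR)"; keep the path.
        path=${line#*=> }
        path=${path%% *}
        case "$path" in
            /usr/local/lib/*) ports=1 ;;
            /lib/*|/usr/lib/*) base=1 ;;
        esac
    done
    if [ "$base" -eq 1 ] && [ "$ports" -eq 1 ]; then
        echo mixed
    elif [ "$ports" -eq 1 ]; then
        echo ports
    elif [ "$base" -eq 1 ]; then
        echo base
    else
        echo none
    fi
}

# audit_binary runs ldd on a real executable (FreeBSD or Linux) and classifies it.
audit_binary() {
    ldd "$1" 2>/dev/null | classify_ssl_deps
}

# classify_sample feeds a captured or constructed ldd listing to the classifier.
classify_sample() {
    printf '%s\n' "$1" | classify_ssl_deps
}

# Constructed sample ldd output, not captured from a real host.
SAMPLE_BASE='    libssl.so.8 => /usr/lib/libssl.so.8 (0x800250000)
    libcrypto.so.8 => /lib/libcrypto.so.8 (0x800400000)
    libc.so.7 => /lib/libc.so.7 (0x800800000)'
SAMPLE_PORTS='    libssl.so.1.1 => /usr/local/lib/libssl.so.1.1 (0x800250000)
    libcrypto.so.1.1 => /usr/local/lib/libcrypto.so.1.1 (0x800400000)
    libc.so.7 => /lib/libc.so.7 (0x800800000)'
SAMPLE_MIXED='    libssl.so.1.1 => /usr/local/lib/libssl.so.1.1 (0x800250000)
    libcrypto.so.8 => /lib/libcrypto.so.8 (0x800400000)'
SAMPLE_NONE='    libc.so.7 => /lib/libc.so.7 (0x800800000)'

# Stand-alone demonstration on the constructed samples.
printf 'base sample:  %s\n' "$(classify_sample "$SAMPLE_BASE")"
printf 'ports sample: %s\n' "$(classify_sample "$SAMPLE_PORTS")"
printf 'mixed sample: %s\n' "$(classify_sample "$SAMPLE_MIXED")"
printf 'none sample:  %s\n' "$(classify_sample "$SAMPLE_NONE")"
```

On a live host, `audit_binary /usr/local/sbin/nginx` (or any other package-installed program) gives the same four-way answer for that binary.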
From owner-freebsd-security@freebsd.org Fri Dec 11 09:14:05 2020
From: Robert Schulze
Organization: bytecamp GmbH
Date: Fri, 11 Dec 2020 10:14:01 +0100
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
Message-ID: <72f2110e-8f1b-76ca-4dd8-2d7283b951d6@bytecamp.net>
In-Reply-To: <20201211064628.GM31099@funkthat.com>

Hi,

On 11.12.20 at 07:46, John-Mark Gurney wrote:
>
> Assuming 13 releases w/ OpenSSL, we'll be even in a worse situation
> than we are now. OpenSSL 3.0.0 has no support commitment announced
> yet, and sticking with 1.1.1 for 13 will put us even in a worse
> situation than we are today.
>
> What are peoples thoughts on how to address the support mismatch between
> FreeBSD and OpenSSL? And how to address it?
>
> IMO, FreeBSD does need to do something, and staying w/ OpenSSL does
> not look like a viable option.
>

You may install a current OpenSSL via ports if you like to. I don't see
any OpenSSL fork to be more reliable than its predecessor, but much work
has been done in the ports tree to enable the system administrator to
switch. There is not much left (if anything) to be done in FreeBSD itself
regarding the standard crypto library.
regards,
Robert Schulze

From owner-freebsd-security@freebsd.org Fri Dec 11 10:12:04 2020
From: Andrea Venturoli
Date: Fri, 11 Dec 2020 11:11:54 +0100
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
Message-ID: <0ccfbeb4-c4e1-53e6-81e8-112318cd9bf1@netfence.it>
In-Reply-To: <20201209230300.03251CA1@freefall.freebsd.org>

On 12/10/20 12:03 AM, FreeBSD Security Advisories wrote:
> Note: The OpenSSL project has published publicly available patches for
> versions included in FreeBSD 12.x. This vulnerability is also known to
> affect OpenSSL versions included in FreeBSD 11.4. However, the OpenSSL
> project is only giving patches for that version to premium support contract
> holders. The FreeBSD project does not have access to these patches and
> recommends FreeBSD 11.4 users to either upgrade to FreeBSD 12.x or leverage
> up to date versions of OpenSSL in the ports/pkg system. The FreeBSD Project
> may update this advisory to include FreeBSD 11.4 should patches become
> publicly available.

So I'm looking for suggestions on how to handle this.
I guess I'll just upgrade some 11.4 to 12.2 and that'll be it.
However there are a few boxes I can't or don't want to upgrade and I'm
thinking about using openssl from ports.

If I'm correct, I'll need to put "DEFAULT_VERSIONS= ssl=openssl" either in
/etc/make.conf and/or in /usr/local/etc/poudriere.d/114amd64-make.conf.

I started with the latter, but a bulk run ended up in some port failing
(and a lot being skipped) due to kerberos support: AFAICT I cannot use
base's kerberos with ports' openssl.
Which is a better replacement: MIT or HEIMDAL?

Then I think I'll just need "pkg upgrade -f", where I'm using packages.

I still have some systems, however, that are using portupgrade: perhaps I
can convert some to packages, but others have to stay like this for the
moment.
Will "portupgrade -Fa" do or do I need something more complex?

bye & Thanks
    av.

From owner-freebsd-security@freebsd.org Fri Dec 11 11:15:32 2020
From: Fabian Keil
Date: Fri, 11 Dec 2020 12:14:42 +0100
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
Message-ID: <20201211121442.1062671e@fabiankeil.de>
In-Reply-To:
  <0ccfbeb4-c4e1-53e6-81e8-112318cd9bf1@netfence.it>

Andrea Venturoli wrote on 2020-12-11:

> On 12/10/20 12:03 AM, FreeBSD Security Advisories wrote:
>
> > Note: The OpenSSL project has published publicly available patches for
> > versions included in FreeBSD 12.x. This vulnerability is also known to
> > affect OpenSSL versions included in FreeBSD 11.4. However, the OpenSSL
> > project is only giving patches for that version to premium support contract
> > holders. The FreeBSD project does not have access to these patches and
> > recommends FreeBSD 11.4 users to either upgrade to FreeBSD 12.x or leverage
> > up to date versions of OpenSSL in the ports/pkg system. The FreeBSD Project
> > may update this advisory to include FreeBSD 11.4 should patches become
> > publicly available.
>
> So I'm looking for suggestion on how to handle this.
> I guess I'll just upgrade some 11.4 to 12.2 and that'll be it.

The fix was already backported to stable/11 so it's now "publicly available":
https://svnweb.freebsd.org/base?view=revision&revision=368530

I expect that releng/11.4 will receive the fix in the near future.

Fabian

From owner-freebsd-security@freebsd.org Fri Dec 11 11:38:08 2020
From: Martin Simmons
Date: Fri, 11 Dec 2020 11:38:02 GMT
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
Message-ID: <202012111138.0BBBc2Eq006002@higson.cam.lispworks.com>
In-Reply-To: <20201211064628.GM31099@funkthat.com>
>>>>> On Thu, 10 Dec 2020 22:46:28 -0800, John-Mark Gurney said:
>
> What are peoples thoughts on how to address the support mismatch between
> FreeBSD and OpenSSL? And how to address it?

Maybe it would help a little if the packages on pkg.FreeBSD.org all used
the pkg version of OpenSSL? Currently, it looks like you have to build
your own ports if you want that.

__Martin

From owner-freebsd-security@freebsd.org Fri Dec 11 11:44:31 2020
From: Franco Fichtner
Date: Fri, 11 Dec 2020 12:44:17 +0100
To: Martin Simmons
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
Message-Id: <2AF24633-7E9F-4B92-8E99-6A81CD9D3AF8@lastsummer.de>
In-Reply-To: <202012111138.0BBBc2Eq006002@higson.cam.lispworks.com>

> On 11. Dec 2020, at 12:38 PM, Martin Simmons wrote:
>
>>>>>> On Thu, 10 Dec 2020 22:46:28 -0800, John-Mark Gurney said:
>>
>> What are peoples thoughts on how to address the support mismatch between
>> FreeBSD and OpenSSL? And how to address it?
>
> Maybe it would help a little if the packages on pkg.FreeBSD.org all used the
> pkg version of OpenSSL? Currently, it looks like you have build your own
> ports if you want that.
This pretty much breaks LibreSSL ports usage for binary package consumers.

Cheers,
Franco

From owner-freebsd-security@freebsd.org Fri Dec 11 11:48:12 2020
From: Martin Simmons
Date: Fri, 11 Dec 2020 11:48:07 GMT
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
Message-Id: <202012111148.0BBBm7uw012149@higson.cam.lispworks.com>
In-Reply-To: <20201209230300.03251CA1@freefall.freebsd.org>

>>>>> On Wed, 9 Dec 2020 23:03:00 +0000 (UTC), FreeBSD Security Advisories said:
>
> Note: The OpenSSL project has published publicly available patches for
> versions included in FreeBSD 12.x. This vulnerability is also known to
> affect OpenSSL versions included in FreeBSD 11.4. However, the OpenSSL
> project is only giving patches for that version to premium support contract
> holders. The FreeBSD project does not have access to these patches and
> recommends FreeBSD 11.4 users to either upgrade to FreeBSD 12.x or leverage
> up to date versions of OpenSSL in the ports/pkg system. The FreeBSD Project
> may update this advisory to include FreeBSD 11.4 should patches become
> publicly available.

I see that Ubuntu have backported this (see 1.0.2n-1ubuntu5.5 in
https://launchpad.net/ubuntu/+source/openssl1.0).
__Martin

From owner-freebsd-security@freebsd.org Fri Dec 11 12:20:04 2020
From: Martin Simmons
Date: Fri, 11 Dec 2020 12:19:34 GMT
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
Message-Id: <202012111219.0BBCJYSf000629@higson.cam.lispworks.com>
In-Reply-To: <2AF24633-7E9F-4B92-8E99-6A81CD9D3AF8@lastsummer.de>

>>>>> On Fri, 11 Dec 2020 12:44:17 +0100, Franco Fichtner said:
>
> > On 11. Dec 2020, at 12:38 PM, Martin Simmons wrote:
> >
> >>>>>> On Thu, 10 Dec 2020 22:46:28 -0800, John-Mark Gurney said:
> >>
> >> What are peoples thoughts on how to address the support mismatch between
> >> FreeBSD and OpenSSL? And how to address it?
> >
> > Maybe it would help a little if the packages on pkg.FreeBSD.org all used the
> > pkg version of OpenSSL? Currently, it looks like you have build your own
> > ports if you want that.
>
> This pretty much breaks LibreSSL ports usage for binary package consumers.

I'm talking about the binary packages from pkg.FreeBSD.org. Don't they
always use the base OpenSSL at the moment?
__Martin

From owner-freebsd-security@freebsd.org Fri Dec 11 12:28:55 2020
From: Franco Fichtner
Date: Fri, 11 Dec 2020 13:28:43 +0100
To: Martin Simmons
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
Message-Id: <612054DD-F857-455F-AF49-695A910A0D81@lastsummer.de>
In-Reply-To: <202012111219.0BBCJYSf000629@higson.cam.lispworks.com>

> On 11. Dec 2020, at 13:20, Martin Simmons wrote:
>
>>
>>>>>> On Fri, 11 Dec 2020 12:44:17 +0100, Franco Fichtner said:
>>
>>>> On 11. Dec 2020, at 12:38 PM, Martin Simmons wrote:
>>>
>>>>>>>> On Thu, 10 Dec 2020 22:46:28 -0800, John-Mark Gurney said:
>>>>
>>>> What are peoples thoughts on how to address the support mismatch between
>>>> FreeBSD and OpenSSL? And how to address it?
>>>
>>> Maybe it would help a little if the packages on pkg.FreeBSD.org all used the
>>> pkg version of OpenSSL? Currently, it looks like you have build your own
>>> ports if you want that.
>>
>> This pretty much breaks LibreSSL ports usage for binary package consumers.
>
> I'm talking about the binary packages from pkg.FreeBSD.org. Don't they always
> use the base OpenSSL at the moment?

Yes, and if it were built against ports OpenSSL you could no longer build
against LibreSSL locally.

In OPNsense we do build against ports OpenSSL for upgrade ease, but we also
offer a second set of packages for LibreSSL.
For the normal FreeBSD user defaulting packages against OpenSSL from ports w= ould be severely limiting their capability to deviate from this with one-off= builds and most cannot or will not run their own poudriere batch. Effectively, using the second tier crypto to emulate the first tier crypto w= ould trash the second tier for everyone else. Cheers, Franco= From owner-freebsd-security@freebsd.org Fri Dec 11 12:57:12 2020 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id D90C94AF3D9 for ; Fri, 11 Dec 2020 12:57:12 +0000 (UTC) (envelope-from franco@lastsummer.de) Received: from host64.shmhost.net (host64.shmhost.net [213.239.241.64]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4CsrQw13R0z3pVS for ; Fri, 11 Dec 2020 12:57:11 +0000 (UTC) (envelope-from franco@lastsummer.de) Received: from p200300cd8727c9fca4b593819ba8e1d5.dip0.t-ipconnect.de (p200300cd8727c9fca4b593819ba8e1d5.dip0.t-ipconnect.de [IPv6:2003:cd:8727:c9fc:a4b5:9381:9ba8:e1d5]) by host64.shmhost.net (Postfix) with ESMTPSA id 4CsrQt3jBMzP2P8; Fri, 11 Dec 2020 13:57:10 +0100 (CET) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\)) Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl From: Franco Fichtner In-Reply-To: Date: Fri, 11 Dec 2020 13:57:10 +0100 Cc: Martin Simmons , freebsd-security@freebsd.org Content-Transfer-Encoding: quoted-printable Message-Id: <6E2E0169-F2E8-4562-85BA-42FC28B07F35@lastsummer.de> References: <20201209230300.03251CA1@freefall.freebsd.org> <20201211064628.GM31099@funkthat.com> <202012111138.0BBBc2Eq006002@higson.cam.lispworks.com> <2AF24633-7E9F-4B92-8E99-6A81CD9D3AF8@lastsummer.de> To: Tomasz CEDRO X-Mailer: 
Apple Mail (2.3608.120.23.2.4) X-Virus-Scanned: clamav-milter 0.102.4 at host64.shmhost.net X-Virus-Status: Clean X-Rspamd-Queue-Id: 4CsrQw13R0z3pVS X-Spamd-Bar: ++ Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=none (mx1.freebsd.org: domain of franco@lastsummer.de has no SPF policy when checking 213.239.241.64) smtp.mailfrom=franco@lastsummer.de X-Spamd-Result: default: False [2.38 / 15.00]; RCVD_TLS_ALL(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; MID_RHS_MATCH_FROM(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; TO_DN_SOME(0.00)[]; MV_CASE(0.50)[]; FROM_HAS_DN(0.00)[]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[lastsummer.de]; ARC_NA(0.00)[]; AUTH_NA(1.00)[]; NEURAL_SPAM_SHORT(0.98)[0.979]; SPAMHAUS_ZRD(0.00)[213.239.241.64:from:127.0.2.255]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RBL_DBL_DONT_QUERY_IPS(0.00)[213.239.241.64:from]; NEURAL_SPAM_LONG(1.00)[1.000]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; R_SPF_NA(0.00)[no SPF record]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:24940, ipnet:213.239.192.0/18, country:DE]; RCVD_COUNT_TWO(0.00)[2]; MAILMAN_DEST(0.00)[freebsd-security] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Dec 2020 12:57:12 -0000 > On 11. Dec 2020, at 1:36 PM, Tomasz CEDRO wrote: >=20 > On Fri, Dec 11, 2020 at 12:44 PM Franco Fichtner wrote: >>> On 11. Dec 2020, at 12:38 PM, Martin Simmons = wrote: >>>>>>>> On Thu, 10 Dec 2020 22:46:28 -0800, John-Mark Gurney said: >>>> What are peoples thoughts on how to address the support mismatch = between >>>> FreeBSD and OpenSSL? And how to address it? >>> Maybe it would help a little if the packages on pkg.FreeBSD.org all = used the >>> pkg version of OpenSSL? Currently, it looks like you have build = your own >>> ports if you want that. 
>>=20 >> This pretty much breaks LibreSSL ports usage for binary package = consumers. >=20 > Why not switch to LibreSSL as default? :-) Good question. LibreSSL lacks engine and PSK support. TLS 1.3 was tailing behind. = Missing CMS also was a large issue for those who needed it. Someone with more = in- depth knowledge can probably name more. The other issue with LibreSSL in general is that third party support is = mostly ok, but some high profile cases have had issues with it for years: = HAProxy, OpenVPN, StrongSwan just to name a few. Having ports contributors and = committers chase these unthankful quests is probably not worth the overall effort. It works pretty well as a ports crypto replacement, but for the reasons = listed above it is probably not going to happen on a default scale. Also, LibreSSL in base was a failed experiment in HardenedBSD. Its = release cycle and support policy is tailored neatly around OpenBSD releases and the = attempt to break ABI compatibility in packages while you retrofit a new version = into a minor release can fail pretty spectacularly. I'm not being skeptical. I helped improve overall LibreSSL support in = the ports tree since 2015. The LibreSSL team is doing a great job all things = considered. This is simply the current reality of keeping LibreSSL in ports a steady alternative. 
Cheers, Franco From owner-freebsd-security@freebsd.org Fri Dec 11 16:05:01 2020 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id BC2994B360D for ; Fri, 11 Dec 2020 16:05:01 +0000 (UTC) (envelope-from martin@lispworks.com) Received: from mail.lispworks.com (mail.lispworks.com [46.17.166.21]) by mx1.freebsd.org (Postfix) with ESMTP id 4Cswbc6gJzz4XNh for ; Fri, 11 Dec 2020 16:05:00 +0000 (UTC) (envelope-from martin@lispworks.com) Received: from higson.cam.lispworks.com (higson.cam.lispworks.com [192.168.1.7]) by lwfs1-cam.cam.lispworks.com (8.15.2/8.15.2) with ESMTP id 0BBG4uVh076921; Fri, 11 Dec 2020 16:04:56 GMT (envelope-from martin@lispworks.com) Received: from higson.cam.lispworks.com (localhost.localdomain [127.0.0.1]) by higson.cam.lispworks.com (8.14.4) id 0BBG4uFJ002973; Fri, 11 Dec 2020 16:04:56 GMT Received: (from martin@localhost) by higson.cam.lispworks.com (8.14.4/8.14.4/Submit) id 0BBG4uh3002969; Fri, 11 Dec 2020 16:04:56 GMT Date: Fri, 11 Dec 2020 16:04:56 GMT Message-Id: <202012111604.0BBG4uh3002969@higson.cam.lispworks.com> From: Martin Simmons To: freebsd-security@freebsd.org In-reply-to: <612054DD-F857-455F-AF49-695A910A0D81@lastsummer.de> (message from Franco Fichtner on Fri, 11 Dec 2020 13:28:43 +0100) Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl References: <202012111219.0BBCJYSf000629@higson.cam.lispworks.com> <612054DD-F857-455F-AF49-695A910A0D81@lastsummer.de> MIME-version: 1.0 Content-type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 4Cswbc6gJzz4XNh X-Spamd-Bar: ++ Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=none (mx1.freebsd.org: domain of martin@lispworks.com has no SPF policy when checking 46.17.166.21) smtp.mailfrom=martin@lispworks.com X-Spamd-Result: default: False [2.20 / 15.00]; ARC_NA(0.00)[]; 
RBL_DBL_DONT_QUERY_IPS(0.00)[46.17.166.21:from]; FREEFALL_USER(0.00)[martin]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; NEURAL_SPAM_SHORT(0.97)[0.973]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; DMARC_NA(0.00)[lispworks.com]; AUTH_NA(1.00)[]; RCPT_COUNT_ONE(0.00)[1]; SPAMHAUS_ZRD(0.00)[46.17.166.21:from:127.0.2.255]; RCVD_COUNT_THREE(0.00)[3]; NEURAL_HAM_MEDIUM(-0.77)[-0.773]; NEURAL_SPAM_LONG(1.00)[1.000]; RCVD_IN_DNSWL_NONE(0.00)[46.17.166.21:from]; R_SPF_NA(0.00)[no SPF record]; RCVD_NO_TLS_LAST(0.10)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:51055, ipnet:46.17.166.0/24, country:GB]; MAILMAN_DEST(0.00)[freebsd-security] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Dec 2020 16:05:01 -0000 >>>>> On Fri, 11 Dec 2020 13:28:43 +0100, Franco Fichtner said: > > > On 11. Dec 2020, at 13:20, Martin Simmons wrote: > > > >  > >> > >>>>>> On Fri, 11 Dec 2020 12:44:17 +0100, Franco Fichtner said: > >> > >>>> On 11. Dec 2020, at 12:38 PM, Martin Simmons wrote: > >>> > >>>>>>>> On Thu, 10 Dec 2020 22:46:28 -0800, John-Mark Gurney said: > >>>> > >>>> What are peoples thoughts on how to address the support mismatch between > >>>> FreeBSD and OpenSSL? And how to address it? > >>> > >>> Maybe it would help a little if the packages on pkg.FreeBSD.org all used the > >>> pkg version of OpenSSL? Currently, it looks like you have build your own > >>> ports if you want that. > >> > >> This pretty much breaks LibreSSL ports usage for binary package consumers. > > > > I'm talking about the binary packages from pkg.FreeBSD.org. Don't they always > > use the base OpenSSL at the moment? > > Yes, and if it would be built against ports OpenSSL you can no longer build against LibreSSL locally. 
> > In OPNsense we do build against ports OpenSSL for upgrade ease, but we also offer a second set of packages for LibreSSL. > > For the normal FreeBSD user defaulting packages against OpenSSL from ports would be severely limiting their capability to deviate from this with one-off builds and most cannot or will not run their own poudriere batch. OK, I see what you mean now. The underlying problem is that it is impossible to install packages/ports for OpenSSL and LibreSSL at the same time. __Martin From owner-freebsd-security@freebsd.org Fri Dec 11 19:57:26 2020 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id DA7FF4B8F8A for ; Fri, 11 Dec 2020 19:57:26 +0000 (UTC) (envelope-from jmg@gold.funkthat.com) Received: from gold.funkthat.com (gate2.funkthat.com [208.87.223.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "gate2.funkthat.com", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Ct1lp08drz4p95 for ; Fri, 11 Dec 2020 19:57:25 +0000 (UTC) (envelope-from jmg@gold.funkthat.com) Received: from gold.funkthat.com (localhost [127.0.0.1]) by gold.funkthat.com (8.15.2/8.15.2) with ESMTPS id 0BBJvD9f003970 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 11 Dec 2020 11:57:13 -0800 (PST) (envelope-from jmg@gold.funkthat.com) Received: (from jmg@localhost) by gold.funkthat.com (8.15.2/8.15.2/Submit) id 0BBJvDdc003969; Fri, 11 Dec 2020 11:57:13 -0800 (PST) (envelope-from jmg) Date: Fri, 11 Dec 2020 11:57:13 -0800 From: John-Mark Gurney To: Robert Schulze Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl Message-ID: <20201211195713.GO31099@funkthat.com> Mail-Followup-To: Robert Schulze , freebsd-security@freebsd.org References: <20201209230300.03251CA1@freefall.freebsd.org> 
<20201211064628.GM31099@funkthat.com> <72f2110e-8f1b-76ca-4dd8-2d7283b951d6@bytecamp.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <72f2110e-8f1b-76ca-4dd8-2d7283b951d6@bytecamp.net> X-Operating-System: FreeBSD 11.3-STABLE amd64 X-PGP-Fingerprint: D87A 235F FB71 1F3F 55B7 ED9B D5FF 5A51 C0AC 3D65 X-Files: The truth is out there X-URL: https://www.funkthat.com/ X-Resume: https://www.funkthat.com/~jmg/resume.html X-TipJar: bitcoin:13Qmb6AeTgQecazTWph4XasEsP7nGRbAPE X-to-the-FBI-CIA-and-NSA: HI! HOW YA DOIN? can i haz chizburger? User-Agent: Mutt/1.6.1 (2016-04-27) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.4.3 (gold.funkthat.com [127.0.0.1]); Fri, 11 Dec 2020 11:57:13 -0800 (PST) X-Rspamd-Queue-Id: 4Ct1lp08drz4p95 X-Spamd-Bar: ++ Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=none (mx1.freebsd.org: domain of jmg@gold.funkthat.com has no SPF policy when checking 208.87.223.18) smtp.mailfrom=jmg@gold.funkthat.com X-Spamd-Result: default: False [2.20 / 15.00]; RCVD_TLS_ALL(0.00)[]; ARC_NA(0.00)[]; FREEFALL_USER(0.00)[jmg]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; MID_RHS_MATCH_FROM(0.00)[]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[funkthat.com]; RBL_DBL_DONT_QUERY_IPS(0.00)[208.87.223.18:from]; AUTH_NA(1.00)[]; NEURAL_SPAM_SHORT(1.00)[0.998]; SPAMHAUS_ZRD(0.00)[208.87.223.18:from:127.0.2.255]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RCPT_COUNT_TWO(0.00)[2]; NEURAL_SPAM_LONG(1.00)[1.000]; R_SPF_NA(0.00)[no SPF record]; FORGED_SENDER(0.30)[jmg@funkthat.com,jmg@gold.funkthat.com]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; RCVD_COUNT_TWO(0.00)[2]; ASN(0.00)[asn:32354, ipnet:208.87.216.0/21, country:US]; FROM_NEQ_ENVFROM(0.00)[jmg@funkthat.com,jmg@gold.funkthat.com]; MAILMAN_DEST(0.00)[freebsd-security] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Security issues \[members-only posting\]" 
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Dec 2020 19:57:26 -0000 Robert Schulze wrote this message on Fri, Dec 11, 2020 at 10:14 +0100: > Hi, > > Am 11.12.20 um 07:46 schrieb John-Mark Gurney: > > > > Assuming 13 releases w/ OpenSSL, we'll be even in a worse situation > > than we are now. OpenSSL 3.0.0 has no support commitment announced > > yet, and sticking with 1.1.1 for 13 will put us even in a worse > > situation than we are today. > > > > What are peoples thoughts on how to address the support mismatch between > > FreeBSD and OpenSSL? And how to address it? > > > > IMO, FreeBSD does need to do something, and staying w/ OpenSSL does > > not look like a viable option. > > you may install a current OpenSSL via ports if you like to. > I don't see any OpenSSL fork to be more reliable than its predecessor > but there has been done much work in the portstree to enable the system > administrator to switch. That does not fix all the applications that are in base, like fetch, that use OpenSSL. -- John-Mark Gurney Voice: +1 415 225 5579 "All that I will do, has been done, All that I have, has not." 
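A check for the point John-Mark makes above, added here as an example and not taken from the thread or from FreeBSD: whether a given program uses the base system's libcrypto/libssl or the copy from ports. It assumes the FreeBSD layout in which base OpenSSL is installed under /lib and /usr/lib and the ports OpenSSL or LibreSSL under /usr/local/lib; the ldd(1) output it classifies when run without arguments is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not code from this thread or from FreeBSD: classify which
# libcrypto/libssl a binary is linked against, from ldd(1) output.
#
# Assumption (FreeBSD convention): the base system's OpenSSL lives under
# /lib and /usr/lib, while security/openssl or security/libressl from ports
# installs under /usr/local/lib. A base program such as fetch(1) keeps using
# the base copy no matter what DEFAULT_VERSIONS says in make.conf.

# classify_ssl_deps: read ldd-style lines on stdin and print one word:
#   base   only /lib or /usr/lib libcrypto/libssl
#   ports  only /usr/local/lib libcrypto/libssl
#   mixed  both copies in one process (a recipe for duplicate-symbol trouble)
#   none   no libcrypto/libssl dependency at all
classify_ssl_deps() {
    base=0
    ports=0
    while IFS= read -r line; do
        case "$line" in
            *libcrypto.so*|*libssl.so*) ;;
            *) continue ;;
        esac
        # ldd prints "libssl.so.111 => /usr/lib/libssl.so.111 (0x...)";
        # keep only the resolved path between "=> " and the load address.
        path=${line#*"=> "}
        path=${path%% *}
        case "$path" in
            /usr/local/lib/*) ports=1 ;;
            /lib/*|/usr/lib/*) base=1 ;;
        esac
    done
    if [ "$base" -eq 1 ] && [ "$ports" -eq 1 ]; then
        echo mixed
    elif [ "$base" -eq 1 ]; then
        echo base
    elif [ "$ports" -eq 1 ]; then
        echo ports
    else
        echo none
    fi
}

# audit_binary: run ldd(1) on a real executable and classify the result.
audit_binary() {
    ldd "$1" 2>/dev/null | classify_ssl_deps
}

# Constructed ldd output (not captured from a real host) for offline runs.
SAMPLE_BASE_FETCH='/usr/bin/fetch:
    libfetch.so.6 => /usr/lib/libfetch.so.6 (0x800280000)
    libssl.so.111 => /usr/lib/libssl.so.111 (0x8002c0000)
    libcrypto.so.111 => /lib/libcrypto.so.111 (0x800400000)
    libc.so.7 => /lib/libc.so.7 (0x800700000)'
SAMPLE_PORTS_CURL='/usr/local/bin/curl:
    libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0x800280000)
    libssl.so.111 => /usr/local/lib/libssl.so.111 (0x800300000)
    libcrypto.so.111 => /usr/local/lib/libcrypto.so.111 (0x800400000)
    libc.so.7 => /lib/libc.so.7 (0x800700000)'
SAMPLE_MIXED='/usr/local/bin/example:
    libssl.so.111 => /usr/local/lib/libssl.so.111 (0x800300000)
    libcrypto.so.111 => /lib/libcrypto.so.111 (0x800400000)
    libc.so.7 => /lib/libc.so.7 (0x800700000)'
SAMPLE_NOSSL='/bin/ls:
    libxo.so.0 => /lib/libxo.so.0 (0x800280000)
    libc.so.7 => /lib/libc.so.7 (0x800400000)'

# Usage: sh audit_ssl.sh /usr/bin/fetch /usr/local/bin/curl ...
# Without arguments it classifies the constructed samples above.
if [ $# -gt 0 ]; then
    for bin in "$@"; do
        printf '%s: %s\n' "$bin" "$(audit_binary "$bin")"
    done
else
    for s in "$SAMPLE_BASE_FETCH" "$SAMPLE_PORTS_CURL" "$SAMPLE_MIXED" "$SAMPLE_NOSSL"; do
        printf '%s: %s\n' "${s%%:*}" "$(printf '%s\n' "$s" | classify_ssl_deps)"
    done
fi
```

Run it against /usr/bin/fetch and a ports binary to see the split: the base program reports base whatever ssl= default the ports tree was built with, which is why moving ports to ports OpenSSL leaves fetch, and everything else in base, on the base library until base itself is patched. A result of mixed is worth chasing down, since two libcrypto copies in one address space is the kind of duplicate-symbol clash discussed elsewhere in this thread.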
From owner-freebsd-security@freebsd.org Fri Dec 11 20:14:30 2020 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 11BAB4B9CE3 for ; Fri, 11 Dec 2020 20:14:30 +0000 (UTC) (envelope-from kaduk@mit.edu) Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4Ct27S5zXQz4qjj for ; Fri, 11 Dec 2020 20:14:28 +0000 (UTC) (envelope-from kaduk@mit.edu) Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 0BBKDVdf005425 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 11 Dec 2020 15:14:19 -0500 Date: Fri, 11 Dec 2020 12:13:31 -0800 From: Benjamin Kaduk To: Franco Fichtner Cc: Martin Simmons , freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl Message-ID: <20201211201331.GJ64351@kduck.mit.edu> References: <202012111219.0BBCJYSf000629@higson.cam.lispworks.com> <612054DD-F857-455F-AF49-695A910A0D81@lastsummer.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <612054DD-F857-455F-AF49-695A910A0D81@lastsummer.de> X-Rspamd-Queue-Id: 4Ct27S5zXQz4qjj X-Spamd-Bar: - Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of kaduk@mit.edu designates 18.9.28.11 as permitted sender) smtp.mailfrom=kaduk@mit.edu X-Spamd-Result: default: False [-1.30 / 15.00]; RCVD_TLS_LAST(0.00)[]; RWL_MAILSPIKE_VERYGOOD(0.00)[18.9.28.11:from]; ARC_NA(0.00)[]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:18.9.28.0/24]; MIME_GOOD(-0.10)[text/plain]; 
DMARC_NA(0.00)[mit.edu]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; TO_MATCH_ENVRCPT_SOME(0.00)[]; NEURAL_HAM_SHORT(-1.00)[-0.998]; NEURAL_SPAM_LONG(1.00)[1.000]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:3, ipnet:18.9.0.0/16, country:US]; RCVD_COUNT_TWO(0.00)[2]; MAILMAN_DEST(0.00)[freebsd-security]; RECEIVED_SPAMHAUS_PBL(0.00)[24.16.140.251:received] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Dec 2020 20:14:30 -0000 Hi Franco, On Fri, Dec 11, 2020 at 01:28:43PM +0100, Franco Fichtner wrote: > > > On 11. Dec 2020, at 13:20, Martin Simmons wrote: > > > > > > I'm talking about the binary packages from pkg.FreeBSD.org. Don't they always > > use the base OpenSSL at the moment? > > Yes, and if it would be built against ports OpenSSL you can no longer build against LibreSSL locally. > > In OPNsense we do build against ports OpenSSL for upgrade ease, but we also offer a second set of packages for LibreSSL. > > For the normal FreeBSD user defaulting packages against OpenSSL from ports would be severely limiting their capability to deviate from this with one-off builds and most cannot or will not run their own poudriere batch. > > Effectively, using the second tier crypto to emulate the first tier crypto would trash the second tier for everyone else. Could you please clarify what you mean by "second tier crypto" and "first tier crypto"? I'm having a hard time understanding this statement. 
Thanks, Ben From owner-freebsd-security@freebsd.org Fri Dec 11 20:23:23 2020 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 108224BA001 for ; Fri, 11 Dec 2020 20:23:23 +0000 (UTC) (envelope-from kaduk@mit.edu) Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4Ct2Kk17zxz4rLy for ; Fri, 11 Dec 2020 20:23:21 +0000 (UTC) (envelope-from kaduk@mit.edu) Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 0BBKNF17008868 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 11 Dec 2020 15:23:20 -0500 Date: Fri, 11 Dec 2020 12:23:15 -0800 From: Benjamin Kaduk To: Andrea Venturoli Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl Message-ID: <20201211202315.GK64351@kduck.mit.edu> References: <20201209230300.03251CA1@freefall.freebsd.org> <0ccfbeb4-c4e1-53e6-81e8-112318cd9bf1@netfence.it> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <0ccfbeb4-c4e1-53e6-81e8-112318cd9bf1@netfence.it> X-Rspamd-Queue-Id: 4Ct2Kk17zxz4rLy X-Spamd-Bar: - Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of kaduk@mit.edu designates 18.9.28.11 as permitted sender) smtp.mailfrom=kaduk@mit.edu X-Spamd-Result: default: False [-1.30 / 15.00]; RCVD_TLS_LAST(0.00)[]; RWL_MAILSPIKE_VERYGOOD(0.00)[18.9.28.11:from]; ARC_NA(0.00)[]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:18.9.28.0/24]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[mit.edu]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; 
TO_MATCH_ENVRCPT_SOME(0.00)[]; NEURAL_HAM_SHORT(-1.00)[-1.000]; RCPT_COUNT_TWO(0.00)[2]; NEURAL_SPAM_LONG(1.00)[1.000]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:3, ipnet:18.9.0.0/16, country:US]; RCVD_COUNT_TWO(0.00)[2]; MAILMAN_DEST(0.00)[freebsd-security]; RECEIVED_SPAMHAUS_PBL(0.00)[24.16.140.251:received] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Dec 2020 20:23:23 -0000 On Fri, Dec 11, 2020 at 11:11:54AM +0100, Andrea Venturoli wrote: > On 12/10/20 12:03 AM, FreeBSD Security Advisories wrote: > > > Note: The OpenSSL project has published publicly available patches for > > versions included in FreeBSD 12.x. This vulnerability is also known to > > affect OpenSSL versions included in FreeBSD 11.4. However, the OpenSSL > > project is only giving patches for that version to premium support contract > > holders. The FreeBSD project does not have access to these patches and > > recommends FreeBSD 11.4 users to either upgrade to FreeBSD 12.x or leverage > > up to date versions of OpenSSL in the ports/pkg system. The FreeBSD Project > > may update this advisory to include FreeBSD 11.4 should patches become > > publicly available. > > So I'm looking for suggestion on how to handle this. > I guess I'll just upgrade some 11.4 to 12.2 and that'll be it. > > However there are a few boxes I can't or don't want to upgrade and I'm > thinking about using openssl from ports. > > > > If I'm correct, I'll need to put "DEFAULT_VERSIONS= ssl=openssl" either > in /etc/make.conf and/or in /usr/local/etc/poudriere.d/114amd64-make.conf. > > I started with the latter, but a bulk run ended up in some port failing > (and a lot being skipped) due to kerberos support: AFAICT I cannot use > base's kerberos with ports' openssl. 
Which is a better replacement: MIT > or HEIMDAL? It would be useful to give more specifics on the failures, as there's a few classes of things that can go wrong. It doesn't look like openssl from ports attempts to support the TLS ciphers with kerberos, which would rule out the "openssl tries to depend on kerberos" class of issues. I assume, then, that you're running into API conflicts where hcrypto and libcrypto present similar-named symbols, in which case MIT would be preferred. (The heimdal in base is quite old anyway, and using an external kerberos would be recommended in general if you're using it for much.) -Ben From owner-freebsd-security@freebsd.org Fri Dec 11 20:38:27 2020 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 316A44BA2F8 for ; Fri, 11 Dec 2020 20:38:27 +0000 (UTC) (envelope-from kaduk@mit.edu) Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4Ct2g5756tz4rk8 for ; Fri, 11 Dec 2020 20:38:25 +0000 (UTC) (envelope-from kaduk@mit.edu) Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 0BBKcJsr014096 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Fri, 11 Dec 2020 15:38:23 -0500 Date: Fri, 11 Dec 2020 12:38:18 -0800 From: Benjamin Kaduk To: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl Message-ID: <20201211203818.GL64351@kduck.mit.edu> References: <20201209230300.03251CA1@freefall.freebsd.org> <20201211064628.GM31099@funkthat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: 
<20201211064628.GM31099@funkthat.com> X-Rspamd-Queue-Id: 4Ct2g5756tz4rk8 X-Spamd-Bar: / Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of kaduk@mit.edu designates 18.9.28.11 as permitted sender) smtp.mailfrom=kaduk@mit.edu X-Spamd-Result: default: False [-0.33 / 15.00]; RCVD_TLS_LAST(0.00)[]; RWL_MAILSPIKE_VERYGOOD(0.00)[18.9.28.11:from]; ARC_NA(0.00)[]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:18.9.28.0/24]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; RCPT_COUNT_ONE(0.00)[1]; DMARC_NA(0.00)[mit.edu]; NEURAL_HAM_SHORT(-0.03)[-0.035]; NEURAL_SPAM_LONG(1.00)[1.000]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:3, ipnet:18.9.0.0/16, country:US]; RCVD_COUNT_TWO(0.00)[2]; MAILMAN_DEST(0.00)[freebsd-security]; RECEIVED_SPAMHAUS_PBL(0.00)[24.16.140.251:received] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Dec 2020 20:38:27 -0000 Hi John-Mark, On Thu, Dec 10, 2020 at 10:46:28PM -0800, John-Mark Gurney wrote: > FreeBSD Security Advisories wrote this message on Wed, Dec 09, 2020 at 23:03 +0000: > > versions included in FreeBSD 12.x. This vulnerability is also known to > > affect OpenSSL versions included in FreeBSD 11.4. However, the OpenSSL > > project is only giving patches for that version to premium support contract > > holders. The FreeBSD project does not have access to these patches and > > recommends FreeBSD 11.4 users to either upgrade to FreeBSD 12.x or leverage > > up to date versions of OpenSSL in the ports/pkg system. The FreeBSD Project > > may update this advisory to include FreeBSD 11.4 should patches become > > publicly available. 
> > FreeBSD needs to reevaluate the continued reliance on OpenSSL for our > crypto/TLS library. 1.0.2 which is in 11-stable has not had support > for almost a year, and 11 is going to have almost another year of > support during which time if there's another vuln, we'll again be > leaving the users in a bad place. To be blunt: didn't we try reevaluating already, and come up empty? OpenSSL's 5-year support lifetime is quite generous, in my experience, and we are suffering more of a clash of release dates than a fundamental support-lifetime mismatch. > I have not heard if OpenSSL has bothered to address the breakage of > /dev/crypto that also recently came up, but it does appear that they > are no longer a good fit for FreeBSD. I'm not sure why you leap from issues with the devcrypto engine to a broader "no longer a good fit" conclusion. The devcrypto engine is hardly a core piece of functionality, and jhb has https://github.com/openssl/openssl/pull/13468 up waiting for review. I regularly commit to openssl from my FreeBSD system, including the build+test cycle; the core functionality remains well-supported. To be honest, I didn't bother caring about devcrypto because I didn't expect it to be widely used, given that you have to have special hardware to overcome the hit of syscall context switching. > Even as it stands, FreeBSD has committed to supporting 12 for close > to a year longer than OpenSSL has for 1.1.1 meaning we will be in the > same situation we are w/ 11 in a few years. > > Assuming 13 releases w/ OpenSSL, we'll be even in a worse situation > than we are now. OpenSSL 3.0.0 has no support commitment announced > yet, and sticking with 1.1.1 for 13 will put us even in a worse > situation than we are today. OpenSSL 3.0.0 is not going to be LTS; I expect it to go EoL before 1.1.1 does. (And I expect 1.1.1 to be supported past 2023-09-11, though of course I do not speak for the project.)
I also think that 3.0.0 is not the recommended release for anyone who doesn't need the FIPS compatibility; there's been a substantial rearchitecture and will likely be growing pains as tend to accompany dot-zero releases. > What are peoples thoughts on how to address the support mismatch between > FreeBSD and OpenSSL? And how to address it? > > IMO, FreeBSD does need to do something, and staying w/ OpenSSL does > not look like a viable option. IMO OpenSSL 1.1.1 is generally in pretty good shape and much easier to maintain than 1.0.2 was. I have yet to see an alternative suitable for inclusion in the base system that would be more viable. -Ben From owner-freebsd-security@freebsd.org Fri Dec 11 21:44:15 2020 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id A60F04BB8D2 for ; Fri, 11 Dec 2020 21:44:15 +0000 (UTC) (envelope-from franco@lastsummer.de) Received: from host64.shmhost.net (host64.shmhost.net [213.239.241.64]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4Ct4726Y0jz3C9n for ; Fri, 11 Dec 2020 21:44:14 +0000 (UTC) (envelope-from franco@lastsummer.de) Received: from p200300cd8727c9fca4b593819ba8e1d5.dip0.t-ipconnect.de (p200300cd8727c9fca4b593819ba8e1d5.dip0.t-ipconnect.de [IPv6:2003:cd:8727:c9fc:a4b5:9381:9ba8:e1d5]) by host64.shmhost.net (Postfix) with ESMTPSA id 4Ct4710S3BzNsSp; Fri, 11 Dec 2020 22:44:13 +0100 (CET) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\)) Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl From: Franco Fichtner In-Reply-To: <20201211201331.GJ64351@kduck.mit.edu> Date: Fri, 11 Dec 2020 22:44:09 +0100 Cc: Martin Simmons , pi8Raiwi via
freebsd-security Content-Transfer-Encoding: 7bit Message-Id: <83CE80AC-DBBE-49DC-B469-12E004739C51@lastsummer.de> References: <202012111219.0BBCJYSf000629@higson.cam.lispworks.com> <612054DD-F857-455F-AF49-695A910A0D81@lastsummer.de> <20201211201331.GJ64351@kduck.mit.edu> To: Benjamin Kaduk X-Mailer: Apple Mail (2.3608.120.23.2.4) X-Virus-Scanned: clamav-milter 0.102.4 at host64.shmhost.net X-Virus-Status: Clean X-Rspamd-Queue-Id: 4Ct4726Y0jz3C9n X-Spamd-Bar: ++ Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=none (mx1.freebsd.org: domain of franco@lastsummer.de has no SPF policy when checking 213.239.241.64) smtp.mailfrom=franco@lastsummer.de X-Spamd-Result: default: False [2.36 / 15.00]; RCVD_TLS_ALL(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; MID_RHS_MATCH_FROM(0.00)[]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; MV_CASE(0.50)[]; NEURAL_SPAM_SHORT(0.96)[0.957]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[lastsummer.de]; ARC_NA(0.00)[]; AUTH_NA(1.00)[]; SPAMHAUS_ZRD(0.00)[213.239.241.64:from:127.0.2.255]; TO_MATCH_ENVRCPT_SOME(0.00)[]; TO_DN_ALL(0.00)[]; NEURAL_SPAM_LONG(1.00)[1.000]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; R_SPF_NA(0.00)[no SPF record]; RBL_DBL_DONT_QUERY_IPS(0.00)[213.239.241.64:from]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:24940, ipnet:213.239.192.0/18, country:DE]; RCVD_COUNT_TWO(0.00)[2]; MAILMAN_DEST(0.00)[freebsd-security] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Dec 2020 21:44:15 -0000 Hi Ben, > On 11. Dec 2020, at 9:13 PM, Benjamin Kaduk wrote: > > Could you please clarify what you mean by "second tier crypto" and "first > tier crypto"? I'm having a hard time understanding this statement. Sorry for being unclear. 
First tier = base system crypto for ports Second tier = ports/packages crypto for ports It's also true what John-Mark wrote that moving ports to ports-based crypto does not solve security updates for the dependent base system parts. pkg-base can fix this, but then that also requires to stay clear of package ABI clashes in dependent packages, which requires concerted updates of base and ports packages or at least some sort of version constraint / mismatch detection via something other than the FreeBSD version number. Cheers, Franco From owner-freebsd-security@freebsd.org Fri Dec 11 22:35:45 2020 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id AAF2F4BD2B7 for ; Fri, 11 Dec 2020 22:35:45 +0000 (UTC) (envelope-from jmg@gold.funkthat.com) Received: from gold.funkthat.com (gate2.funkthat.com [208.87.223.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "gate2.funkthat.com", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Ct5GS62pPz3Ft9 for ; Fri, 11 Dec 2020 22:35:44 +0000 (UTC) (envelope-from jmg@gold.funkthat.com) Received: from gold.funkthat.com (localhost [127.0.0.1]) by gold.funkthat.com (8.15.2/8.15.2) with ESMTPS id 0BBMZgSl008919 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 11 Dec 2020 14:35:42 -0800 (PST) (envelope-from jmg@gold.funkthat.com) Received: (from jmg@localhost) by gold.funkthat.com (8.15.2/8.15.2/Submit) id 0BBMZgPq008918; Fri, 11 Dec 2020 14:35:42 -0800 (PST) (envelope-from jmg) Date: Fri, 11 Dec 2020 14:35:42 -0800 From: John-Mark Gurney To: Benjamin Kaduk Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl Message-ID: <20201211223542.GQ31099@funkthat.com> Mail-Followup-To: Benjamin Kaduk , freebsd-security@freebsd.org References: 
 <20201209230300.03251CA1@freefall.freebsd.org> <20201211064628.GM31099@funkthat.com> <20201211203818.GL64351@kduck.mit.edu>
In-Reply-To: <20201211203818.GL64351@kduck.mit.edu>
X-Operating-System: FreeBSD 11.3-STABLE amd64
User-Agent: Mutt/1.6.1 (2016-04-27)

Benjamin Kaduk wrote this message on Fri, Dec 11, 2020 at 12:38 -0800:
> On Thu, Dec 10, 2020 at 10:46:28PM -0800, John-Mark Gurney wrote:
> > FreeBSD Security Advisories wrote this message on Wed, Dec 09, 2020 at 23:03 +0000:
> > > versions included in FreeBSD 12.x. This vulnerability is also known to
> > > affect OpenSSL versions included in FreeBSD 11.4. However, the OpenSSL
> > > project is only giving patches for that version to premium support contract
> > > holders. The FreeBSD project does not have access to these patches and
> > > recommends FreeBSD 11.4 users to either upgrade to FreeBSD 12.x or leverage
> > > up to date versions of OpenSSL in the ports/pkg system. The FreeBSD Project
> > > may update this advisory to include FreeBSD 11.4 should patches become
> > > publicly available.
> >
> > FreeBSD needs to reevaluate the continued reliance on OpenSSL for our
> > crypto/TLS library. 1.0.2 which is in 11-stable has not had support
> > for almost a year, and 11 is going to have almost another year of
> > support during which time if there's another vuln, we'll again be
> > leaving the users in a bad place.
>
> To be blunt: didn't we try reevaluating already, and come up empty?

Software does not stand still; just because in the past we didn't find
anything doesn't mean we won't find something this time.

> OpenSSL's 5-year support lifetime is quite generous, in my experience, and
> we are suffering more of a clash of release dates than a fundamental
> support-lifetime mismatch.
>
> > I have not heard if OpenSSL has bothered to address the breakage of
> > /dev/crypto that also recently came up, but it does appear that they
> > are no longer a good fit for FreeBSD.
>
> I'm not sure why you leap from issues with the devcrypto engine to a
> broader "no longer a good fit" conclusion.
> The devcrypto engine is hardly
> a core piece of functionality, and jhb has

No, but it demonstrates the amount of work that the OpenSSL devs are
putting in to supporting FreeBSD. It's one thing to say, we're not
going to support /dev/crypto anymore and stop compiling it on FreeBSD,
it's another to take known working software and intentionally break it
w/o evaluating its impact upon their "supported" platforms. OpenSSL
chose to do the latter...

> https://github.com/openssl/openssl/pull/13468 up waiting for review.

Why is FreeBSD reacting to these problems? Why didn't OpenSSL devs drop
a mail to FreeBSD -security saying, btw, we've changed X, and we know
it'll break your code, so heads up if anyone wants to fix it, please
submit patches, otherwise in a few weeks we'll disable building support
for it on FreeBSD. If they're not regularly running and testing code
on FreeBSD (or are actively working w/ a person to do such a thing), can
we really say that OpenSSL supports FreeBSD?

> I regularly commit to openssl from my FreeBSD system, including the
> build+test cycle; the core functionality remains well-supported. To be
> honest, I didn't bother caring about devcrypto because I didn't expect it
> to be widely used, given that you have to have special hardware to overcome
> the hit of syscall context switching.

Sounds like you need to get a QAT system or other accelerator board
for testing then. There is a new class of crypto accelerators that
make this a viable option again, so I dispute your definition of
devcrypto not being useful.

> > Even as it stands, FreeBSD has committed to supporting 12 for close
> > to a year longer than OpenSSL has for 1.1.1 meaning we will be in the
> > same situation we are w/ 11 in a few years.
> >
> > Assuming 13 releases w/ OpenSSL, we'll be even in a worse situation
> > than we are now. OpenSSL 3.0.0 has no support commitment announced
> > yet, and sticking with 1.1.1 for 13 will put us even in a worse
> > situation than we are today.
>
> OpenSSL 3.0.0 is not going to be LTS; I expect it to go EoL before 1.1.1
> does. (And I expect 1.1.1 to be supported past 2023-09-11, though of
> course I do not speak for the project.) I also think that 3.0.0 is not the

Until the OpenSSL project changes it, we have to operate under the
assumption that the date will not change, and make plans to deal w/
OpenSSL 1.1.1 on 13-current for years after OpenSSL stops supporting
it.

> recommended release for anyone who doesn't need the FIPS compatibility;
> there's been a substantial rearchitecture and will likely be growing pains
> as tend to accompany dot-zero releases.
>
> > What are people's thoughts on how to address the support mismatch between
> > FreeBSD and OpenSSL? And how to address it?
> >
> > IMO, FreeBSD does need to do something, and staying w/ OpenSSL does
> > not look like a viable option.
>
> IMO OpenSSL 1.1.1 is generally in pretty good shape and much easier to
> maintain than 1.0.2 was. I have yet to see an alternative suitable for
> inclusion in the base system that would be more viable.

-- 
John-Mark Gurney                              Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
From owner-freebsd-security@freebsd.org Sat Dec 12 02:42:17 2020
Date: Fri, 11 Dec 2020 18:42:13 -0800
From: Gordon Tetlow
To: Benjamin Kaduk, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
References: <20201209230300.03251CA1@freefall.freebsd.org> <20201211064628.GM31099@funkthat.com> <20201211203818.GL64351@kduck.mit.edu> <20201211223542.GQ31099@funkthat.com>
In-Reply-To: <20201211223542.GQ31099@funkthat.com>

On Fri, Dec 11, 2020 at 02:35:42PM -0800, John-Mark Gurney wrote:
> Benjamin Kaduk wrote this message on
> Fri, Dec 11, 2020 at 12:38 -0800:
> > On Thu, Dec 10, 2020 at 10:46:28PM -0800, John-Mark Gurney wrote:
> > > FreeBSD Security Advisories wrote this message on Wed, Dec 09, 2020 at 23:03 +0000:
> > > > versions included in FreeBSD 12.x. This vulnerability is also known to
> > > > affect OpenSSL versions included in FreeBSD 11.4. However, the OpenSSL
> > > > project is only giving patches for that version to premium support contract
> > > > holders. The FreeBSD project does not have access to these patches and
> > > > recommends FreeBSD 11.4 users to either upgrade to FreeBSD 12.x or leverage
> > > > up to date versions of OpenSSL in the ports/pkg system. The FreeBSD Project
> > > > may update this advisory to include FreeBSD 11.4 should patches become
> > > > publicly available.
> > >
> > > FreeBSD needs to reevaluate the continued reliance on OpenSSL for our
> > > crypto/TLS library. 1.0.2 which is in 11-stable has not had support
> > > for almost a year, and 11 is going to have almost another year of
> > > support during which time if there's another vuln, we'll again be
> > > leaving the users in a bad place.
> >
> > To be blunt: didn't we try reevaluating already, and come up empty?
>
> Software does not stand still; just because in the past we didn't find
> anything doesn't mean we won't find something this time.

I welcome a reasonable alternative to be put forward, but I'm pretty
sure there isn't one. The five year lifespan of our releases pretty much
guarantees our crypto toolkit is going to be out of support. This is the
reality we have signed up for.

LibreSSL - 1 year lifespan of stable branch.
BoringSSL - No guarantee of API/ABI stability. Actively tells people not
to use it for production use cases.

Any other viable implementations I'm missing?
Gordon

From owner-freebsd-security@freebsd.org Sat Dec 12 03:11:18 2020
Date: Sat, 12 Dec 2020 05:11:07 +0200
From: Konstantin Belousov
To: Gordon Tetlow
Cc: Benjamin Kaduk, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
References: <20201209230300.03251CA1@freefall.freebsd.org> <20201211064628.GM31099@funkthat.com> <20201211203818.GL64351@kduck.mit.edu> <20201211223542.GQ31099@funkthat.com>

On Fri, Dec 11, 2020 at 06:42:13PM -0800, Gordon Tetlow via freebsd-security wrote:
> On Fri, Dec 11, 2020 at 02:35:42PM -0800, John-Mark Gurney wrote:
> > Benjamin Kaduk wrote this message on Fri, Dec 11, 2020 at 12:38 -0800:
> > > On Thu, Dec 10, 2020 at 10:46:28PM -0800, John-Mark Gurney wrote:
> > > > FreeBSD Security Advisories wrote this message on Wed, Dec 09, 2020 at 23:03 +0000:
> > > > > versions included in FreeBSD 12.x. This vulnerability is also known to
> > > > > affect OpenSSL versions included in FreeBSD 11.4.
> > > > > However, the OpenSSL
> > > > > project is only giving patches for that version to premium support contract
> > > > > holders. The FreeBSD project does not have access to these patches and
> > > > > recommends FreeBSD 11.4 users to either upgrade to FreeBSD 12.x or leverage
> > > > > up to date versions of OpenSSL in the ports/pkg system. The FreeBSD Project
> > > > > may update this advisory to include FreeBSD 11.4 should patches become
> > > > > publicly available.
> > > >
> > > > FreeBSD needs to reevaluate the continued reliance on OpenSSL for our
> > > > crypto/TLS library. 1.0.2 which is in 11-stable has not had support
> > > > for almost a year, and 11 is going to have almost another year of
> > > > support during which time if there's another vuln, we'll again be
> > > > leaving the users in a bad place.
> > >
> > > To be blunt: didn't we try reevaluating already, and come up empty?
> >
> > Software does not stand still; just because in the past we didn't find
> > anything doesn't mean we won't find something this time.
>
> I welcome a reasonable alternative to be put forward, but I'm pretty
> sure there isn't one. The five year lifespan of our releases pretty much
> guarantees our crypto toolkit is going to be out of support. This is the
> reality we have signed up for.
>
> LibreSSL - 1 year lifespan of stable branch.
> BoringSSL - No guarantee of API/ABI stability. Actively tells people not
> to use it for production use cases.
>
> Any other viable implementations I'm missing?

I believe it was discussed, but either there are some insurmountable
issues, or it was abandoned just because.

What about making openssl private for base? Pro is that it would be
possible to update to new major release in the midst of the stable
branch, and even keep all branches on the same release. There is no ABI
or API stability to satisfy.

There is a technical argument against it, besides the amount of work required.
It is important that private openssl libs do not leak into the user namespace
and do not clash with openssl names from ports. Basically, I believe
this is what makes the issue hard and requires a lot of work.

BTW, this is something where upstream OpenSSL could help. If they started
supporting mangling all exported symbols, it would make this proposal easier
up to the trivial level.

From owner-freebsd-security@freebsd.org Sat Dec 12 03:44:20 2020
Date: Fri, 11 Dec 2020 19:44:12 -0800
From: Benjamin Kaduk
To: Konstantin Belousov
Cc: Gordon Tetlow, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
Message-ID: <20201212034412.GM64351@kduck.mit.edu>
References: <20201209230300.03251CA1@freefall.freebsd.org> <20201211064628.GM31099@funkthat.com> <20201211203818.GL64351@kduck.mit.edu> <20201211223542.GQ31099@funkthat.com>

On Sat, Dec 12, 2020 at 05:11:07AM +0200, Konstantin Belousov wrote:
> On Fri, Dec 11, 2020 at 06:42:13PM -0800, Gordon Tetlow via freebsd-security wrote:
> > On Fri, Dec 11, 2020 at 02:35:42PM -0800, John-Mark Gurney wrote:
> > > Benjamin Kaduk wrote this message on Fri, Dec 11, 2020 at 12:38 -0800:
> > > > On Thu, Dec 10, 2020 at 10:46:28PM -0800, John-Mark Gurney wrote:
> > > > > FreeBSD Security Advisories wrote this message on Wed, Dec 09, 2020 at 23:03 +0000:
> > > > > > versions included in FreeBSD 12.x. This vulnerability is also known to
> > > > > > affect OpenSSL versions included in FreeBSD 11.4. However, the OpenSSL
> > > > > > project is only giving patches for that version to premium support contract
> > > > > > holders.
> > > > > > The FreeBSD project does not have access to these patches and
> > > > > > recommends FreeBSD 11.4 users to either upgrade to FreeBSD 12.x or leverage
> > > > > > up to date versions of OpenSSL in the ports/pkg system. The FreeBSD Project
> > > > > > may update this advisory to include FreeBSD 11.4 should patches become
> > > > > > publicly available.
> > > > >
> > > > > FreeBSD needs to reevaluate the continued reliance on OpenSSL for our
> > > > > crypto/TLS library. 1.0.2 which is in 11-stable has not had support
> > > > > for almost a year, and 11 is going to have almost another year of
> > > > > support during which time if there's another vuln, we'll again be
> > > > > leaving the users in a bad place.
> > > >
> > > > To be blunt: didn't we try reevaluating already, and come up empty?
> > >
> > > Software does not stand still; just because in the past we didn't find
> > > anything doesn't mean we won't find something this time.
> >
> > I welcome a reasonable alternative to be put forward, but I'm pretty
> > sure there isn't one. The five year lifespan of our releases pretty much
> > guarantees our crypto toolkit is going to be out of support. This is the
> > reality we have signed up for.
> >
> > LibreSSL - 1 year lifespan of stable branch.
> > BoringSSL - No guarantee of API/ABI stability. Actively tells people not
> > to use it for production use cases.
> >
> > Any other viable implementations I'm missing?
> I believe it was discussed, but either there are some insurmountable
> issues, or it was abandoned just because.
>
> What about making openssl private for base? Pro is that it would be
> possible to update to new major release in the midst of the stable
> branch, and even keep all branches on the same release. There is no ABI
> or API stability to satisfy.
>
> There is a technical argument against it, besides the amount of work required.
> It
> is important that private openssl libs do not leak into the user namespace
> and do not clash with openssl names from ports. Basically, I believe
> this is what makes the issue hard and requires a lot of work.
>
> BTW, this is something where upstream OpenSSL could help. If they started
> supporting mangling all exported symbols, it would make this proposal easier
> up to the trivial level.

There's currently support for mangling the SONAME and symbol version
(https://github.com/openssl/openssl/commit/822b5e2645a99bea15329bd66c9723c7e7119cdb)
but not the actual symbols themselves. Given that the exported symbols
are already tracked in the ".num" files and there's perl to process them,
it seems like it would not be a huge amount of work to add some mangling
and emit a header with the relevant #defines ... I'm less sure of whether
it would easily get accepted, though. I think the topic has come up
previously but would have to dig a bit to find it.

-Ben

From owner-freebsd-security@freebsd.org Sat Dec 12 04:38:07 2020
Date: Fri, 11 Dec 2020 20:37:59 -0800
From: Benjamin Kaduk
To:
 freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
Message-ID: <20201212043759.GN64351@kduck.mit.edu>
References: <20201209230300.03251CA1@freefall.freebsd.org> <20201211064628.GM31099@funkthat.com> <20201211203818.GL64351@kduck.mit.edu> <20201211223542.GQ31099@funkthat.com>
In-Reply-To: <20201211223542.GQ31099@funkthat.com>

On Fri, Dec 11, 2020 at 02:35:42PM -0800, John-Mark Gurney wrote:
> Benjamin Kaduk wrote this message on Fri, Dec 11, 2020 at 12:38 -0800:
> > On Thu, Dec 10, 2020 at 10:46:28PM -0800, John-Mark Gurney wrote:
> > > FreeBSD Security Advisories wrote this message on Wed, Dec 09, 2020 at 23:03 +0000:
> > > > versions included in
> > > > FreeBSD 12.x. This vulnerability is also known to
> > > > affect OpenSSL versions included in FreeBSD 11.4. However, the OpenSSL
> > > > project is only giving patches for that version to premium support contract
> > > > holders. The FreeBSD project does not have access to these patches and
> > > > recommends FreeBSD 11.4 users to either upgrade to FreeBSD 12.x or leverage
> > > > up to date versions of OpenSSL in the ports/pkg system. The FreeBSD Project
> > > > may update this advisory to include FreeBSD 11.4 should patches become
> > > > publicly available.
> > >
> > > FreeBSD needs to reevaluate the continued reliance on OpenSSL for our
> > > crypto/TLS library. 1.0.2 which is in 11-stable has not had support
> > > for almost a year, and 11 is going to have almost another year of
> > > support during which time if there's another vuln, we'll again be
> > > leaving the users in a bad place.
> >
> > To be blunt: didn't we try reevaluating already, and come up empty?
>
> Software does not stand still; just because in the past we didn't find
> anything doesn't mean we won't find something this time.

Sure. I was just hoping that you might have some thoughts about what had
changed, since you were bringing it up again, though I don't mind asking
an open question to the list.

> > OpenSSL's 5-year support lifetime is quite generous, in my experience, and
> > we are suffering more of a clash of release dates than a fundamental
> > support-lifetime mismatch.
> >
> > > I have not heard if OpenSSL has bothered to address the breakage of
> > > /dev/crypto that also recently came up, but it does appear that they
> > > are no longer a good fit for FreeBSD.
> >
> > I'm not sure why you leap from issues with the devcrypto engine to a
> > broader "no longer a good fit" conclusion. The devcrypto engine is hardly
> > a core piece of functionality, and jhb has
>
> No, but it demonstrates the amount of work that the OpenSSL devs are
> putting in to supporting FreeBSD.
> It's one thing to say, we're not
> going to support /dev/crypto anymore and stop compiling it on FreeBSD,
> it's another to take known working software and intentionally break it
> w/o evaluating its impact upon their "supported" platforms. OpenSSL
> chose to do the latter...

With all due respect, that seems to misrepresent the facts of the
situation. If you consider the history at
https://github.com/openssl/openssl/pull/3744 it is quite clear that the
cryptodev rewrite was specifically tested on FreeBSD before it was
committed. An older version, to be sure, yet we might as well be
complaining about FreeBSD having changed the userspace/kernel interface
rather than OpenSSL having changed its interface. (I am pretty sure that
I pointed out to levitte at the time that it was an old version, but I
didn't feel a need to repeat the testing locally because FreeBSD is known
for its backward compatibility. I don't have that mail on this system,
though.)

> > https://github.com/openssl/openssl/pull/13468 up waiting for review.
>
> Why is FreeBSD reacting to these problems? Why didn't OpenSSL devs drop
> a mail to FreeBSD -security saying, btw, we've changed X, and we know
> it'll break your code, so heads up if anyone wants to fix it, please
> submit patches, otherwise in a few weeks we'll disable building support
> for it on FreeBSD. If they're not regularly running and testing code
> on FreeBSD (or are actively working w/ a person to do such a thing), can
> we really say that OpenSSL supports FreeBSD?

Um, hello? I'm an OpenSSL committer and I regularly build and test the
OpenSSL code on FreeBSD. Not the devcrypto engine, obviously, given the
rest of this thread, but the rest of it. Having recently learned that my
assumption about the devcrypto engine was misguided, I can start testing
that, too. There's also been some recent work from David Carlier to help
bring support for some of the more advanced features to FreeBSD as well.
If you want examples of upstream proactively keeping up FreeBSD support, I offer: https://github.com/openssl/openssl/pull/12887 https://github.com/openssl/openssl/pull/11797 https://github.com/openssl/openssl/pull/8509 and that's the only instances of FreeBSD-specific breakage (other than devcrypto) that I can recall. The "new" (several years old, at this point) mandatory code-review policy seems to be doing its job, and the quality of new code is generally pretty good. > > I regularly commit to openssl from my FreeBSD system, including the > > build+test cycle; the core functionality remains well-supported. To be > > honest, I didn't bother caring about devcrypto because I didn't expect it > > to be widely used, given that you have to have special hardware to overcome > > the hit of syscall context switching. > > Sounds like you need to get a QAT system or other accelerator board > for testing then. There are a new class of crypto accelerators that > make this a viable option again, so I dispute your definition of > devcrypto not being useful. I said that I "didn't expect", past tense. I now know otherwise. And I don't actually need proper accelleration to test the accelleration support; just to know that it is worth doing. (Note that ENGINE itself is deprecated in 3.0.) > > > Even as it stands, FreeBSD has committed to supporting 12 for close > > > to a year longer than OpenSSL has for 1.1.1 meaning we will be in the > > > same situation we are w/ 11 in a few years. > > > > > > Assuming 13 releases w/ OpenSSL, we'll be even in a worse situation > > > than we are now. OpenSSL 3.0.0 has no support commitment announced > > > yet, and sticking with 1.1.1 for 13 will put us even in a worse > > > situation than we are today. > > > > OpenSSL 3.0.0 is not going to be LTS; I expect it to go EoL before 1.1.1 > > does. (And I expect 1.1.1 to be supported past 2023-09-11, though of > > course I do not speak for the project.) 
I also think that 3.0.0 is not the > > Until the OpenSSL project changes it, we have to operate under the > assumption that the date will not change, and make plans to deal w/ > OpenSSL 1.1.1 on 13-current for years after OpenSSL stops supporting > it. Yes. I assert, as someone who (co-)maintains both the public OpenSSL and a corporate derivative, that being on our own with OpenSSL 1.1.1 is much easier than being on our own with, say, BoringSSL would be. There is risk, to be sure, and the suggestion downthread to make it a private library may well be wise, but I don't see it as catastrophic risk. -Ben > > recommended relase for anyone who doesn't need the FIPS compatibility; > > there's been a substantial rearchitecture and will likely be growing pains > > as tend to accompany dot-zero releases. > > > > > What are peoples thoughts on how to address the support mismatch between > > > FreeBSD and OpenSSL? And how to address it? > > > > > > IMO, FreeBSD does need to do something, and staying w/ OpenSSL does > > > not look like a viable option. > > > > IMO OpenSSL 1.1.1 is generally in pretty good shape and much easier to > > maintain than 1.0.2 was. I have yet to see an alternative suitable for > > inclusion in the base system that would be more viable. > > -- > John-Mark Gurney Voice: +1 415 225 5579 > > "All that I will do, has been done, All that I have, has not." 
From owner-freebsd-security@freebsd.org Fri Dec 11 12:36:29 2020
From: Tomasz CEDRO
Date: Fri, 11 Dec 2020 13:36:13 +0100
To: Franco Fichtner
Cc: Martin Simmons, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
In-Reply-To: <2AF24633-7E9F-4B92-8E99-6A81CD9D3AF8@lastsummer.de>
References: <20201209230300.03251CA1@freefall.freebsd.org> <20201211064628.GM31099@funkthat.com> <202012111138.0BBBc2Eq006002@higson.cam.lispworks.com> <2AF24633-7E9F-4B92-8E99-6A81CD9D3AF8@lastsummer.de>

On Fri, Dec 11, 2020 at 12:44 PM Franco Fichtner wrote:
> > On 11. Dec 2020, at 12:38 PM, Martin Simmons wrote:
> >>>>>> On Thu, 10 Dec 2020 22:46:28 -0800, John-Mark Gurney said:
> >> What are people's thoughts on how to address the support mismatch between
> >> FreeBSD and OpenSSL? And how to address it?
> > Maybe it would help a little if the packages on pkg.FreeBSD.org all used the
> > pkg version of OpenSSL? Currently, it looks like you have to build your own
> > ports if you want that.
>
> This pretty much breaks LibreSSL ports usage for binary package consumers.

Why not switch to LibreSSL as default? :-)

--
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info

From owner-freebsd-security@freebsd.org Fri Dec 11 13:04:00 2020
From: Tomasz CEDRO
Date: Fri, 11 Dec 2020 14:03:45 +0100
To: Franco Fichtner
Cc: Martin Simmons, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
In-Reply-To: <6E2E0169-F2E8-4562-85BA-42FC28B07F35@lastsummer.de>
References: <20201209230300.03251CA1@freefall.freebsd.org> <20201211064628.GM31099@funkthat.com> <202012111138.0BBBc2Eq006002@higson.cam.lispworks.com> <2AF24633-7E9F-4B92-8E99-6A81CD9D3AF8@lastsummer.de> <6E2E0169-F2E8-4562-85BA-42FC28B07F35@lastsummer.de>

On Fri, Dec 11, 2020 at 1:57 PM Franco Fichtner wrote:
> > On 11. Dec 2020, at 1:36 PM, Tomasz CEDRO wrote:
> > On Fri, Dec 11, 2020 at 12:44 PM Franco Fichtner wrote:
> >>> On 11. Dec 2020, at 12:38 PM, Martin Simmons wrote:
> >>>>>>>> On Thu, 10 Dec 2020 22:46:28 -0800, John-Mark Gurney said:
> >>>> What are people's thoughts on how to address the support mismatch between
> >>>> FreeBSD and OpenSSL? And how to address it?
> >>> Maybe it would help a little if the packages on pkg.FreeBSD.org all used the
> >>> pkg version of OpenSSL? Currently, it looks like you have to build your own
> >>> ports if you want that.
> >> This pretty much breaks LibreSSL ports usage for binary package consumers.
> > Why not switch to LibreSSL as default? :-)
>
> Good question.
>
> LibreSSL lacks engine and PSK support. TLS 1.3 was trailing behind. Missing
> CMS also was a large issue for those who needed it. Someone with more
> in-depth knowledge can probably name more.
>
> The other issue with LibreSSL in general is that third party support is mostly
> ok, but some high profile cases have had issues with it for years: HAProxy,
> OpenVPN, StrongSwan just to name a few. Having ports contributors and committers
> chase these unthankful quests is probably not worth the overall effort.
>
> It works pretty well as a ports crypto replacement, but for the reasons listed
> above it is probably not going to happen on a default scale.
>
> Also, LibreSSL in base was a failed experiment in HardenedBSD. Its release cycle
> and support policy is tailored neatly around OpenBSD releases and the attempt
> to break ABI compatibility in packages while you retrofit a new version into
> a minor release can fail pretty spectacularly.
>
> I'm not being skeptical. I helped improve overall LibreSSL support in the ports
> tree since 2015. The LibreSSL team is doing a great job all things considered.
>
> This is simply the current reality of keeping LibreSSL in ports a steady
> alternative.

Thank you Franco! Too many reasons why not to.. looks like no good
alternative.. at least for now :-)

--
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info

From owner-freebsd-security@freebsd.org Fri Dec 11 16:14:16 2020
From: John Kennedy
Date: Fri, 11 Dec 2020 08:12:51 -0800
To: "Hartmann, O."
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject: Re: AMNESIA:33 and FreeBSD TCP/IP stack involvement
In-Reply-To: <20201209065849.47a51561@hermann.fritz.box>
References: <20201209065849.47a51561@hermann.fritz.box>

On Wed, Dec 09, 2020 at 06:58:49AM +0100, Hartmann, O. wrote:
> Hello,
> I've got a question about recently discovered serious vulnerabilities
> in certain TCP stack implementations, designated as AMNESIA:33 (as far
> as I could follow the recently made announcements and statements,
> please see, for instance,
> https://www.zdnet.com/article/amnesia33-vulnerabilities-impact-millions-of-smart-and-industrial-devices/).
>
> All mentioned open-source TCP stacks seem not to be related in any way
> with FreeBSD or any derivative of the FreeBSD project, but I do not
> dare to make a statement about that.
>
> My question is very simple and aims towards calming down my employees'
> requests: is FreeBSD potentially vulnerable to this newly discovered
> flaw (we use mainly 12.1-RELENG, 12.2-RELENG, 12-STABLE and 13-CURRENT,
> latest incarnations, of course, should be least vulnerable ...).

Look at it this way: If it is/was, what are you going to do about it?

[Please don't take this as a personal attack. I get the same kind of
questions you are by my bosses and auditors, who live in their own little
world where they think there is a guarantee for everything and the only
real-world cost is an appropriately asked question.]

If you've got an upgrade policy that rolls out patches when FreeBSD
publishes them (or tracking -STABLE or -CURRENT in such a way that they're
going to be incorporated with some parity with the security and errata
notifications) and you're keeping your packages up to date, you're doing
pretty good. If there is a problem, you'll roll out the fixes when they're
available. You may not even know they're in there yet.

If you've got a menagerie of FreeBSD-based IoT-style devices that aren't
getting regular updates and this bug has shown you the tip of the iceberg
to all the other potential problems, then you probably have issues.

Now an attack against the kernel TCP/IP stack is universally bad (possibly
bypassing any firewall, probably not requiring authentication, probably
gaining kernel privileges, etc), but plenty of other problems are a subset
of just as bad. Assuming that the Amnesia:33 report was responsibly
disclosed, if FreeBSD was affected we'd probably have fixes out
(pre-publication).

On 12/8, you just got a patch released for FreeBSD-SA-20:33.openssl, and
that is burned into a lot of OS pieces. Have you pushed those changes out
yet? Two paragraphs up, I basically asked a policy question. This
paragraph, I'm basically asking you an implementation question: You had a
policy, did it work? Did anything get missed? Can someone audit that?

-CURRENT and -STABLE tend to get patches (and, potentially, problems)
before -RELENG does, but sometimes that's a natural process of the patches
discovering the problems that need to be put into -RELENG. It's always nice
to see a bug report for -RELENG and then track down the revision and find
out you've been patched for a while now. On the other hand, -STABLE gets
daily patches and you probably wouldn't want to have production patch
cycles with that kind of frequency.

[Personally, I tend to update -STABLE/-CURRENT when I see a "Security:"
tag with a CVE reference, semi-weekly, or when I see something that looks
alarming or interesting, and -RELENG when it gets a patch.]
From owner-freebsd-security@freebsd.org Sat Dec 12 10:21:27 2020
From: Andrea Venturoli
Date: Sat, 12 Dec 2020 11:21:14 +0100
To: Benjamin Kaduk
Cc: freebsd-security@freebsd.org
Subject: Kerberos: base or port? [Was: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl]
Message-ID: <08c18c5e-d0fe-16c2-dd17-af5162fd8716@netfence.it>
In-Reply-To: <20201211202315.GK64351@kduck.mit.edu>
References: <20201209230300.03251CA1@freefall.freebsd.org> <0ccfbeb4-c4e1-53e6-81e8-112318cd9bf1@netfence.it> <20201211202315.GK64351@kduck.mit.edu>

On 12/11/20 9:23 PM, Benjamin Kaduk wrote:

> It would be useful to give more specifics on the failures, as there's a few
> classes of things that can go wrong.

I thought this would be OT in this thread, but I'll gladly comply :)

> It doesn't look like openssl from
> ports attempts to support the TLS ciphers with kerberos, which would rule
> out the "openssl tries to depend on kerberos" class of issues.

Not sure I understand (too much ignorance on my part).

> I assume,
> then, that you're running into API conflicts where hcrypto and libcrypto
> present similar-named symbols

Actually, I didn't get that far: /usr/ports/Mk/Uses/gssapi.ml just
forbids compilation if using OpenSSL from ports and GSSAPI from base:

> IGNORE= You are using OpenSSL from ports and have selected GSSAPI from base, please select another GSSAPI value

Now that I know there are patches for 11.4, I hope I'm not going to need
OpenSSL from ports, so this is losing interest for me.

> (The heimdal in base is quite old anyway, and using an external kerberos
> would be recommended in general if you're using it for much.)

This is an interesting statement.
I barely know what Kerberos is: granted, I know what it was designed for
and what it provides, but for me it's more or less just a dependency of
Samba and related software.

My use cases are:
_ Samba AD DC;
_ Samba AD member file server;
_ various ways of authenticating against Samba (winbindd, pam_ldap,
nss_ldap, saslauthd, etc...);
_ kerberizing NFSv4 has been in my todo list for a while (but with too
low priority for now :)

In spite of everything working, should I abandon Heimdal from base? For
Heimdal from ports?
(Consider Samba is using its own bundled Heimdal, so this would be for
pam_ldap, nss_ldap, saslauthd, ....).

bye & Thanks
av.
From owner-freebsd-security@freebsd.org Sat Dec 12 13:13:17 2020
From: The Doctor
Date: Sat, 12 Dec 2020 06:14:16 -0700
To: Tomasz CEDRO
Cc: Franco Fichtner, Martin Simmons, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
References: <20201209230300.03251CA1@freefall.freebsd.org> <20201211064628.GM31099@funkthat.com> <202012111138.0BBBc2Eq006002@higson.cam.lispworks.com> <2AF24633-7E9F-4B92-8E99-6A81CD9D3AF8@lastsummer.de>

On Fri, Dec 11, 2020 at 01:36:13PM +0100, Tomasz CEDRO wrote:
> On Fri, Dec 11, 2020 at 12:44 PM Franco Fichtner wrote:
> > > On 11. Dec 2020, at 12:38 PM, Martin Simmons wrote:
> > >>>>>> On Thu, 10 Dec 2020 22:46:28 -0800, John-Mark Gurney said:
> > >> What are people's thoughts on how to address the support mismatch between
> > >> FreeBSD and OpenSSL? And how to address it?
> > > Maybe it would help a little if the packages on pkg.FreeBSD.org all used the
> > > pkg version of OpenSSL? Currently, it looks like you have to build your own
> > > ports if you want that.
> >
> > This pretty much breaks LibreSSL ports usage for binary package consumers.
>
> Why not switch to LibreSSL as default? :-)
>

Is LibreSSL TLSv1.3 compliant?

> --
> CeDeROM, SQ7MHZ, http://www.tomek.cedro.info

--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country! Never Satan President Republic! Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism https://www.empire.kred/ROOTNK?t=94a1f39b
Merry Christmas 2020 and Happy New Year 2021 !
From owner-freebsd-security@freebsd.org Sat Dec 12 18:18:30 2020
From: Benjamin Kaduk
Date: Sat, 12 Dec 2020 10:18:21 -0800
To: Andrea Venturoli
Cc: freebsd-security@freebsd.org
Subject: Re: Kerberos: base or port? [Was: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl]
Message-ID: <20201212181821.GO64351@kduck.mit.edu>
In-Reply-To: <08c18c5e-d0fe-16c2-dd17-af5162fd8716@netfence.it>
References: <20201209230300.03251CA1@freefall.freebsd.org> <0ccfbeb4-c4e1-53e6-81e8-112318cd9bf1@netfence.it> <20201211202315.GK64351@kduck.mit.edu> <08c18c5e-d0fe-16c2-dd17-af5162fd8716@netfence.it>

On Sat, Dec 12, 2020 at 11:21:14AM +0100, Andrea Venturoli wrote:
> On 12/11/20 9:23 PM, Benjamin Kaduk wrote:
>
> > It would be useful to give more specifics on the failures, as there's a few
> > classes of things that can go wrong.
> I thought this would be OT in this thread, but I'll gladly comply :)
>
> > It doesn't look like openssl from
> > ports attempts to support the TLS ciphers with kerberos, which would rule
> > out the "openssl tries to depend on kerberos" class of issues.
>
> Not sure I understand (too much ignorance on my part).
>
> > I assume,
> > then, that you're running into API conflicts where hcrypto and libcrypto
> > present similar-named symbols
>
> Actually, I didn't get that far: /usr/ports/Mk/Uses/gssapi.mk just
> forbids compilation if using OpenSSL from ports and GSSAPI from base:
>
> IGNORE= You are using OpenSSL from ports and have selected GSSAPI from base, please select another GSSAPI value

Ah, of course -- that's an easy one:

[bjk@kduck ~]$ ldd /usr/lib/libgssapi_krb5.so
/usr/lib/libgssapi_krb5.so:
	libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x800693000)
	libkrb5.so.11 => /usr/lib/libkrb5.so.11 (0x8006a0000)
	libcrypto.so.111 => /lib/libcrypto.so.111 (0x801000000)
	libroken.so.11 => /usr/lib/libroken.so.11 (0x800722000)
	libasn1.so.11 => /usr/lib/libasn1.so.11 (0x800738000)
	libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x8007de000)
	libc.so.7 => /lib/libc.so.7 (0x800247000)
	libcrypt.so.5 => /lib/libcrypt.so.5 (0x8012f4000)
	libhx509.so.11 => /usr/lib/libhx509.so.11 (0x801315000)
	libwind.so.11 => /usr/lib/libwind.so.11 (0x801366000)
	libheimbase.so.11 => /usr/lib/libheimbase.so.11 (0x8007e3000)
	libprivateheimipcc.so.11 => /usr/lib/libprivateheimipcc.so.11 (0x8007ea000)
	libthr.so.3 => /lib/libthr.so.3 (0x801391000)

(Note the dependency on libcrypto.)

Having two different instances of libcrypto in the same address space is
generally asking for trouble (though it is possible to do safely, with
sufficient care to detail). Having the ports collection just forbid that
outright seems like the right choice to me -- I had just forgotten that
heimdal even had the option to use openssl libcrypto instead of its own
libhcrypto.
> Now that I know there are patches for 11.4, I hope I'm not going to need
> OpenSSL from ports, so this is losing interest for me.

Understood. Thanks for following up anyway!

> > (The heimdal in base is quite old anyway, and using an external kerberos
> > would be recommended in general if you're using it for much.)
>
> This is an interesting statement.
> I barely know what Kerberos is: granted, I know what it was designed for
> and what it provides, but for me it's more or less just a dependency of
> Samba and related software.
>
> My use cases are:
> _ Samba AD DC;
> _ Samba AD member file server;
> _ various ways of authenticating against Samba (winbindd, pam_ldap,
> nss_ldap, saslauthd, etc...);
> _ kerberizing NFSv4 has been in my todo list for a while (but with too
> low priority for now :)
>
> In spite of everything working, should I abandon Heimdal from base? For
> Heimdal from ports?
> (Consider Samba is using its own bundled Heimdal, so this would be for
> pam_ldap, nss_ldap, saslauthd, ....).

None of those quite seem like they qualify as being complicated uses, so
there is probably not much immediate benefit from switching, for you.
I was thinking more of issues like
https://github.com/pythongssapi/python-gssapi/issues/228 relating to use
of "advanced features" that have only been added/specified comparatively
recently. Sorry to have been a little too sensationalist, there.
-Ben

From owner-freebsd-security@freebsd.org Sat Dec 12 19:40:15 2020
Date: Sat, 12 Dec 2020 11:40:13 -0800
From: John Baldwin <jhb@FreeBSD.org>
To: John-Mark Gurney
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
Message-ID: <813a04a4-e07a-9608-40a5-cc8e339351eb@FreeBSD.org>
References: <20201209230300.03251CA1@freefall.freebsd.org>
    <20201211064628.GM31099@funkthat.com>
In-Reply-To: <20201211064628.GM31099@funkthat.com>

On 12/10/20 10:46 PM, John-Mark Gurney wrote:
> FreeBSD Security Advisories wrote this message on Wed, Dec 09, 2020 at 23:03 +0000:
>> versions included in FreeBSD 12.x. This vulnerability is also known to
>> affect OpenSSL versions included in FreeBSD 11.4.
>> However, the OpenSSL
>> project is only giving patches for that version to premium support contract
>> holders. The FreeBSD project does not have access to these patches and
>> recommends FreeBSD 11.4 users to either upgrade to FreeBSD 12.x or leverage
>> up to date versions of OpenSSL in the ports/pkg system. The FreeBSD Project
>> may update this advisory to include FreeBSD 11.4 should patches become
>> publicly available.
>
> FreeBSD needs to reevaluate the continued reliance on OpenSSL for our
> crypto/TLS library. 1.0.2 which is in 11-stable has not had support
> for almost a year, and 11 is going to have almost another year of
> support during which time if there's another vuln, we'll again be
> leaving the users in a bad place.
>
> I have not heard if OpenSSL has bothered to address the breakage of
> /dev/crypto that also recently came up, but it does appear that they
> are no longer a good fit for FreeBSD.

I think I can't disagree more. In terms of /dev/crypto, see here:

https://github.com/openssl/openssl/pull/13468

Also, OpenSSL has been perfectly fine to work with in terms of
upstreaming KTLS. kaduk@ is an OpenSSL committer and has been
helpful with helping me find reviewers for patches when needed
as well.

In terms of OpenSSL vs other SSL libraries, I'll defer to this:

https://latacora.micro.blog/2018/04/03/cryptographic-right-answers.html

> Even as it stands, FreeBSD has committed to supporting 12 for close
> to a year longer than OpenSSL has for 1.1.1 meaning we will be in the
> same situation we are w/ 11 in a few years.
>
> Assuming 13 releases w/ OpenSSL, we'll be even in a worse situation
> than we are now. OpenSSL 3.0.0 has no support commitment announced
> yet, and sticking with 1.1.1 for 13 will put us even in a worse
> situation than we are today.
>
> What are people's thoughts on how to address the support mismatch between
> FreeBSD and OpenSSL? And how to address it?

I do think the support mismatch questions are still real, and I'm not
sure what the best answer is. My guess is that the delay of
3.0.0 (which I had hoped would ship in 13.0) will mean that 1.1.1's
lifetime will get extended, but probably not enough to cover 13.x
for 5 years. One option may be that we provide a compat openssl for
13.x that is 1.1.1 for things built on the head of the branch but
actually import OpenSSL 3.0.0 into stable/13 at some point. You could
do this with a shlib major version bump. It won't solve all problems
if some shared library linked against 1.1.1 returns some object
allocated by libssl that the application tries to use directly (and
the application is linked against 3.0.0), but I'm not sure how common
that situation will be in practice. OpenSSL isn't libc where you have
issues with malloc/free crossing this sort of boundary.

-- 
John Baldwin

From owner-freebsd-security@freebsd.org Sat Dec 12 22:25:11 2020
Date: Sat, 12 Dec 2020 15:26:54 -0700
From: The Doctor <doctor@doctor.nl2k.ab.ca>
To: John Baldwin
Cc: John-Mark Gurney, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
References:
    <20201209230300.03251CA1@freefall.freebsd.org>
    <20201211064628.GM31099@funkthat.com>
    <813a04a4-e07a-9608-40a5-cc8e339351eb@FreeBSD.org>
In-Reply-To: <813a04a4-e07a-9608-40a5-cc8e339351eb@FreeBSD.org>

On Sat, Dec 12, 2020 at 11:40:13AM -0800, John Baldwin wrote:
> On 12/10/20 10:46 PM, John-Mark Gurney wrote:
> > FreeBSD Security Advisories wrote this message on Wed, Dec 09, 2020 at 23:03 +0000:
> >> versions included in FreeBSD 12.x. This vulnerability is also known to
> >> affect OpenSSL versions included in FreeBSD 11.4. However, the OpenSSL
> >> project is only giving patches for that version to premium support contract
> >> holders. The FreeBSD project does not have access to these patches and
> >> recommends FreeBSD 11.4 users to either upgrade to FreeBSD 12.x or leverage
> >> up to date versions of OpenSSL in the ports/pkg system. The FreeBSD Project
> >> may update this advisory to include FreeBSD 11.4 should patches become
> >> publicly available.
> >
> > FreeBSD needs to reevaluate the continued reliance on OpenSSL for our
> > crypto/TLS library. 1.0.2 which is in 11-stable has not had support
> > for almost a year, and 11 is going to have almost another year of
> > support during which time if there's another vuln, we'll again be
> > leaving the users in a bad place.
> >
> > I have not heard if OpenSSL has bothered to address the breakage of
> > /dev/crypto that also recently came up, but it does appear that they
> > are no longer a good fit for FreeBSD.
>
> I think I can't disagree more. In terms of /dev/crypto, see here:
>
> https://github.com/openssl/openssl/pull/13468
>
> Also, OpenSSL has been perfectly fine to work with in terms of
> upstreaming KTLS. kaduk@ is an OpenSSL committer and has been
> helpful with helping me find reviewers for patches when needed
> as well.
>
> In terms of OpenSSL vs other SSL libraries, I'll defer to this:
>
> https://latacora.micro.blog/2018/04/03/cryptographic-right-answers.html
>
> > Even as it stands, FreeBSD has committed to supporting 12 for close
> > to a year longer than OpenSSL has for 1.1.1 meaning we will be in the
> > same situation we are w/ 11 in a few years.
> >
> > Assuming 13 releases w/ OpenSSL, we'll be even in a worse situation
> > than we are now. OpenSSL 3.0.0 has no support commitment announced
> > yet, and sticking with 1.1.1 for 13 will put us even in a worse
> > situation than we are today.
> >
> > What are people's thoughts on how to address the support mismatch between
> > FreeBSD and OpenSSL? And how to address it?
>
> I do think the support mismatch questions are still real, and I'm not
> sure what the best answer is. My guess is that the delay of
> 3.0.0 (which I had hoped would ship in 13.0) will mean that 1.1.1's
> lifetime will get extended, but probably not enough to cover 13.x
> for 5 years. One option may be that we provide a compat openssl for
> 13.x that is 1.1.1 for things built on the head of the branch but
> actually import OpenSSL 3.0.0 into stable/13 at some point. You could
> do this with a shlib major version bump. It won't solve all problems
> if some shared library linked against 1.1.1 returns some object
> allocated by libssl that the application tries to use directly (and
> the application is linked against 3.0.0), but I'm not sure how common
> that situation will be in practice. OpenSSL isn't libc where you have
> issues with malloc/free crossing this sort of boundary.
>

Openssl 3 is still in Alpha and unless a few apps change to accommodate,
it should be delayed until the developers get their act together.

> -- 
> John Baldwin

-- 
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country! Never Satan President Republic! Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism https://www.empire.kred/ROOTNK?t=94a1f39b
Merry Christmas 2020 and Happy New Year 2021 !
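The ldd output Benjamin Kaduk shows earlier in this thread makes the "two libcrypto copies in one address space" risk visible only if you look for it, so here is an added check that scans ldd-style output and counts the distinct libcrypto objects a binary would map; it is example code written for this page, not anything from the thread or from FreeBSD, and the two ldd listings inside it are constructed samples (the base /lib/libcrypto.so.111 next to a ports /usr/local/lib/libcrypto.so.11 layout is assumed). The same check would flag the 1.1.1-plus-3.0.0 mix that John Baldwin's compat-library idea for 13.x could produce.

```shell
#!/bin/sh
# Added example, not code from the thread: detect a dynamic linkage that
# would map more than one copy of libcrypto (base and ports, or two
# OpenSSL major versions behind a shlib version bump).

# Read ldd output on stdin and print the number of distinct resolved
# libcrypto paths. ldd lines look like:
#   libcrypto.so.111 => /lib/libcrypto.so.111 (0x801000000)
# Unresolved "=> not found" entries are ignored.
count_distinct_libcrypto() {
    awk '
        $1 ~ /^libcrypto\.so/ && $2 == "=>" && $3 != "not" { seen[$3] = 1 }
        END { n = 0; for (p in seen) n++; print n }
    '
}

# Read ldd output on stdin; exit 0 if at most one libcrypto is mapped,
# exit 1 if the linkage mixes two or more copies.
check_single_libcrypto() {
    [ "$(count_distinct_libcrypto)" -le 1 ]
}

# Constructed sample 1: a base-system library chain with a single libcrypto.
SINGLE_LDD='/usr/lib/libgssapi_krb5.so:
    libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x800693000)
    libkrb5.so.11 => /usr/lib/libkrb5.so.11 (0x8006a0000)
    libcrypto.so.111 => /lib/libcrypto.so.111 (0x801000000)
    libc.so.7 => /lib/libc.so.7 (0x800247000)'

# Constructed sample 2: a port-built program linked against ports OpenSSL
# whose base GSSAPI dependency drags in the base libcrypto as well.
MIXED_LDD='/usr/local/bin/example:
    libssl.so.11 => /usr/local/lib/libssl.so.11 (0x801f00000)
    libcrypto.so.11 => /usr/local/lib/libcrypto.so.11 (0x802000000)
    libgssapi_krb5.so.10 => /usr/lib/libgssapi_krb5.so.10 (0x800693000)
    libcrypto.so.111 => /lib/libcrypto.so.111 (0x801000000)
    libc.so.7 => /lib/libc.so.7 (0x800247000)'

# Print a verdict for one sample ($1: label, $2: ldd output text).
report() {
    if printf '%s\n' "$2" | check_single_libcrypto; then
        echo "$1: one libcrypto mapped, OK"
    else
        echo "$1: WARNING, more than one libcrypto would be mapped"
    fi
}

# On a live system the input would be: ldd /path/to/binary | check_single_libcrypto
report SINGLE_LDD "$SINGLE_LDD"
report MIXED_LDD "$MIXED_LDD"
```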