From owner-freebsd-security@freebsd.org Sun Dec 13 00:57:11 2020
From: John-Mark Gurney
To: John Baldwin
Cc: freebsd-security@freebsd.org
Date: Sat, 12 Dec 2020 16:57:08 -0800
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
Message-ID: <20201213005708.GU31099@funkthat.com>
In-Reply-To: <813a04a4-e07a-9608-40a5-cc8e339351eb@FreeBSD.org>

John Baldwin wrote this message on Sat, Dec 12, 2020 at 11:40 -0800:
> On 12/10/20 10:46 PM, John-Mark Gurney wrote:
> > FreeBSD Security Advisories wrote this message on Wed, Dec 09, 2020 at 23:03 +0000:
> >> versions included in FreeBSD 12.x. This vulnerability is also known to
> >> affect OpenSSL versions included in FreeBSD 11.4. However, the OpenSSL
> >> project is only giving patches for that version to premium support contract
> >> holders. The FreeBSD project does not have access to these patches and
> >> recommends FreeBSD 11.4 users to either upgrade to FreeBSD 12.x or leverage
> >> up to date versions of OpenSSL in the ports/pkg system. The FreeBSD Project
> >> may update this advisory to include FreeBSD 11.4 should patches become
> >> publicly available.
> >
> > FreeBSD needs to reevaluate the continued reliance on OpenSSL for our
> > crypto/TLS library. 1.0.2 which is in 11-stable has not had support
> > for almost a year, and 11 is going to have almost another year of
> > support during which time if there's another vuln, we'll again be
> > leaving the users in a bad place.
> >
> > I have not heard if OpenSSL has bothered to address the breakage of
> > /dev/crypto that also recently came up, but it does appear that they
> > are no longer a good fit for FreeBSD.
>
> I think I can't disagree more. In terms of /dev/crypto, see here:
>
> https://github.com/openssl/openssl/pull/13468

I went back to the original PR that rewrote /dev/crypto:
https://github.com/openssl/openssl/pull/3744

The PR was submitted in June 2017, and they tested on FreeBSD 8.4-R, which
had support end in June 2015. Even back in 2017, it was easy enough w/ VMs
and cloud compute to spin up a modern, supported FreeBSD box.

Yes, it's good that it's now getting fixed, 3 years after it was broken.

If FreeBSD is going to continue to use OpenSSL, better testing needs to be
done to figure out such breakage earlier, and how to not have it go
undetected for so long.

> Also, OpenSSL has been perfectly fine to work with in terms of
> upstreaming KTLS. kaduk@ is an OpenSSL committer and has been
> helpful with helping me find reviewers for patches when needed
> as well.
>
> In terms of OpenSSL vs other SSL libraries, I'll defer to this:
>
> https://latacora.micro.blog/2018/04/03/cryptographic-right-answers.html

I'll note that this article is more for a developer than the maintainer of
an OS. When FreeBSD has 5 year support cycles, things are slightly
different; otherwise I agree that the article is good advice (from my brief
reading/looking over).

> > Even as it stands, FreeBSD has committed to supporting 12 for close
> > to a year longer than OpenSSL has for 1.1.1 meaning we will be in the
> > same situation we are w/ 11 in a few years.
> >
> > Assuming 13 releases w/ OpenSSL, we'll be even in a worse situation
> > than we are now. OpenSSL 3.0.0 has no support commitment announced
> > yet, and sticking with 1.1.1 for 13 will put us even in a worse
> > situation than we are today.
> >
> > What are people's thoughts on how to address the support mismatch between
> > FreeBSD and OpenSSL? And how to address it?
>
> I do think the support mismatch questions are still real, and I'm not
> sure what the best answer is. My guess is that the delay of
> 3.0.0 (which I had hoped would ship in 13.0) will mean that 1.1.1's
> lifetime will get extended, but probably not enough to cover 13.x
> for 5 years. One option may be that we provide a compat openssl for
> 13.x that is 1.1.1 for things built on the head of the branch but
> actually import OpenSSL 3.0.0 into stable/13 at some point. You could
> do this with a shlib major version bump. It won't solve all problems
> if some shared library linked against 1.1.1 returns some object
> allocated by libssl that the application tries to use directly (and
> the application is linked against 3.0.0), but I'm not sure how common
> that situation will be in practice. OpenSSL isn't libc where you have
> issues with malloc/free crossing this sort of boundary.

In the case of mixed 1.1.1 and 3.0.0, that should just be disallowed.

Though importing 3.0.0 doesn't solve the issue if 1.1.1 has a security
problem... Because the security problem in 1.1.1 will still need to be
addressed to deal w/ all the applications that are linked against it..

--
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
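The failure mode John Baldwin describes above (a compat OpenSSL 1.1.1 alongside an imported 3.0.0, with one process ending up linked against both), and which the reply says should simply be disallowed, is something an administrator can check for on a per-binary basis. Benjamin Kaduk makes the same point later in the thread when he says that two libcrypto instances in one address space is asking for trouble. The script below is an added example written for this page, not code from any participant or from the FreeBSD or OpenSSL projects. It reads ldd(1)-style output and reports when more than one libcrypto soname would be mapped into the process. The program name, plugin library, paths and soname numbers in the embedded sample are constructed for illustration; the only assumption about real systems is the usual ldd line shape, `libname => path (address)`.

```shell
#!/bin/sh
# Added example (not from the thread): flag a binary whose load-time
# dependencies pull in more than one libcrypto soname, which is the mixed
# 1.1.1/3.0.0 situation the thread says should be disallowed.

# Constructed sample of ldd(1)-style output for a hypothetical program that
# links libcrypto.so.111 directly and also pulls in a plugin built against a
# different libcrypto. Names, paths and soname numbers are illustrative only.
SAMPLE_LDD='/usr/local/bin/hypothetical-app:
    libssl.so.111 => /usr/lib/libssl.so.111 (0x800240000)
    libcrypto.so.111 => /usr/lib/libcrypto.so.111 (0x800300000)
    libplugin.so.1 => /usr/local/lib/libplugin.so.1 (0x800600000)
    libcrypto.so.30 => /usr/local/lib/libcrypto.so.30 (0x800700000)
    libc.so.7 => /lib/libc.so.7 (0x800a00000)'

# Read ldd output on stdin and print each distinct libcrypto soname once.
distinct_libcrypto() {
    sed -n 's/^[[:space:]]*\(libcrypto\.so[^[:space:]]*\)[[:space:]]*=>.*/\1/p' | sort -u
}

# Read ldd output on stdin; succeed (exit 0) only when more than one
# libcrypto soname would be mapped into the same process.
libcrypto_is_mixed() {
    n=$(distinct_libcrypto | grep -c . || true)
    [ "$n" -gt 1 ]
}

# Wrapper for a real binary: returns 1 and prints MIXED when two copies of
# libcrypto would be loaded, otherwise prints ok.
check_binary() {
    if ldd "$1" 2>/dev/null | libcrypto_is_mixed; then
        echo "MIXED: $1 maps more than one libcrypto"
        return 1
    fi
    echo "ok: $1"
}

# Demonstration on the constructed sample (expected: mixed).
if printf '%s\n' "$SAMPLE_LDD" | libcrypto_is_mixed; then
    echo "sample: mixed libcrypto detected"
else
    echo "sample: single libcrypto"
fi
```

Run `check_binary /path/to/program` for each binary of interest, or `ldd prog | distinct_libcrypto` to see which sonames are involved. ldd only lists load-time dependencies, so a clean result is necessary rather than sufficient: modules loaded with dlopen(3), such as OpenSSL engines or providers, do not appear, and for a running process the mapped libraries (procstat -v on FreeBSD) are the authoritative answer.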
From owner-freebsd-security@freebsd.org Sun Dec 13 02:07:39 2020
From: Benjamin Kaduk
To: freebsd-security@freebsd.org
Date: Sat, 12 Dec 2020 18:07:27 -0800
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
Message-ID: <20201213020727.GP64351@kduck.mit.edu>
In-Reply-To: <20201213005708.GU31099@funkthat.com>

On Sat, Dec 12, 2020 at 04:57:08PM -0800, John-Mark Gurney wrote:
>
> If FreeBSD is going to continue to use OpenSSL, better testing needs to
> be done to figure out such breakage earlier, and how to not have it
> go undetected for so long.

I don't think anyone would argue against increasing test coverage.
The most important question seems to be how to know what should be
getting tested but isn't. Do you have any ideas for where to start
looking?

Thanks,

Ben

From owner-freebsd-security@freebsd.org Sun Dec 13 09:37:16 2020
From: Andrea Venturoli
To: Benjamin Kaduk
Cc: freebsd-security@freebsd.org
Date: Sun, 13 Dec 2020 10:37:09 +0100
Subject: Re: Kerberos: base or port? [Was: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl]
Message-ID: <3ddff964-73f1-ed41-777c-a4c785414fd9@netfence.it>
In-Reply-To: <20201212181821.GO64351@kduck.mit.edu>

On 12/12/20 7:18 PM, Benjamin Kaduk wrote:
> Having two different instances of libcrypto in the same address space is
> generally asking for trouble

Of course.
That's why I was always wary about switching to a newer/shinier OpenSSL
from ports (without eradicating the old one from base).
You are right, "with sufficient care to detail" it will work, but it's
going to be a lot of testing.

> Understood. Thanks for following up anyway!

You are welcome! Really!

> None of those quite seem like they qualify as being complicated uses, so
> there is probably not much immediate benefit from switching, for you.

Thanks a lot for clarifying.

> Sorry to have been a little too sensationalist, there.

Well, you being "sorry" means me being safe and safe is better than sorry :)

bye
av.

From owner-freebsd-security@freebsd.org Sun Dec 13 12:12:17 2020
From: John Long
To: freebsd-security@freebsd.org
Date: Sun, 13 Dec 2020 12:12:08 +0000
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
Message-ID: <20201213121208.54f8a8ed@inbox.lv>
In-Reply-To: <20201213020727.GP64351@kduck.mit.edu>

Hi Guys,

What about adopting OpenBSD's libressl? I was expecting it to take a
long time to be compatible but from my uneducated point of view it
looks like they did an incredible job. I think everything on OpenBSD
uses it.

I was running OpenBSD until I put FreeBSD 12.2 on a new box, so I
haven't been looking at it for a year or so.

Does anybody know if this is a viable option? Can we just link against
libressl or is it (much) more involved than that?

/jl

On Sat, 12 Dec 2020 18:07:27 -0800
Benjamin Kaduk wrote:

> On Sat, Dec 12, 2020 at 04:57:08PM -0800, John-Mark Gurney wrote:
> >
> > If FreeBSD is going to continue to use OpenSSL, better testing
> > needs to be done to figure out such breakage earlier, and how to
> > not have it go undetected for so long.
>
> I don't think anyone would argue against increasing test coverage.
> The most important question seems to be how to know what should be
> getting tested but isn't. Do you have any ideas for where to start
> looking?
>
> Thanks,
>
> Ben

From owner-freebsd-security@freebsd.org Sun Dec 13 22:16:22 2020
From: Gordon Tetlow
To: John Long
Cc: freebsd-security@freebsd.org
Date: Sun, 13 Dec 2020 14:16:18 -0800
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
In-Reply-To: <20201213121208.54f8a8ed@inbox.lv>

On Sun, Dec 13, 2020 at 12:12:08PM +0000, John Long via freebsd-security wrote:
> Hi Guys,
>
> What about adopting OpenBSD's libressl? I was expecting it to take a
> long time to be compatible but from my uneducated point of view it
> looks like they did an incredible job. I think everything on OpenBSD
> uses it.
>
> I was running OpenBSD until I put FreeBSD 12.2 on a new box, so I
> haven't been looking at it for a year or so.
>
> Does anybody know if this is a viable option? Can we just link against
> libressl or is it (much) more involved than that?

As was mentioned elsewhere, LibreSSL isn't a great fit due to their very
limited support lifespan of a given release. Once a stable release is
made, that branch is only given 1 year of support. This doesn't mesh well
with FreeBSD's 5 year support lifespan of a given branch.

Gordon

From owner-freebsd-security@freebsd.org Mon Dec 14 06:54:19 2020
From: John-Mark Gurney
To: Benjamin Kaduk
Cc: freebsd-security@freebsd.org
Date: Sun, 13 Dec 2020 22:54:08 -0800
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
Message-ID: <20201214065408.GV31099@funkthat.com>
In-Reply-To: <20201213020727.GP64351@kduck.mit.edu>

Benjamin Kaduk wrote this message on Sat, Dec 12, 2020 at 18:07 -0800:
> On Sat, Dec 12, 2020 at 04:57:08PM -0800, John-Mark Gurney wrote:
> >
> > If FreeBSD is going to continue to use OpenSSL, better testing needs to
> > be done to figure out such breakage earlier, and how to not have it
> > go undetected for so long.
>
> I don't think anyone would argue against increasing test coverage.
> The most important question seems to be how to know what should be getting
> tested but isn't. Do you have any ideas for where to start looking?

Is there a CI pipeline set up for OpenSSL testing on -current and the
stable branches? If so, where are the results posted?

Is the existing test suite being run? Why was the engine test not being
run? Has that now been fixed?

--
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."

From owner-freebsd-security@freebsd.org Mon Dec 14 16:34:49 2020
From: Ed Maste
To: freebsd-security@freebsd.org
Date: Mon, 14 Dec 2020 11:34:32 -0500
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
In-Reply-To: <20201209230300.03251CA1@freefall.freebsd.org>

On Wed, 9 Dec 2020 at 18:03, FreeBSD Security Advisories wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> =============================================================================
> FreeBSD-SA-20:33.openssl                                    Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          OpenSSL NULL pointer de-reference
>
> Category:       contrib
> Module:         openssl
> Announced:      2020-12-08
> Affects:        All supported versions of FreeBSD.
> Corrected:      2020-12-08 18:28:49 UTC (stable/12, 12.2-STABLE)
>                 2020-12-08 19:10:40 UTC (releng/12.2, 12.2-RELEASE-p2)
>                 2020-12-08 19:10:40 UTC (releng/12.1, 12.1-RELEASE-p12)
> CVE Name:       CVE-2020-1971
>
> Note: The OpenSSL project has published publicly available patches for
> versions included in FreeBSD 12.x. This vulnerability is also known to
> affect OpenSSL versions included in FreeBSD 11.4.

The fix has been backported by jkim@ to stable/11 in r368530:
https://svnweb.freebsd.org/base?view=revision&revision=368530

It can be applied to a releng/11.4 Subversion checkout by executing (at
the top of the checked-out tree):

$ svn merge -c 368530 ^/stable/11 .

I expect an updated advisory, including the 11.4 patch, to be released
soon.
From owner-freebsd-security@freebsd.org Mon Dec 14 16:47:05 2020
From: Ed Maste
Date: Mon, 14 Dec 2020 11:46:52 -0500
To: Wall, Stephen
Cc: Bob Bishop, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl

On Thu, 10 Dec 2020 at 10:43, Wall, Stephen wrote:
>
> > A query: am I right that the patch doesn’t bump the OpenSSL version to 1.1.1.i ?
>
> That is correct.

Further to that, OpenSSL 1.1.1i includes some additional, minor changes
beyond the vulnerability fix. 1.1.1i is now in HEAD (as of r368472) and
has been merged to stable/12.

From owner-freebsd-security@freebsd.org Mon Dec 14 17:02:11 2020
From: Ed Maste
Date: Mon, 14 Dec 2020 12:01:56 -0500
To: Wall, Stephen
Cc: Bob Bishop, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl

On Mon, 14 Dec 2020 at 11:46, Ed Maste wrote:
>
> On Thu, 10 Dec 2020 at 10:43, Wall, Stephen wrote:
> >
> > > A query: am I right that the patch doesn’t bump the OpenSSL version to 1.1.1.i ?
> >
> > That is correct.
>
> Further to that, OpenSSL 1.1.1i includes some additional, minor
> changes beyond the vulnerability fix. 1.1.1i is now in HEAD (as of
> r368472) and has been merged to stable/12.

Oops, I got ahead of myself - it has not yet been merged to stable/12.

From owner-freebsd-security@freebsd.org Mon Dec 14 19:22:57 2020
From: Jung-uk Kim
Organization: FreeBSD.org
Date: Mon, 14 Dec 2020 14:22:56 -0500
To: Ed Maste, Wall, Stephen
Cc: Bob Bishop, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
Message-ID: <9febc23e-2db0-add2-f31b-1356909331dd@FreeBSD.org>
On 20. 12. 14., Ed Maste wrote:
> On Mon, 14 Dec 2020 at 11:46, Ed Maste wrote:
>>
>> On Thu, 10 Dec 2020 at 10:43, Wall, Stephen wrote:
>>>
>>>> A query: am I right that the patch doesn’t bump the OpenSSL version to 1.1.1.i ?
>>>
>>> That is correct.
>>
>> Further to that, OpenSSL 1.1.1i includes some additional, minor
>> changes beyond the vulnerability fix. 1.1.1i is now in HEAD (as of
>> r368472) and has been merged to stable/12.
>
> Oops, I got ahead of myself - it has not yet been merged to stable/12.

Now it's done (r368639). Sorry for the delay. I wasn't sure about
mergeinfo because of svn-to-git transition.
Jung-uk Kim

From owner-freebsd-security@freebsd.org Mon Dec 14 19:44:28 2020
From: John Baldwin
Date: Mon, 14 Dec 2020 11:44:27 -0800
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
Message-ID: <63bb8800-e756-9b9b-0ec3-8f91097b6738@FreeBSD.org>
In-Reply-To: <20201213005708.GU31099@funkthat.com>

On 12/12/20 4:57 PM, John-Mark Gurney wrote:
> John Baldwin wrote this message on Sat, Dec 12, 2020 at 11:40 -0800:
>> On 12/10/20 10:46 PM, John-Mark Gurney wrote:
>>> I have not heard if OpenSSL has bothered to address the breakage of
>>> /dev/crypto that also recently came up, but it does appear that they
>>> are no longer a good fit for FreeBSD.
>>
>> I think I can't disagree more.  In terms of /dev/crypto, see here:
>>
>> https://github.com/openssl/openssl/pull/13468
>
> I went back to the original PR that rewrote /dev/crypto:
> https://github.com/openssl/openssl/pull/3744
>
> The PR was submitted in June 2017, and they tested on FreeBSD 8.4-R,
> which had support end in June 2015.  Even back in 2017, it was easy
> enough w/ VMs and cloud compute to spin up a modern, supported
> FreeBSD box.
>
> Yes, it's good that it's now getting fixed, 3 years after it was broken.
>
> If FreeBSD is going to continue to use OpenSSL, better testing needs to
> be done to figure out such breakage earlier, and how to not have it
> go undetected for so long.

At some point the onus is also on FreeBSD to keep things working as well.
In practice, our kernel crypto interface is pretty crappy (hopefully less
crappy in 13, but there is still room for improvement).  Also, when I have
tested it with actual offload hardware, it doesn't really compete with
native AES instructions on the CPU running in userland.  KTLS does help
because you can use sendfile, but /dev/crypto is not a win in my testing.
I had to make additional changes to teach the engine in 1.0.2 to use
AES-GCM with the extensions needed for TLS as well as wire the user
buffers to avoid copies, and with that I got a hardware co-processor to
break even with AES-NI in userland in terms of both throughput and CPU
usage for HTTPS.  sendfile-enabled KTLS, OTOH, is able to achieve
significantly higher throughput.

>> Also, OpenSSL has been perfectly fine to work with in terms of
>> upstreaming KTLS.  kaduk@ is an OpenSSL committer and has been
>> helpful with helping me find reviewers for patches when needed
>> as well.
>>
>> In terms of OpenSSL vs other SSL libraries, I'll defer to this:
>>
>> https://latacora.micro.blog/2018/04/03/cryptographic-right-answers.html
>
> I'll note that this article is more for a developer than the maintainer
> of an OS.  When FreeBSD has 5 year support cycles, things are slightly
> different, otherwise I agree that the article is good advice (from my
> brief reading/looking over).

While it's true it is tailored for a developer, I think it is still
relevant in its discussion of alternative SSL library implementations.
I agree with Gordon's assessment that there aren't really other viable
alternatives.

>>> Even as it stands, FreeBSD has committed to supporting 12 for close
>>> to a year longer than OpenSSL has for 1.1.1 meaning we will be in the
>>> same situation we are w/ 11 in a few years.
>>>
>>> Assuming 13 releases w/ OpenSSL, we'll be even in a worse situation
>>> than we are now.  OpenSSL 3.0.0 has no support commitment announced
>>> yet, and sticking with 1.1.1 for 13 will put us even in a worse
>>> situation than we are today.
>>>
>>> What are people's thoughts on how to address the support mismatch
>>> between FreeBSD and OpenSSL?  And how to address it?
>>
>> I do think the support mismatch questions are still real, and I'm not
>> sure what the best answer is.  My guess is that the delay of
>> 3.0.0 (which I had hoped would ship in 13.0) will mean that 1.1.1's
>> lifetime will get extended, but probably not enough to cover 13.x
>> for 5 years.  One option may be that we provide a compat openssl for
>> 13.x that is 1.1.1 for things built on the head of the branch but
>> actually import OpenSSL 3.0.0 into stable/13 at some point.  You could
>> do this with a shlib major version bump.  It won't solve all problems
>> if some shared library linked against 1.1.1 returns some object
>> allocated by libssl that the application tries to use directly (and
>> the application is linked against 3.0.0), but I'm not sure how common
>> that situation will be in practice.  OpenSSL isn't libc where you have
>> issues with malloc/free crossing this sort of boundary.
>
> In the case of mixed 1.1.1 and 3.0.0, that should just be disallowed.
>
> Though importing 3.0.0 doesn't solve the issue if 1.1.1 has a security
> problem...  Because the security problem in 1.1.1 will still need to be
> addressed to deal w/ all the applications that are linked against it..

If we import 3.0.0 into, say, 13.2, then when 13.0/13.1 are EOLd we are
no longer having to maintain 1.1.1 in 13.  If people want to keep older
applications built on unsupported releases still working without
recompiling, etc. they will have to manage that themselves.  Currently we
don't support 12.0 on the 12.x branch for example.

-- 
John Baldwin
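Added example, not code from the thread or from the FreeBSD project: the mixed-major case discussed in the message above (a shared library linked against 1.1.1 loaded into a process whose executable is linked against 3.0.0) can be caught from a binary's link map before it has to be "disallowed" at run time. The sh functions below read ldd(1)-style output and report whether exactly one OpenSSL shared-library major is present. They assume the soname majors libssl.so.111/libcrypto.so.111 for OpenSSL 1.1.1 and libssl.so.3/libcrypto.so.3 for OpenSSL 3.0; the two link maps for a hypothetical /usr/local/bin/app are constructed inline.

```sh
#!/bin/sh
# Added example, not code from the thread or from the FreeBSD project:
# flag an executable whose link map mixes two OpenSSL shared-library
# majors, the mixed 1.1.1/3.0 case the thread says should be disallowed.
# Assumed sonames: libssl.so.111/libcrypto.so.111 for OpenSSL 1.1.1 and
# libssl.so.3/libcrypto.so.3 for OpenSSL 3.0.

# openssl_majors: read ldd(1)-style output on stdin and print each
# distinct libssl/libcrypto shared-library major, one per line.
openssl_majors() {
    awk '/^[ \t]*lib(ssl|crypto)\.so\.[0-9]+/ {
            n = $1
            sub(/^.*\.so\./, "", n)    # keep what follows ".so."
            sub(/[^0-9].*$/, "", n)    # drop anything after the digits
            print n
        }' | sort -u
}

# openssl_major_list MAP: the majors in MAP as one comma-separated string
# ("" when no OpenSSL library is linked at all).
openssl_major_list() {
    printf '%s\n' "$1" | openssl_majors | tr '\n' ',' | sed 's/,$//'
}

# check_link_map MAP: report on the ldd(1) text MAP.
# Exit status: 0 for exactly one major, 2 for a mixed map, 1 for none.
check_link_map() {
    list=$(openssl_major_list "$1")
    case "$list" in
        "")  echo "no OpenSSL library linked";    return 1 ;;
        *,*) echo "MIXED OpenSSL majors: $list";  return 2 ;;
        *)   echo "single OpenSSL major: $list";  return 0 ;;
    esac
}

# Constructed ldd(1) output for a hypothetical /usr/local/bin/app: the
# first links only the base-system 1.1.1, the second also pulls 3.0 in
# through a plugin library.
CLEAN_MAP='/usr/local/bin/app:
    libssl.so.111 => /usr/lib/libssl.so.111 (0x800250000)
    libcrypto.so.111 => /usr/lib/libcrypto.so.111 (0x800300000)
    libc.so.7 => /lib/libc.so.7 (0x800600000)'

MIXED_MAP='/usr/local/bin/app:
    libplugin.so.1 => /usr/local/lib/libplugin.so.1 (0x800250000)
    libssl.so.3 => /usr/local/lib/libssl.so.3 (0x800300000)
    libcrypto.so.3 => /usr/local/lib/libcrypto.so.3 (0x800400000)
    libssl.so.111 => /usr/lib/libssl.so.111 (0x800700000)
    libcrypto.so.111 => /usr/lib/libcrypto.so.111 (0x800800000)
    libc.so.7 => /lib/libc.so.7 (0x800a00000)'

# Demo run; on a live system use: ldd /path/to/binary | openssl_majors
for map in "$CLEAN_MAP" "$MIXED_MAP"; do
    check_link_map "$map" || :    # status is in $?; keep the demo going
done
```

On a live host `ldd /usr/local/bin/app | openssl_majors` lists the majors directly, and exit status 2 from check_link_map is the condition a packaging or ports check would refuse. ldd only resolves DT_NEEDED dependencies, so a plugin that is dlopen(3)ed at run time needs the same check applied to the plugin itself.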
From owner-freebsd-security@freebsd.org Mon Dec 14 20:53:19 2020
From: Wall, Stephen
Date: Mon, 14 Dec 2020 20:53:16 +0000
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
In-Reply-To: <63bb8800-e756-9b9b-0ec3-8f91097b6738@FreeBSD.org>

As a party with a vested interest in FIPS, you can guess where I stand on
replacing OpenSSL with some other crypto engine in FreeBSD.  ;)
We are currently building FreeBSD 11.4 against a copy of the latest OpenSSL
1.0.2 release by diverting the build to a separate part of our source tree
in secure/lib/Makefile.  This has been working quite well for us.  We'll
see what happens with our ongoing 12.2 upgrade.

Not really the point of this email though.  Regarding /dev/crypto:
> Also, when I have tested it with actual offload hardware, it doesn't
> really compete with native AES instructions on the CPU running in
> userland.

Here you're really comparing two hardware accelerators, one with extra
kernel overhead, so it's not really fair.
Have you compared RSA or EC signing and verifying between libcrypto and
/dev/crypto?  This would give you a better idea of /dev/crypto performance
improvement.  (I'll say that /dev/crypto is not really of interest to me
professionally, because FIPS)

> KTLS does help because you can use sendfile, but
> /dev/crypto is not a win in my testing.  I had to make additional
> changes to teach the engine in 1.0.2 to use AES-GCM with the
> extensions needed for TLS as well as wire the user buffers to avoid
> copies, and with that I got a hardware co-processor to break even
> with AES-NI in userland in terms of both throughput and CPU usage
> for HTTPS.  sendfile-enabled KTLS, OTOH, is able to achieve
> significantly higher throughput.

I don't know anything about KTLS - is that using OpenSSL for its crypto?
If so, can it load a FIPS canister/provider?  If not, then FIPS may be an
issue for us (and other commercial users of FreeBSD), I hope it's
something we can disable...  Is there some documentation about this
someone can point me to?

- Steve Wall

From owner-freebsd-security@freebsd.org Mon Dec 14 22:18:42 2020
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl [REVISED]
Reply-To: freebsd-security@freebsd.org
<20201214221842.198D6697B@freefall.freebsd.org>
Date: Mon, 14 Dec 2020 22:18:42 +0000 (UTC)

=============================================================================
FreeBSD-SA-20:33.openssl                                      Security Advisory
The FreeBSD Project

Topic:          OpenSSL NULL pointer de-reference

Category:       contrib
Module:         openssl
Announced:      2020-12-08
Affects:        All supported versions of FreeBSD.
Corrected:      2020-12-08 18:28:49 UTC (stable/12, 12.2-STABLE)
                2020-12-08 19:10:40 UTC (releng/12.2, 12.2-RELEASE-p2)
                2020-12-08 19:10:40 UTC (releng/12.1, 12.1-RELEASE-p12)
                2020-12-10 23:43:29 UTC (stable/11, 11.4-STABLE)
                2020-12-14 21:20:55 UTC (releng/11.4, 11.4-RELEASE-p6)
CVE Name:       CVE-2020-1971

Note: The OpenSSL project has published publicly available patches for versions included in FreeBSD 12.x. FreeBSD 11.x includes an older OpenSSL version, and patches for that version from the OpenSSL project are only available to premium support contract holders. This advisory includes an independently-developed backport of the patch for FreeBSD 11.4.

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit .

0.   Revision History

v1.0  2020-12-08  Initial release.
v1.1  2020-12-14  Added FreeBSD 11.4 patch.

I.   Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured Open Source toolkit for the Transport Layer Security (TLS) protocol. It is also a general-purpose cryptography library.

II.  Problem Description

The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME.

III. Impact

An attacker who is able to control both items being compared can trigger a NULL pointer dereference, and the resulting crash may lead to a denial of service. As an example, if an attacker can trick a client or server into checking a maliciously constructed certificate against a malicious CRL, that check could trigger the NULL dereference.

IV.  Workaround

No workaround is available.

V.
Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

[FreeBSD 12.2, FreeBSD 12.1]
# fetch https://security.FreeBSD.org/patches/SA-20:33/openssl.patch
# fetch https://security.FreeBSD.org/patches/SA-20:33/openssl.patch.asc
# gpg --verify openssl.patch.asc

[FreeBSD 11.4]
# fetch https://security.FreeBSD.org/patches/SA-20:33/openssl.11.patch
# fetch https://security.FreeBSD.org/patches/SA-20:33/openssl.11.patch.asc
# gpg --verify openssl.11.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as described in .

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.
Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r368459
releng/12.2/                                                      r368463
releng/12.1/                                                      r368463
stable/11/                                                        r368530
releng/11.4/                                                      r368643
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From owner-freebsd-security@freebsd.org Tue Dec 15 00:37:27 2020
Date: Tue, 15 Dec 2020 02:37:12 +0200
From: Konstantin Belousov
To: John Baldwin
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
In-Reply-To: <63bb8800-e756-9b9b-0ec3-8f91097b6738@FreeBSD.org>
On Mon, Dec 14, 2020 at 11:44:27AM -0800, John Baldwin wrote:
> If we import 3.0.0 into, say, 13.2, then when 13.0/13.1 are EOLd we are
> no longer having to maintain 1.1.1 in 13.  If people want to keep older
> applications built on unsupported releases still working without
> recompiling, etc. they will have to manage that themselves.  Currently
> we don't support 12.0 on the 12.x branch for example.

What do you mean by 'not supported'? Don't we put large efforts into keeping ABI backward compatible to allow to run _any_ binary built early? The only exception I can think of is that we allow ABI mistakes on HEAD to be fixed in non-backward compatible way.

But for 12.0-built binaries, we offer full support. In fact it is the easiest case, if comparing e.g. with binaries built against older branches.

It is possible to bump dso version on stable branch, which I believe was already done several times. In this case, we provided compatXx- for stable/X branch, which contained shared objects with previous versions.
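Added example for the GENERAL_NAME_cmp defect described in FreeBSD-SA-20:33 earlier in this thread. This is not OpenSSL's or FreeBSD's code, and the advisory states only that the comparison misbehaves when both names are EDIPartyNames; the model below shows one way a comparison of that shape reaches a NULL pointer dereference (an OPTIONAL field dereferenced without a check) next to a hardened form that treats absence as a comparable value. The type and field names (DString, EdiPartyName, GeneralName, GN_*) are simplified assumptions, and the sample names are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model, an assumption for this illustration rather than OpenSSL's
 * types: a DirectoryString, an EDIPartyName whose nameAssigner is OPTIONAL in
 * the ASN.1 schema, and a GeneralName tagged union holding one of two members. */
typedef struct { const char *str; } DString;

typedef struct {
    DString *nameAssigner;   /* OPTIONAL: NULL when absent from the encoding */
    DString *partyName;      /* required by the schema, still checked below */
} EdiPartyName;

enum { GN_DNS = 0, GN_EDIPARTY = 1 };

typedef struct {
    int type;
    union {
        const char *dNSName;
        EdiPartyName *ediPartyName;
    } d;
} GeneralName;

/* strcmp convention: 0 when equal, non-zero otherwise. Both arguments must be non-NULL. */
int dstring_cmp(const DString *a, const DString *b)
{
    return strcmp(a->str, b->str);
}

/* The defect class: the OPTIONAL nameAssigner is dereferenced on both sides
 * without a NULL check, so two names that both omit it crash the comparison.
 * Kept only for contrast with the hardened version; nothing below calls it. */
int edipartyname_cmp_unchecked(const EdiPartyName *a, const EdiPartyName *b)
{
    int r = dstring_cmp(a->nameAssigner, b->nameAssigner); /* NULL deref when absent */
    if (r != 0)
        return r;
    return dstring_cmp(a->partyName, b->partyName);
}

/* Hardened building block: absence is a value. Two absent fields compare
 * equal, one absent field compares unequal, and nothing is dereferenced
 * before it has been checked. */
int optional_dstring_cmp(const DString *a, const DString *b)
{
    if (a == NULL || b == NULL)
        return (a == b) ? 0 : -1;
    return dstring_cmp(a, b);
}

int edipartyname_cmp(const EdiPartyName *a, const EdiPartyName *b)
{
    int r;
    if (a == NULL || b == NULL)
        return (a == b) ? 0 : -1;
    r = optional_dstring_cmp(a->nameAssigner, b->nameAssigner);
    if (r != 0)
        return r;
    return optional_dstring_cmp(a->partyName, b->partyName);
}

/* Dispatch on the union tag: different tags are unequal, and the EDIPartyName
 * member is compared by its own routine rather than being read through
 * another member of the union. */
int general_name_cmp(const GeneralName *a, const GeneralName *b)
{
    if (a->type != b->type)
        return -1;
    switch (a->type) {
    case GN_DNS:
        return strcmp(a->d.dNSName, b->d.dNSName);
    case GN_EDIPARTY:
        return edipartyname_cmp(a->d.ediPartyName, b->d.ediPartyName);
    default:
        return -1;
    }
}

/* Constructed sample names (not real certificate data). Returns 0 when every
 * case behaves as expected; the first check is the "both sides omit
 * nameAssigner" input that the unchecked comparison cannot survive. */
int demo_edipartyname_compare(void)
{
    DString party = { "Example Party" };
    DString assigner = { "Example Assigner" };
    EdiPartyName bare1 = { NULL, &party };
    EdiPartyName bare2 = { NULL, &party };
    EdiPartyName assigned = { &assigner, &party };
    GeneralName g1 = { GN_EDIPARTY, { .ediPartyName = &bare1 } };
    GeneralName g2 = { GN_EDIPARTY, { .ediPartyName = &bare2 } };
    GeneralName g3 = { GN_EDIPARTY, { .ediPartyName = &assigned } };
    GeneralName dns = { GN_DNS, { .dNSName = "example.org" } };

    if (general_name_cmp(&g1, &g2) != 0) return 1;  /* both absent: equal */
    if (general_name_cmp(&g1, &g3) == 0) return 2;  /* one absent: unequal */
    if (general_name_cmp(&g3, &g3) != 0) return 3;  /* same assigner: equal */
    if (general_name_cmp(&g1, &dns) == 0) return 4; /* tag mismatch: unequal */
    return 0;
}
```

The two points worth carrying into real code are that every OPTIONAL element of an ASN.1 structure needs an explicit NULL policy in any comparison or hashing routine, and that each member of a tagged union must be compared through its own type rather than through a neighbouring member's layout.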
From owner-freebsd-security@freebsd.org Tue Dec 15 01:02:10 2020
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
To: Konstantin Belousov
Cc: freebsd-security@freebsd.org
From: John Baldwin
Date: Mon, 14 Dec 2020 17:02:08 -0800

On 12/14/20 4:37 PM, Konstantin Belousov wrote:
> On Mon, Dec 14, 2020 at 11:44:27AM -0800, John Baldwin wrote:
>> If we import 3.0.0 into, say, 13.2, then when 13.0/13.1 are EOLd we are
>> no longer having to maintain 1.1.1 in 13.
>> If people want to keep older
>> applications built on unsupported releases still working without
>> recompiling, etc. they will have to manage that themselves.  Currently
>> we don't support 12.0 on the 12.x branch for example.
> What do you mean by 'not supported'?  Don't we put large efforts into
> keeping ABI backward compatible to allow to run _any_ binary built early?
> The only exception I can think of is that we allow ABI mistakes on HEAD
> to be fixed in non-backward compatible way.
>
> But for 12.0-built binaries, we offer full support.  In fact it is the easiest
> case, if comparing e.g. with binaries built against older branches.
>
> It is possible to bump dso version on stable branch, which I believe was
> already done several times.  In this case, we provided compatXx-
> for stable/X branch, which contained shared objects with previous versions.

So to be clear, my suggestion was precisely to bump the shared library and ship the 1.1.1 libraries in misc/compat13 packages, and while yes, binaries would still work (so be supported in that sense), they would not be supported in the sense of getting SA backports for bugs in the old libssl they are linked against.

The case that sucks is if, due to library dependencies, a process pulls in both libssl.so.X versions in the same binary. We could use symbol versioning to at least ensure a given DSO always gets the symbols it linked against, but it wouldn't solve the problem of a library returning a SSL * handle to another DSO that is linked against the other version. I do think though that sort of cross-threading is perhaps rarer with libssl than it would be with, say, libc where the malloc/free cross-threading is very common and breaks horribly.
--
John Baldwin

From owner-freebsd-security@freebsd.org Mon Dec 14 14:42:23 2020
From: Dag-Erling Smørgrav
To: Mark Johnston
Cc: "Wall, Stephen", FreeBSD Security Advisories, "freebsd-security@freebsd.org"
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:32.rtsold
In-Reply-To: (Mark Johnston's message of "Thu, 10 Dec 2020 09:51:19 -0500")
References: <20201201204625.8DE8D19E9C@freefall.freebsd.org>
Date: Mon, 14 Dec 2020 15:42:20 +0100
Message-ID: <86r1ns8n5f.fsf@next.des.no>
Mark Johnston writes:
> The message has to come from a host on the same layer 2 broadcast domain
> as the recipient. Routers don't forward neighbour solicitation messages
> but a hub will.

s/hub/switch/

DES
--
Dag-Erling Smørgrav - des@FreeBSD.org

From owner-freebsd-security@freebsd.org Thu Dec 17 18:20:58 2020
Date: Thu, 17 Dec 2020 19:20:29 +0100
From: "Hartmann, O."
To: freebsd-security@freebsd.org
Cc: John-Mark Gurney, freebsd-current@freebsd.org, John Kennedy
Subject: Re: AMNESIA:33 and FreeBSD TCP/IP stack involvement
Message-ID: <20201217192029.56f3d262@hermann.fritz.box>
In-Reply-To: <20201210200250.GJ31099@funkthat.com>
References: <20201209065849.47a51561@hermann.fritz.box> <20201210200250.GJ31099@funkthat.com>
Organization: walstatt.org
> Hartmann, O. wrote this message on Wed, Dec 09, 2020 at 06:58 +0100:
> > I've got a question about recently discovered serious
> > vulnerabilities in certain TCP stack implementations, designated as
> > AMNESIA:33 (as far as I could follow the recently made
> > announcements and statements, please see, for instance,
> > https://www.zdnet.com/article/amnesia33-vulnerabilities-impact-millions-of-smart-and-industrial-devices/).
> >
> > All mentioned open-source TCP stacks seem not to be related in any
> > way with FreeBSD or any derivative of the FreeBSD project, but I do
> > not dare to make a statement about that.
> >
> > My question is very simple and aims towards calming down my
> > employees' requests: is FreeBSD potentially vulnerable to this newly
> > discovered flaw (we use mainly 12.1-RELENG, 12.2-RELENG, 12-STABLE
> > and 13-CURRENT, latest incarnations, of course, should be least
> > vulnerable ...).
>
> I'd be surprised if FreeBSD is vulnerable to those flaws, but I cannot
> make any official statement as there are too many to even start to
> investigate them.
>
> Also of note is that there were three other IP stacks that were NOT
> vulnerable to ANY new security issues in that report as well, so it
> isn't like the report found security vulnerability in every TCP/IP
> stack they tested.
>
> The best way to have confidence is to pay people to analyze and
> verify that the FreeBSD TCP/IP stack is secure, just as it is w/
> any critical code that a company runs.
>

Thank you very much for responding. I'll take all comments into consideration; I think one thing is clear, that even if I had to report that FreeBSD is vulnerable, I'd have to wait for a patch. Since my personal patch policy on RELENG for FreeBSD is to patch/update as fast as possible after a SA has been published, I'd have to wait for the patches. CURRENT and STABLE systems are updated frequently - on a weekly basis, if necessary.

Kind regards,
O. Hartmann