Received: from hp0.i.tvivox.buzz (hp0.i.tvivox.buzz [137.184.65.85])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id 4GtP0Z70M6z3C4D
	for ; Mon, 23 Aug 2021 07:25:34 +0000 (UTC)
	(envelope-from administrator@freebsd.org)
From: freebsd.org
To: freebsd-security@freebsd.org
Subject: Verify Your Account freebsd-security@freebsd.org
Date: 22 Aug 2021 23:58:20 -0700
Message-ID: <20210822235820.538E0E33B08562B1@freebsd.org>
Authentication-Results: mx1.freebsd.org; none

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-21:13.bhyve
Reply-To: freebsd-security@freebsd.org
Message-Id: <20210824205243.0976172E9@freefall.freebsd.org>
Date: Tue, 24 Aug 2021 20:52:43 +0000 (UTC)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-21:13.bhyve                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Missing error handling in bhyve(8) device models

Category:       core
Module:         bhyve
Announced:      2021-08-24
Credits:        Agustin Gianni (GitHub Security Lab)
Affects:        All supported versions of FreeBSD.
Corrected:      2021-08-24 18:29:48 UTC (stable/13, 13.0-STABLE)
                2021-08-24 17:33:35 UTC (releng/13.0, 13.0-RELEASE-p4)
                2021-08-24 18:33:04 UTC (stable/12, 12.2-STABLE)
                2021-08-24 18:32:13 UTC (releng/12.2, 12.2-RELEASE-p10)
                2021-08-24 18:33:02 UTC (stable/11, 11.4-STABLE)
                2021-08-24 18:31:27 UTC (releng/11.4, 11.4-RELEASE-p13)
CVE Name:       CVE-2021-29631

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I. Background

bhyve(8) is a hypervisor that supports running a variety of guest operating
systems in virtual machines.  It implements a number of device models using
the VirtIO interface to exchange data between the guest and the host.

II. Problem Description

Certain VirtIO-based device models failed to handle errors when fetching
I/O descriptors.  Such errors could be triggered by a malicious guest.
As a result, the device model code could be tricked into operating on
uninitialized I/O vectors, leading to memory corruption.

III. Impact

A malicious guest may be able to crash the bhyve process.  It may be possible
to exploit the memory corruption bugs to achieve arbitrary code execution in
the bhyve process.

IV. Workaround

No workaround is available.  Virtual machines are unaffected unless they use
one or more of the following device models:

 * virtio-console
 * virtio-rnd
 * virtio-scsi (available starting in FreeBSD 12.0)
 * virtio-9p (available starting in FreeBSD 13.0)

V. Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 13.0]
# fetch https://security.FreeBSD.org/patches/SA-21:13/bhyve.13.patch
# fetch https://security.FreeBSD.org/patches/SA-21:13/bhyve.13.patch.asc
# gpg --verify bhyve.13.patch.asc

[FreeBSD 12.2]
# fetch https://security.FreeBSD.org/patches/SA-21:13/bhyve.12.patch
# fetch https://security.FreeBSD.org/patches/SA-21:13/bhyve.12.patch.asc
# gpg --verify bhyve.12.patch.asc

[FreeBSD 11.4]
# fetch https://security.FreeBSD.org/patches/SA-21:13/bhyve.11.patch
# fetch https://security.FreeBSD.org/patches/SA-21:13/bhyve.11.patch.asc
# gpg --verify bhyve.11.patch.asc

b) Apply the patch.
Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

VI. Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/13/                              20f96f215562    stable/13-n246941
releng/13.0/                            ec08bc89d4b3  releng/13.0-n244756
stable/12/                                                        r370400
releng/12.2/                                                      r370393
stable/11/                                                        r370399
releng/11.4/                                                      r370386
- -------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a particular
revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-21:14.ggatec
Reply-To: freebsd-security@freebsd.org
Message-Id: <20210824205249.6B61A743E@freefall.freebsd.org>
Date: Tue, 24 Aug 2021 20:52:49 +0000 (UTC)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-21:14.ggatec                                     Security Advisory
                                                          The FreeBSD Project

Topic:          Remote code execution in ggatec(8)

Category:       core
Module:         ggatec
Announced:      2021-08-24
Credits:        Johannes Totz
Affects:        All supported versions of FreeBSD.
Corrected:      2021-08-24 17:50:50 UTC (stable/13, 13.0-STABLE)
                2021-08-24 17:37:45 UTC (releng/13.0, 13.0-RELEASE-p4)
                2021-08-24 18:30:13 UTC (stable/12, 12.2-STABLE)
                2021-08-24 18:32:15 UTC (releng/12.2, 12.2-RELEASE-p10)
                2021-08-24 18:29:35 UTC (stable/11, 11.4-STABLE)
                2021-08-24 18:31:29 UTC (releng/11.4, 11.4-RELEASE-p13)
CVE Name:       CVE-2021-29630

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I. Background

GEOM Gate is a GEOM module that reflects I/O requests into user mode where
the ggatec(8) daemon forwards those requests to ggated(8), possibly over the
network to another machine.

II. Problem Description

The ggatec(8) daemon does not validate the size of a response before writing
it to a fixed-sized buffer.  This allows the stack of ggatec(8) to be
overwritten.

III. Impact

A malicious ggated(8) or an attacker in a privileged network position can
overwrite the stack with crafted content and potentially execute arbitrary
code.

IV. Workaround

No workaround is available, but systems not using ggatec(8) are not affected.
Neither ggatec(8) nor ggated(8) is enabled by default; both need explicit
configuration by the super-user.

V. Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Restart any ggatec(8) instances.  Existing ggate devices can be kept alive
and restarted with `ggatec rescue`.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-21:14/ggatec.patch
# fetch https://security.FreeBSD.org/patches/SA-21:14/ggatec.patch.asc
# gpg --verify ggatec.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart the applicable daemons, or reboot the system.

VI. Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/13/                              0729ba2f49c9    stable/13-n246938
releng/13.0/                            c8a2cc4ba845  releng/13.0-n244757
stable/12/                                                        r370383
releng/12.2/                                                      r370394
stable/11/                                                        r370381
releng/11.4/                                                      r370387
- -------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a particular
revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-21:15.libfetch
Reply-To: freebsd-security@freebsd.org
Message-Id: <20210824205255.3056F73E7@freefall.freebsd.org>
Date: Tue, 24 Aug 2021 20:52:55 +0000 (UTC)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-21:15.libfetch                                   Security Advisory
                                                          The FreeBSD Project

Topic:          libfetch out of bounds read

Category:       core
Module:         libfetch
Announced:      2021-08-24
Credits:        Samanta Navarro
Affects:        All supported versions of FreeBSD.
Corrected:      2021-08-24 17:59:43 UTC (stable/13, 13.0-STABLE)
                2021-08-24 18:00:47 UTC (releng/13.0, 13.0-RELEASE-p4)
                2021-08-24 18:30:16 UTC (stable/12, 12.2-STABLE)
                2021-08-24 18:32:17 UTC (releng/12.2, 12.2-RELEASE-p10)
                2021-08-24 18:29:40 UTC (stable/11, 11.4-STABLE)
                2021-08-24 18:31:31 UTC (releng/11.4, 11.4-RELEASE-p13)
CVE Name:       CVE-2021-36159

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I. Background

libfetch(3) is a multi-protocol file transfer library included with FreeBSD
and used by the fetch(1) command-line tool, pkg(8) package manager, and
others.

II. Problem Description

The passive mode in FTP communication allows an out-of-bounds read while
libfetch uses strtol to parse the relevant numbers into address bytes.  It
does not check if the line ends prematurely.  If it does, the for-loop
condition checks for *p == '\0' one byte too late because p++ was already
performed.

III. Impact

The connection buffer size can be controlled by a malicious FTP server
because the size is increased until a newline is encountered (or no more
characters are read).  This also allows the buffer to be moved into more
interesting areas within the address space, potentially parsing relevant
numbers for the attacker.
Since these bytes become available to the server in the form of a new TCP
connection to a constructed port number, or even as part of the IPv6 address,
this is a potential information leak.

IV. Workaround

No workaround is available.

V. Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-21:15/libfetch.patch
# fetch https://security.FreeBSD.org/patches/SA-21:15/libfetch.patch.asc
# gpg --verify libfetch.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

VI. Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/13/                              a75324d674f5    stable/13-n246939
releng/13.0/                            060510ba8bfb  releng/13.0-n244758
stable/12/                                                        r370384
releng/12.2/                                                      r370395
stable/11/                                                        r370382
releng/11.4/                                                      r370388
- -------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a particular
revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
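
The premature-end case described in FreeBSD-SA-21:15.libfetch above, as an added C example (not libfetch's code and not the FreeBSD patch): `flawed_loop_overread` models the loop shape the advisory describes and reports where its condition would read past the terminator, and `parse_pasv_tuple` is one hardened way to parse the six passive-mode fields. The function names, the reconstructed loop shape and the sample reply lines are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PASV_FIELDS 6   /* h1,h2,h3,h4,p1,p2 in a 227 reply */

/* Skip the 3-digit reply code; return the first digit after it, or NULL. */
const char *
pasv_tuple_start(const char *line)
{
    const char *p;

    if (strlen(line) < 3)
        return NULL;
    for (p = line + 3; *p != '\0' && !isdigit((unsigned char)*p); p++)
        ;
    return *p != '\0' ? p : NULL;
}

/*
 * Model of the loop shape from the advisory (reconstructed, an assumption):
 *     for (i = 0; *p && i < want; i++, p++) addr[i] = strtol(p, &p, 10);
 * The model never dereferences past the terminator. It returns the offset
 * at which the loop condition would read beyond the NUL, or -1 if the loop
 * stays inside the string.
 */
long
flawed_loop_overread(const char *tuple, int want)
{
    size_t len = strlen(tuple);
    const char *p = tuple;
    char *end;
    int i;

    for (i = 0; ; i++, p++) {
        if ((size_t)(p - tuple) > len)
            return (long)(p - tuple);   /* "*p" here is out of bounds */
        if (*p == '\0' || i >= want)
            return -1;
        (void)strtol(p, &end, 10);
        p = end;        /* may now point at the NUL; p++ then skips it */
    }
}

/*
 * Hardened parse: every field must start with a digit, fit in one byte and,
 * except for the last, be followed by ','. The pointer is only advanced
 * over a byte that was just checked. Returns 0 on success, -1 on error.
 */
int
parse_pasv_tuple(const char *tuple, unsigned char addr[PASV_FIELDS])
{
    const char *p = tuple;
    char *end;
    long v;
    int i;

    for (i = 0; i < PASV_FIELDS; i++) {
        if (!isdigit((unsigned char)*p))
            return -1;          /* empty field or premature end of line */
        v = strtol(p, &end, 10);
        if (v < 0 || v > 255)
            return -1;
        addr[i] = (unsigned char)v;
        p = end;
        if (i < PASV_FIELDS - 1) {
            if (*p != ',')
                return -1;      /* also catches *p == '\0' */
            p++;                /* safe: *p was ',' and not the NUL */
        }
    }
    return 0;
}

int
main(void)
{
    /* Constructed sample replies, not captured traffic. */
    const char *samples[] = {
        "227 Entering Passive Mode (192,0,2,10,19,137)",
        "227 Entering Passive Mode (192,0,2,10,19",
    };
    unsigned char addr[PASV_FIELDS];
    size_t n;

    for (n = 0; n < sizeof(samples) / sizeof(samples[0]); n++) {
        const char *t = pasv_tuple_start(samples[n]);

        if (t == NULL)
            continue;
        printf("%-48s flawed-loop overread offset: %ld, hardened parse: %d\n",
            samples[n], flawed_loop_overread(t, PASV_FIELDS),
            parse_pasv_tuple(t, addr));
    }
    return 0;
}
```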
b=TqeAL9tVEhigMFNZxkp8XtMq0JVV58FTS/TlA0/0mvujCRprdrGpyD528Onn48a8VyJ/eA 0l2x8kM+6GWMqAiTy5etu1usFUIGmmo4WwIemJWKLXQ+QfxfzWSebLoFuGzWo3hx36h/1P 4sSDVqoiWSfNVS2oepoTVK88D0vv86xbgccPe+XwEiAtYmtMBvS43MS/8ZKAdE4wZ+r8od em3XPQu4koHtgBFAqyrwYW41kSZg0xy/nUZsblkUhJIMevsw9CVo35IMkxh/fGp1sO0usV mzIzSeJIKu4lRH9Rr+YwmB3SG10xbb/CyG9AO3aDSQhYp/EPmRM/j7u1t2p+4Q== Received: by freefall.freebsd.org (Postfix, from userid 945) id 305BF72EF; Tue, 24 Aug 2021 20:53:00 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-21:16.openssl Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20210824205300.305BF72EF@freefall.freebsd.org> Date: Tue, 24 Aug 2021 20:53:00 +0000 (UTC) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1629838380; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=PfcXaWD3tfJAjV1WWTE+qtdcWO8AlGyXbPL1ygbUD+c=; b=hZMyJRDOCYw1WaNCGA/i+eUHMtIsnTmnPqd+QcPgDwFfiNAzPtkkwBNTaqJAF/liNlVXCa ZH4JFNc63Dd2tu1ssPPuYmtjh+WkUpN/wBD0Csw+gJb7/kHlu+8DkOBgbxWsZ050+Kqogv A8hxs+e98PB9NnHnt+b17O7kDO1Todt7wvLg3+xyLjHHCM5nHNyMh5QYg0z+v1+rQCc18k Owjvtx9yqmEDNyIyB6uzJhaVZLy5f+9HYbs8Mhu6wo/Ga2P8DVlH/v+COcOQ0ZeoMXObVs PO/JCAZa9SzUeGMHTm/jM4ZuCozQkrjs1tKaFPzN/4YfQnF1X6kTQekXcxPHzQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1629838380; a=rsa-sha256; cv=none; b=l9mOzG4nBJRZVL5NdPImnplNpJ2JJJUksiLQIyvavx3m8lDvbbrSqLdTk9L7HLHZgjoH91 n5mfBS5bywBHqlEz9mBSXIFdinrw8ejUUbu+vyyc8y4CEOtkeUKCQcQW+jIV8xE6WhT/Jz JDfS+bafSH7pSiVXBmWbw05VY8BLKlIRFfS32JTQ2QhRT3pfxp63x6zBmxcqpkL9jC3W0H uyhF+o6xPzNHCJo5JGu2yM4092De00+JroI1A0hdmlpOegKFwhGam2+kT+p+hiGSBXRsyG YGZDvIEeD27ej/2yjGQWc1d6EsHtVSqDWHhje3KNYUCO2J50eTLrlvyiPTMAvA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.34 List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: 
=============================================================================
FreeBSD-SA-21:16.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple OpenSSL vulnerabilities

Category:       contrib
Module:         openssl
Announced:      2021-08-24
Credits:        See OpenSSL advisory in references.
Affects:        FreeBSD 12.2 and later.
Corrected:      2021-08-24 18:05:48 UTC (stable/13, 13.0-STABLE)
                2021-08-24 18:08:04 UTC (releng/13.0, 13.0-RELEASE-p4)
                2021-08-24 18:30:22 UTC (stable/12, 12.2-STABLE)
                2021-08-24 18:32:19 UTC (releng/12.2, 12.2-RELEASE-p10)
CVE Name:       CVE-2021-3711, CVE-2021-3712

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit for the Transport Layer Security (TLS) protocol.  It is
also a general-purpose cryptography library.

II.  Problem Description

There are two issues fixed in this security advisory:

A bug in the SM2 decryption implementation incorrectly calculates a buffer
needed to hold the plaintext leading to a potential buffer overflow.
[CVE-2021-3711]

ASN1_STRING structures directly constructed, instead of using library
functions, may not be NULL-terminated resulting in library functions causing
a read buffer overrun. [CVE-2021-3712]

III. Impact

Specially crafted decrypted SM2 content could cause attacker chosen data to
overflow the buffer changing application behavior or causing the application
to crash. [CVE-2021-3711]

A specially crafted malicious string can cause an application that directly
constructs the ASN1_STRING structure to crash or disclose memory contents.
[CVE-2021-3712]

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 13.0]
# fetch https://security.FreeBSD.org/patches/SA-21:16/openssl.13.patch
# fetch https://security.FreeBSD.org/patches/SA-21:16/openssl.13.patch.asc
# gpg --verify openssl.13.patch.asc

[FreeBSD 12.2]
# fetch https://security.FreeBSD.org/patches/SA-21:16/openssl.12.patch
# fetch https://security.FreeBSD.org/patches/SA-21:16/openssl.12.patch.asc
# gpg --verify openssl.12.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/13/                              9d31ae318711    stable/13-n246940
releng/13.0/                            2261c814b7fa  releng/13.0-n244759
stable/12/                                                        r370385
releng/12.2/                                                      r370396
-------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a particular
revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

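
The read overrun that FreeBSD-SA-21:16 describes for CVE-2021-3712, shown as an added example that is not part of the advisory and is not OpenSSL or FreeBSD code. The struct `asn1_like`, the function names and the sample bytes are hypothetical and constructed for illustration; the sample keeps the "adjacent memory" inside one array so the unsafe read stays well defined here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the length/data pair of an ASN1_STRING.
 * Not OpenSSL's definition: data holds `length` bytes and no terminator. */
struct asn1_like {
    int length;
    const unsigned char *data;
};

/* Constructed sample: the value is the 5 bytes "hello"; the bytes that
 * follow in the same array stand for unrelated adjacent memory. */
static const unsigned char arena[] = "helloSECRET";

struct asn1_like constructed_sample(void)
{
    struct asn1_like s = { 5, arena };
    return s;
}

/* Pattern from the advisory: treating data as a C string. strlen() ignores
 * `length` and keeps reading until it happens to meet a zero byte. In a
 * real process nothing guarantees that byte lies inside the allocation. */
size_t unsafe_len(const struct asn1_like *s)
{
    return strlen((const char *)s->data);
}

/* Hardened form: copy exactly `length` bytes and add the terminator here.
 * Returns NULL for a negative length, a missing buffer, an embedded NUL
 * (which would truncate later C-string handling) or a failed allocation.
 * The caller frees the result. */
char *asn1_like_to_cstr(const struct asn1_like *s)
{
    size_t n;
    char *out;

    if (s == NULL || s->length < 0 || (s->length > 0 && s->data == NULL))
        return NULL;
    n = (size_t)s->length;
    if (n > 0 && memchr(s->data, '\0', n) != NULL)
        return NULL;
    out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    if (n > 0)
        memcpy(out, s->data, n);
    out[n] = '\0';
    return out;
}

int main(void)
{
    struct asn1_like s = constructed_sample();
    char *safe = asn1_like_to_cstr(&s);

    printf("declared length:      %d\n", s.length);
    printf("strlen-style length:  %zu\n", unsafe_len(&s));
    printf("length-bounded copy:  %s\n", safe ? safe : "(rejected)");
    free(safe);
    return 0;
}
```
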
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-21:17.openssl
Reply-To: freebsd-security@freebsd.org
Date: Tue, 24 Aug 2021 20:53:04 +0000 (UTC)

=============================================================================
FreeBSD-SA-21:17.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities in OpenSSL

Category:       contrib
Module:         openssl
Announced:      2021-08-24
Affects:        FreeBSD 12.2 and FreeBSD 11.4
Corrected:      2021-02-18 23:55:09 UTC (stable/12, 12.2-STABLE)
                2021-08-24 18:32:22 UTC (releng/12.2, 12.2-RELEASE-p10)
                2021-02-19 16:21:03 UTC (stable/11, 11.4-STABLE)
                2021-08-24 18:31:34 UTC (releng/11.4, 11.4-RELEASE-p13)
CVE Name:       CVE-2021-23840, CVE-2021-23841

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit for the Transport Layer Security (TLS) protocol.  It is
also a general-purpose cryptography library.

II.  Problem Description

This advisory covers two distinct OpenSSL issues:

Calls to EVP_CipherUpdate(), EVP_EncryptUpdate() and EVP_DecryptUpdate() may
overflow the output length argument in some cases where the input length is
close to the maximum permissible length for an integer on the platform.  In
such cases the return value from the function call will be 1 (indicating
success), but the output length value will be negative. [CVE-2021-23840]

The OpenSSL public API function X509_issuer_and_serial_hash() attempts to
create a unique hash value based on the issuer and serial number data
contained within an X509 certificate.  However it fails to correctly handle
any errors that may occur while parsing the issuer field (which might occur
if the issuer field is maliciously constructed). [CVE-2021-23841]

III. Impact

The integer overflow in EVP_*Update() could cause applications to behave
incorrectly or crash leading to a potential denial of service attack.

The X509_issuer_and_serial_hash() issue may result in a NULL pointer
dereference and a crash leading to a potential denial of service attack.

IV.  Workaround

No workaround is available.  The function X509_issuer_and_serial_hash() is
never directly called by OpenSSL itself so applications are only vulnerable
if they use this function directly and they use it on certificates that may
have been obtained from untrusted sources.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.2]
# fetch https://security.FreeBSD.org/patches/SA-21:17/openssl.12.patch
# fetch https://security.FreeBSD.org/patches/SA-21:17/openssl.12.patch.asc
# gpg --verify openssl.12.patch.asc

[FreeBSD 11.4]
# fetch https://security.FreeBSD.org/patches/SA-21:17/openssl.11.patch
# fetch https://security.FreeBSD.org/patches/SA-21:17/openssl.11.patch.asc
# gpg --verify openssl.11.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/12/                                                        r369284
releng/12.2/                                                      r370397
stable/11/                                                        r369299
releng/11.4/                                                      r370389
-------------------------------------------------------------------------

Run the following command to see which files were modified by a particular
revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

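
A caller-side guard for the CVE-2021-23840 behaviour in FreeBSD-SA-21:17 (a return value of 1 with a negative output length), shown as an added example that is not part of the advisory and is not OpenSSL or FreeBSD code. `checked_update`, `update_fn` and both stub functions are hypothetical, the stubs are constructed stand-ins so the block builds without OpenSSL, and the `in_len + block_size` output bound is an assumption chosen as a conservative limit.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same parameter shape as EVP_EncryptUpdate(), with the context left
 * opaque so the example does not need OpenSSL headers. */
typedef int (*update_fn)(void *ctx, unsigned char *out, int *outl,
                         const unsigned char *in, int inl);

enum upd_result {
    UPD_OK,
    UPD_BAD_ARGS,
    UPD_INPUT_TOO_LARGE,   /* in_len + block_size would not fit in int */
    UPD_OUTPUT_TOO_SMALL,  /* caller's buffer cannot hold the worst case */
    UPD_CALL_FAILED,       /* update returned something other than 1 */
    UPD_BAD_OUTLEN         /* returned 1 but reported an impossible length */
};

enum upd_result checked_update(update_fn fn, void *ctx,
                               unsigned char *out, size_t out_cap, int *outl,
                               const unsigned char *in, size_t in_len,
                               int block_size)
{
    if (fn == NULL || out == NULL || outl == NULL || in == NULL ||
        block_size <= 0)
        return UPD_BAD_ARGS;
    /* Reject input sizes near INT_MAX before the library sees them. */
    if (in_len > (size_t)(INT_MAX - block_size))
        return UPD_INPUT_TOO_LARGE;
    if (out_cap < in_len + (size_t)block_size)
        return UPD_OUTPUT_TOO_SMALL;

    *outl = 0;
    if (fn(ctx, out, outl, in, (int)in_len) != 1) {
        *outl = 0;
        return UPD_CALL_FAILED;
    }
    /* The return value alone is not enough: validate the reported length. */
    if (*outl < 0 || (size_t)*outl > in_len + (size_t)block_size) {
        *outl = 0;
        return UPD_BAD_OUTLEN;
    }
    return UPD_OK;
}

/* Constructed stand-in for a well-behaved update: copies input to output. */
int stub_copy(void *ctx, unsigned char *out, int *outl,
              const unsigned char *in, int inl)
{
    (void)ctx;
    memcpy(out, in, (size_t)inl);
    *outl = inl;
    return 1;
}

/* Constructed stand-in for the outcome the advisory describes:
 * success is reported while the output length is negative. */
int stub_negative_outl(void *ctx, unsigned char *out, int *outl,
                       const unsigned char *in, int inl)
{
    (void)ctx; (void)out; (void)in; (void)inl;
    *outl = -16;
    return 1;
}

int main(void)
{
    unsigned char in[32] = { 0 };
    unsigned char out[48];
    int outl = 0;

    printf("well-behaved update: %d\n",
           checked_update(stub_copy, NULL, out, sizeof out, &outl,
                          in, sizeof in, 16));
    printf("negative outl:       %d\n",
           checked_update(stub_negative_outl, NULL, out, sizeof out, &outl,
                          in, sizeof in, 16));
    return 0;
}
```
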
From: Alan Somers
Date: Tue, 24 Aug 2021 15:36:33 -0600
Subject: Wrong patch link in FreeBSD-EN-21:24.libcrypto
To: freebsd-security@freebsd.org, FreeBSD Security Officer

The just published errata notice contains a bad url.

is: fetch https://security.FreeBSD.org/patches/EN-21:17/libcrypto.patch
should be: https://security.FreeBSD.org/patches/EN-21:24/libcrypto.patch

-Alan

From: Gordon Tetlow
Date: Tue, 24 Aug 2021 15:51:12 -0700
Subject: Re: Wrong patch link in FreeBSD-EN-21:24.libcrypto
To: Alan Somers
Cc: freebsd-security, FreeBSD Security Officer

There's always one. Thanks for the check. I've just pushed this to the
website with the corrected link. It should be corrected in the next 5-10
minutes online.

Regards,
Gordon

On Tue, Aug 24, 2021 at 2:36 PM Alan Somers wrote:

> The just published errata notice contains a bad url.
>
> is: fetch https://security.FreeBSD.org/patches/EN-21:17/libcrypto.patch
> should be: https://security.FreeBSD.org/patches/EN-21:24/libcrypto.patch
>
> -Alan
>

From: Alan Somers
Date: Tue, 24 Aug 2021 16:53:14 -0600
Subject: Re: Wrong patch link in FreeBSD-EN-21:24.libcrypto
To: Gordon Tetlow
Cc: freebsd-security, FreeBSD Security Officer

Sounds good.

On Tue, Aug 24, 2021 at 4:51 PM Gordon Tetlow wrote:

> There's always one. Thanks for the check. I've just pushed this to the
> website with the corrected link. It should be corrected in the next 5-10
> minutes online.
>
> Regards,
> Gordon
>
> On Tue, Aug 24, 2021 at 2:36 PM Alan Somers wrote:
>
>> The just published errata notice contains a bad url.
>>
>> is: fetch https://security.FreeBSD.org/patches/EN-21:17/libcrypto.patch
>> should be: https://security.FreeBSD.org/patches/EN-21:24/libcrypto.patch
>>
>> -Alan
>>
>

Subject: Re: FreeBSD Security Advisory FreeBSD-SA-21:16.openssl
To: freebsd-security@freebsd.org
From: mike tancsa
Date: Wed, 25 Aug 2021 07:59:04 -0400

On 8/24/2021 4:53 PM, FreeBSD Security Advisories wrote:
>
> Branch/path                             Hash                     Revision
> -------------------------------------------------------------------------
> stable/13/                              9d31ae318711    stable/13-n246940
> releng/13.0/                            2261c814b7fa  releng/13.0-n244759
> stable/12/                                                        r370385
> releng/12.2/                                                      r370396
> -------------------------------------------------------------------------

Hi All,

    Was reading the original advisory at
https://www.openssl.org/news/secadv/20210824.txt and it says

"OpenSSL versions 1.0.2y and below are affected by this [CVE-2021-3712]
issue."

Does it not then impact RELENG11 ?

% openssl version
OpenSSL 1.0.2u-freebsd  20 Dec 2019

I know RELENG_11 support ends in about a month, but should it not be
flagged ?

    ---Mike

q7mr11361128pjm.231.1629904968632; Wed, 25 Aug 2021 08:22:48 -0700 (PDT) Received: from smtpclient.apple (2603-8001-5e40-d300-b929-93db-7d6e-0ae1.res6.spectrum.com. [2603:8001:5e40:d300:b929:93db:7d6e:ae1]) by smtp.gmail.com with ESMTPSA id f13sm157909pfe.125.2021.08.25.08.22.47 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 25 Aug 2021 08:22:48 -0700 (PDT) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\)) Subject: Re: FreeBSD Security Advisory FreeBSD-SA-21:16.openssl From: Gordon Tetlow In-Reply-To: <44434c22-51c6-92cb-c9de-60fae4764347@sentex.net> Date: Wed, 25 Aug 2021 08:22:46 -0700 Cc: freebsd-security@freebsd.org Content-Transfer-Encoding: quoted-printable Message-Id: References: <20210824205300.305BF72EF@freefall.freebsd.org> <44434c22-51c6-92cb-c9de-60fae4764347@sentex.net> To: mike tancsa X-Mailer: Apple Mail (2.3654.120.0.1.13) X-Rspamd-Queue-Id: 4GvqVR6g2cz3hlb X-Spamd-Bar: - X-Spamd-Result: default: False [-1.49 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; TO_DN_SOME(0.00)[]; MV_CASE(0.50)[]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; RCVD_COUNT_THREE(0.00)[3]; DKIM_TRACE(0.00)[tetlows.org:+]; RCPT_COUNT_TWO(0.00)[2]; DMARC_POLICY_ALLOW(-0.50)[tetlows.org,quarantine]; NEURAL_HAM_SHORT(-1.00)[-1.000]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; MID_RHS_MATCH_FROM(0.00)[]; ARC_NA(0.00)[]; R_DKIM_ALLOW(-0.20)[tetlows.org:s=google]; FREEFALL_USER(0.00)[gordon]; FROM_HAS_DN(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; NEURAL_SPAM_MEDIUM(1.00)[1.000]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::62d:from]; HAS_GOOGLE_REDIR(0.01)[]; RCVD_TLS_ALL(0.00)[]; MAILMAN_DEST(0.00)[freebsd-security] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Security issues \[members-only 
posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Aug 2021 15:22:56 -0000 > On Aug 25, 2021, at 4:59 AM, mike tancsa wrote: >=20 > On 8/24/2021 4:53 PM, FreeBSD Security Advisories wrote: >>=20 >> Branch/path Hash = Revision >> = ------------------------------------------------------------------------- >> stable/13/ 9d31ae318711 = stable/13-n246940 >> releng/13.0/ 2261c814b7fa = releng/13.0-n244759 >> stable/12/ = r370385 >> releng/12.2/ = r370396 >> = ------------------------------------------------------------------------- >=20 >=20 > Hi All, >=20 > Was reading the original advisory at > = https://www.google.com/url?q=3Dhttps://www.openssl.org/news/secadv/2021082= 4.txt&source=3Dgmail-imap&ust=3D1630497552000000&usg=3DAOvVaw21BGr3aGIh9CK= IH3efYzY4 and it says >=20 > "OpenSSL versions 1.0.2y and below are affected by this = [CVE-2021-3712] > issue." >=20 > Does it not then impact RELENG11 ? >=20 > % openssl version > OpenSSL 1.0.2u-freebsd 20 Dec 2019 >=20 > I know RELENG_11 support ends in about a month, but should it not be > flagged ? As we don't have a support contract with OpenSSL to get access to 1.0.2 = patches, we could only roll the 1.1.1 patches. 
Best, Gordon Hat: security-officer= From owner-freebsd-security@freebsd.org Wed Aug 25 15:32:13 2021 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 7A74E6762C1 for ; Wed, 25 Aug 2021 15:32:13 +0000 (UTC) (envelope-from mike@sentex.net) Received: from pyroxene2a.sentex.ca (pyroxene19.sentex.ca [IPv6:2607:f3e0:0:3::19]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "pyroxene.sentex.ca", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Gvqj85Crrz3lNb for ; Wed, 25 Aug 2021 15:32:12 +0000 (UTC) (envelope-from mike@sentex.net) Received: from [IPv6:2607:f3e0:0:4:914a:f85:546f:37bb] ([IPv6:2607:f3e0:0:4:914a:f85:546f:37bb]) by pyroxene2a.sentex.ca (8.16.1/8.15.2) with ESMTPS id 17PFWB0A081083 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO); Wed, 25 Aug 2021 11:32:11 -0400 (EDT) (envelope-from mike@sentex.net) Subject: Re: FreeBSD Security Advisory FreeBSD-SA-21:16.openssl To: Gordon Tetlow Cc: freebsd-security@freebsd.org References: <20210824205300.305BF72EF@freefall.freebsd.org> <44434c22-51c6-92cb-c9de-60fae4764347@sentex.net> From: mike tancsa Message-ID: Date: Wed, 25 Aug 2021 11:32:11 -0400 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.13.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Content-Language: en-US X-Rspamd-Queue-Id: 4Gvqj85Crrz3lNb X-Spamd-Bar: + Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of mike@sentex.net designates 2607:f3e0:0:3::19 as permitted sender) smtp.mailfrom=mike@sentex.net X-Spamd-Result: default: False [1.91 / 15.00]; 
RCVD_TLS_ALL(0.00)[]; ARC_NA(0.00)[]; FREEFALL_USER(0.00)[mike]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2607:f3e0::/32]; MID_RHS_MATCH_FROM(0.00)[]; MIME_GOOD(-0.10)[text/plain]; HFILTER_HELO_IP_A(1.00)[pyroxene2a.sentex.ca]; HFILTER_HELO_NORES_A_OR_MX(0.30)[pyroxene2a.sentex.ca]; NEURAL_SPAM_MEDIUM(1.00)[1.000]; DMARC_NA(0.00)[sentex.net]; NEURAL_HAM_LONG(-1.00)[-1.000]; RCVD_IN_DNSWL_LOW(-0.10)[2607:f3e0:0:3::19:from]; TO_MATCH_ENVRCPT_SOME(0.00)[]; NEURAL_SPAM_SHORT(1.00)[0.995]; RCPT_COUNT_TWO(0.00)[2]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:11647, ipnet:2607:f3e0::/32, country:CA]; RCVD_COUNT_TWO(0.00)[2]; MAILMAN_DEST(0.00)[freebsd-security]; HAS_GOOGLE_REDIR(0.01)[] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Aug 2021 15:32:13 -0000 On 8/25/2021 11:22 AM, Gordon Tetlow wrote: > Hi All, >> Was reading the original advisory at >> https://www.google.com/url?q=https://www.openssl.org/news/secadv/20210824.txt&source=gmail-imap&ust=1630497552000000&usg=AOvVaw21BGr3aGIh9CKIH3efYzY4 and it says >> >> "OpenSSL versions 1.0.2y and below are affected by this [CVE-2021-3712] >> issue." >> >> Does it not then impact RELENG11 ? >> >> % openssl version >> OpenSSL 1.0.2u-freebsd 20 Dec 2019 >> >> I know RELENG_11 support ends in about a month, but should it not be >> flagged ? > As we don't have a support contract with OpenSSL to get access to 1.0.2 patches, we could only roll the 1.1.1 patches. Hi Gordon,     I was thinking more in terms of just a mention that RELENG_11 is indeed vulnerable, no ?     
    ---Mike

From owner-freebsd-security@freebsd.org Wed Aug 25 15:35:57 2021
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-21:16.openssl
From: Gordon Tetlow
Date: Wed, 25 Aug 2021 08:35:54 -0700
Cc: freebsd-security
Message-Id: <7137A3E8-7B53-452B-8187-9F873A68A228@tetlows.org>
References: <20210824205300.305BF72EF@freefall.freebsd.org> <44434c22-51c6-92cb-c9de-60fae4764347@sentex.net>
To: mike tancsa

> On Aug 25, 2021, at 8:32 AM, mike tancsa wrote:
>
> On 8/25/2021 11:22 AM, Gordon Tetlow wrote:
>> Hi All,
>>> Was reading the original advisory at
>>> https://www.google.com/url?q=https://www.google.com/url?q%3Dhttps://www.openssl.org/news/secadv/20210824.txt%26source%3Dgmail-imap%26ust%3D1630497552000000%26usg%3DAOvVaw21BGr3aGIh9CKIH3efYzY4&source=gmail-imap&ust=1630510336000000&usg=AOvVaw1DOZPIolrilgltIWdl61D6 and it says
>>>
>>> "OpenSSL versions 1.0.2y and below are affected by this [CVE-2021-3712]
>>> issue."
>>>
>>> Does it not then impact RELENG11 ?
>>>
>>> % openssl version
>>> OpenSSL 1.0.2u-freebsd 20 Dec 2019
>>>
>>> I know RELENG_11 support ends in about a month, but should it not be
>>> flagged ?
>> As we don't have a support contract with OpenSSL to get access to 1.0.2 patches, we could only roll the 1.1.1 patches.
>
> Hi Gordon,
>
> I was thinking more in terms of just a mention that RELENG_11 is
> indeed vulnerable, no ?

I hear you. We don't really have a way of doing that with our existing SA setup. It's oriented to releasing patches; it is not equipped to notify users of vulnerabilities that we do not have a patch for. Let me think on how we might support such a thing and discuss with the team.

Thanks,
Gordon

From owner-freebsd-security@freebsd.org Wed Aug 25 15:42:47 2021
To: freebsd-security@freebsd.org
References: <20210824205300.305BF72EF@freefall.freebsd.org> <44434c22-51c6-92cb-c9de-60fae4764347@sentex.net>
From: Vincent Hoffman-Kazlauskas
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-21:16.openssl
Date: Wed, 25 Aug 2021 16:42:38 +0100

On 25/08/2021 16:22, Gordon Tetlow via freebsd-security wrote:
>
>> On Aug 25, 2021, at 4:59 AM, mike tancsa wrote:
>>
>> On 8/24/2021 4:53 PM, FreeBSD Security Advisories wrote:
>>>
>>> Branch/path                      Hash                     Revision
>>> -------------------------------------------------------------------------
>>> stable/13/                       9d31ae318711             stable/13-n246940
>>> releng/13.0/                     2261c814b7fa             releng/13.0-n244759
>>> stable/12/                                                r370385
>>> releng/12.2/                                              r370396
>>> -------------------------------------------------------------------------
>>
>>
>> Hi All,
>>
>> Was reading the original advisory at
>> https://www.google.com/url?q=https://www.openssl.org/news/secadv/20210824.txt&source=gmail-imap&ust=1630497552000000&usg=AOvVaw21BGr3aGIh9CKIH3efYzY4 and it says
>>
>> "OpenSSL versions 1.0.2y and below are affected by this [CVE-2021-3712]
>> issue."
>>
>> Does it not then impact RELENG11 ?
>>
>> % openssl version
>> OpenSSL 1.0.2u-freebsd 20 Dec 2019
>>
>> I know RELENG_11 support ends in about a month, but should it not be
>> flagged ?
>
> As we don't have a support contract with OpenSSL to get access to 1.0.2 patches, we could only roll the 1.1.1 patches.

I may have the wrong end of the stick but
https://www.openssl.org/news/vulnerabilities.html says
"Fixed in OpenSSL 1.0.2za (git commit) (Affected 1.0.2-1.0.2y)" with the
git commit linked being
https://github.com/openssl/openssl/commit/ccb0a11145ee72b042d10593a64eaf9e8a55ec12

Is this not eligible for inclusion? I do however appreciate that as
support ends so soon resources are best used on the longer lived versions.

Regards,
Vince

>
> Best,
> Gordon
> Hat: security-officer

From owner-freebsd-security@freebsd.org Wed Aug 25 18:20:14 2021
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-21:16.openssl
To: freebsd-security@freebsd.org
References: <20210824205300.305BF72EF@freefall.freebsd.org> <44434c22-51c6-92cb-c9de-60fae4764347@sentex.net> <7137A3E8-7B53-452B-8187-9F873A68A228@tetlows.org>
From: Miroslav Lachman <000.fbsd@quip.cz>
Message-ID: <7d35f093-e125-3328-e7b1-c4012fcd6106@quip.cz>
Date: Wed, 25 Aug 2021 20:20:02 +0200
In-Reply-To: <7137A3E8-7B53-452B-8187-9F873A68A228@tetlows.org>

On 25/08/2021 17:35, Gordon Tetlow via freebsd-security wrote:

[...]

>> Hi Gordon,
>>
>> I was thinking more in terms of just a mention that RELENG_11 is
>> indeed vulnerable, no ?
>
> I hear you. We don't really have a way of doing that with our existing SA setup. It's oriented to releasing patches; it is not equipped to notify users of vulnerabilities that we do not have a patch for. Let me think on how we might support such a thing and discuss with the team.

Will it be published (marked as vulnerable) in vuln.xml so users of security/base-audit will be notified?

Kind regards
Miroslav Lachman
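
Added example, not part of any message in this thread and not FreeBSD or OpenSSL project code: a check of `openssl version` output against the 1.0.2 range quoted above for CVE-2021-3712 ("Affected 1.0.2-1.0.2y", fixed in 1.0.2za), including the letter-suffix ordering that puts "za" after "y". The names `parse_banner`, `classify` and `SAMPLES` are assumptions made for this illustration, and every sample banner except the first is constructed.

```python
import re
from typing import NamedTuple, Optional


class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    fix: int
    patch: str  # letter suffix: "", "a".."y", then "za", "zb", ...

    def key(self):
        # Pre-3.0 OpenSSL orders patch letters by length first, then
        # alphabetically, so "" < "u" < "y" < "za" < "zb".
        return (self.major, self.minor, self.fix, len(self.patch), self.patch)


_BANNER_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

# Range for CVE-2021-3712 on the 1.0.2 branch, as quoted in the thread:
# "Fixed in OpenSSL 1.0.2za ... (Affected 1.0.2-1.0.2y)".
FIRST_AFFECTED = OpenSSLVersion(1, 0, 2, "")
LAST_AFFECTED = OpenSSLVersion(1, 0, 2, "y")


def parse_banner(banner: str) -> Optional[OpenSSLVersion]:
    """Extract the upstream version from `openssl version` output."""
    m = _BANNER_RE.search(banner)
    if m is None:
        return None
    return OpenSSLVersion(int(m[1]), int(m[2]), int(m[3]), m[4])


def classify(banner: str) -> str:
    """Return 'affected', 'fixed', 'other-branch' or 'unparseable'."""
    v = parse_banner(banner)
    if v is None:
        return "unparseable"
    if (v.major, v.minor, v.fix) != (1, 0, 2):
        return "other-branch"  # the quoted range covers 1.0.2 only
    if FIRST_AFFECTED.key() <= v.key() <= LAST_AFFECTED.key():
        return "affected"
    return "fixed"


# The first banner is the one posted in the thread; the rest are constructed.
SAMPLES = [
    "OpenSSL 1.0.2u-freebsd 20 Dec 2019",
    "OpenSSL 1.0.2y  16 Feb 2021",
    "OpenSSL 1.0.2za  24 Aug 2021",
    "OpenSSL 1.1.1k-freebsd  25 Mar 2021",
    "LibreSSL 3.3.3",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        print(f"{classify(banner):12}  {banner}")
```

The banner only identifies the upstream release, so it cannot show whether a vendor backported a fix without changing the version string.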