From nobody Mon Apr 8 14:17:14 2024
Date: Mon, 8 Apr 2024 08:17:14 -0600
From: The Doctor
To: freebsd-security@freebsd.org, freebsd-ports@freebsd.org
Subject: [tomas@openssl.org: OpenSSL Security Advisory]
List-Id: Security issues
List-Archive: https://lists.freebsd.org/archives/freebsd-security

Though they say low, I believe this is high as TLS 1.3 is becoming a default.

----- Forwarded message from Tomas Mraz -----

Date: Mon, 8 Apr 2024 13:59:11 +0000
From: Tomas Mraz
To: openssl-project@openssl.org, openssl-users@openssl.org, openssl-announce@openssl.org
Subject: OpenSSL Security Advisory

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenSSL Security Advisory [8th April 2024]
==========================================

Unbounded memory growth with session handling in TLSv1.3 (CVE-2024-2511)
========================================================================

Severity: Low

Issue summary: Some non-default TLS server configurations can cause unbounded
memory growth when processing TLSv1.3 sessions

Impact summary: An attacker may exploit certain server configurations to
trigger unbounded memory growth that would lead to a Denial of Service

This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is
being used (but not if early_data support is also configured and the default
anti-replay protection is in use). In this case, under certain conditions, the
session cache can get into an incorrect state and it will fail to flush properly
as it fills. The session cache will continue to grow in an unbounded manner. A
malicious client could deliberately create the scenario for this failure to
force a Denial of Service. It may also happen by accident in normal operation.

This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS
clients.

The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.

OpenSSL 1.0.2 is also not affected by this issue.

OpenSSL 3.2, 3.1, 3.0, 1.1.1 are vulnerable to this issue.

OpenSSL 3.2 users should upgrade to OpenSSL 3.2.2 once it is released.
OpenSSL 3.1 users should upgrade to OpenSSL 3.1.6 once it is released.
OpenSSL 3.0 users should upgrade to OpenSSL 3.0.14 once it is released.
OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1y once it is released
(premium support customers only).

Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when they
become available. The fix is also available in commit e9d7083e (for 3.2),
commit 7e4d731b (for 3.1) and commit b52867a9 (for 3.0) in the OpenSSL git
repository. It is available to premium support customers in commit 5f8d2577
(for 1.1.1).

This issue was reported on 27th February 2024 by Manish Patidar (Hewlett
Packard Enterprise). The fix was developed by Matt Caswell.

General Advisory Notes
======================

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20240408.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html

[PGP signature block omitted]

----- End forwarded message -----

-- 
Member - Liberal International
This is doctor@nk.ca Ici doctor@nk.ca
Yahweh, King & country!Never Satan President Republic!Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism ; unsubscribe from Google Groups to be seen
What worth the power of law that won't stop lawlessness? -unknown

From nobody Tue Apr 9 00:18:42 2024
Date: Mon, 08 Apr 2024 20:18:42 -0400
From: Lowell Gilbert
To: The Doctor
Cc: freebsd-security@freebsd.org, freebsd-ports@freebsd.org
Subject: Re: [tomas@openssl.org: OpenSSL Security Advisory]
In-Reply-To: (The Doctor's message of "Mon, 8 Apr 2024 08:17:14 -0600")
Reply-To: freebsd-security@freebsd.org
Message-ID: <4434rv1j8d.fsf@be-well.ilk.org>
User-Agent: Gnus/5.13 (Gnus v5.13)
List-Id: Security issues
List-Archive: https://lists.freebsd.org/archives/freebsd-security

The Doctor writes:

> Though they say low, I believe this is high as TLS 1.3 is becoming a default.

I think the low priority comes from the fact that even though a lot of
systems use TLS 1.3, only an extremely small number of them meet all of
the conditions for this to be exploited.

Be well.
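As an added triage helper (not part of the advisory, of OpenSSL, or of either poster's message), this Python script applies the two conditions the advisory names, an affected release line older than its fix and the non-default SSL_OP_NO_TICKET option on a server that still offers TLSv1.3, to the interpreter's own OpenSSL and to an ssl.SSLContext. It assumes Python's ssl module, which cannot enable early_data, so the early_data plus anti-replay exemption is not modelled.

```python
import ssl

# Fixed releases named in the advisory; anything older in that line is affected.
# 1.1.1 uses letter patch levels (fixed in 1.1.1y) and is handled separately.
FIXED_IN = {(3, 2): 2, (3, 1): 6, (3, 0): 14}
FIXED_111_LETTER = "y"

def is_affected_version(version):
    """version: (major, minor, patch) for 3.x, or (1, 1, 1, letter) for 1.1.1.
    Lines the advisory does not list (1.0.2, for instance) report False."""
    major, minor = version[0], version[1]
    if (major, minor, version[2]) == (1, 1, 1):
        letter = version[3] if len(version) > 3 else ""
        return letter < FIXED_111_LETTER
    fixed_patch = FIXED_IN.get((major, minor))
    return fixed_patch is not None and version[2] < fixed_patch

def running_version():
    """Map ssl.OPENSSL_VERSION_INFO onto the tuple shape used above."""
    major, minor, fix, patch, _status = ssl.OPENSSL_VERSION_INFO
    if major >= 3:
        # 3.x encodes MNN00PP0, so the release number lands in the "patch" field.
        return (major, minor, patch)
    if (major, minor, fix) == (1, 1, 1):
        return (1, 1, 1, chr(ord("a") + patch - 1) if patch else "")
    return (major, minor, fix)

def tls13_supported():
    return ssl.HAS_TLSv1_3

def context_matches_advisory(ctx):
    """True when ctx sets the non-default OP_NO_TICKET option and still offers
    TLSv1.3 (early_data cannot be enabled from Python, so no exemption applies)."""
    if not tls13_supported():
        return False
    no_ticket = bool(ctx.options & ssl.OP_NO_TICKET)
    tls13_allowed = ctx.maximum_version in (ssl.TLSVersion.TLSv1_3,
                                            ssl.TLSVersion.MAXIMUM_SUPPORTED)
    return no_ticket and tls13_allowed

def make_server_context(no_ticket=False):
    """Constructed sample: a default server context, optionally with OP_NO_TICKET."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if no_ticket:
        ctx.options |= ssl.OP_NO_TICKET
    return ctx

def needs_attention(ctx):
    # Both advisory conditions together: affected library and matching configuration.
    return is_affected_version(running_version()) and context_matches_advisory(ctx)
```

A default server context does not match because Python never sets OP_NO_TICKET on its own; the option has to be added deliberately, which is the "non-default" configuration the advisory describes.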
From nobody Thu Apr 11 17:26:11 2024
Date: Thu, 11 Apr 2024 10:26:11 -0700
From: Cy Schubert
Reply-To: Cy Schubert
To: Dag-Erling Smørgrav
Cc: "Chen, Alvin W", Gordon Tetlow, Shawn Webb, "freebsd-security@freebsd.org"
Subject: Re: Disclosed backdoor in xz releases - FreeBSD not affected
In-Reply-To: <86v84t5vio.fsf@ltc.des.dev>
References: <1C17C92B-AFC2-4B7A-9594-25864156A546@tetlows.org> <86v84t5vio.fsf@ltc.des.dev>
Comments: In-reply-to Dag-Erling Smørgrav message dated "Sun, 07 Apr 2024 12:15:11 +0200."
Message-Id: <20240411172611.7FE6A3AD@slippy.cwsent.com>
X-Mailer: exmh version 2.9.0 11/07/2018 with nmh-1.8+dev
List-Id: Security issues
List-Archive: https://lists.freebsd.org/archives/freebsd-security

In message <86v84t5vio.fsf@ltc.des.dev>, Dag-Erling Smørgrav writes:
> "Chen, Alvin W" writes:
> > My understanding is: the 'xz' built from FreeBSD is not impacted, but
> > the 'xz' built from Linux and run based on FreeBSD Linux ABI could be
> > impacted.
>
> It is certainly possible to build liblzma with the backdoor on a Linux
> host (or in a Linux jail on a FreeBSD host) and run it on a FreeBSD
> host. However, the backdoor does nothing unless loaded into an sshd
> process, so you would still not be affected unless you were running a
> Linux sshd binary and that sshd binary loaded the backdoored liblzma.
> FreeBSD's sshd binary (whether from base or ports) does not load
> liblzma, and if it did, it would not be able to load a Linux version of
> the library.

The backdoor also required sshd be linked against liblzma (because
libsystemd requires it). OpenSSH doesn't use liblzma by default. liblzma
is a systemd requirement.

BTW, Lasse Collin's GH account and the xz repo have been re-enabled. It
was pointed out to me at $JOB yesterday that he's been busy repairing xz.
Looking at his commits, he certainly has been. This is good news.

-- 
Cheers,
Cy Schubert
FreeBSD UNIX:  Web:  https://FreeBSD.org
NTP:           Web:  https://nwtime.org

                        e^(i*pi)+1=0