From owner-freebsd-security@FreeBSD.ORG Sun Jul 13 22:39:35 2008
Date: Mon, 14 Jul 2008 00:23:45 +0200
From: "Simon L. Nielsen"
To: Chuck Swiger
Cc: freebsd-security@freebsd.org, Doug Barton
Message-ID: <20080713222344.GB15766@zaphod.nitro.dk>
Subject: Re: OpenSSL warning from dns/bind95 build...?
List-Id: "Security issues [members-only posting]"
User-Agent: Mutt/1.5.16 (2007-06-09)

On 2008.07.11 13:14:09 -0700, Chuck Swiger wrote:
[quote edited to contain important part]
>> WARNING Your OpenSSL crypto library may be vulnerable to
>> WARNING one or more of the the following known security
>> WARNING flaws:
>> WARNING
>> WARNING CAN-2002-0659, CAN-2006-4339, CVE-2006-2937 and
>> WARNING CVE-2006-2940.
>> WARNING [...]
>
> Is the version of OpenSSL now included with RELENG_6 (OpenSSL 0.9.7e-p1)
> OK, or is it at risk as reported?

Just so there is no doubt - the base system OpenSSL isn't actually
vulnerable to those issues. They were fixed in SA-02:33.openssl,
FreeBSD-SA-06:19.openssl, and FreeBSD-SA-06:23.openssl. The BIND build
system just has no way to see this since they were patched instead of
upgraded.

-- 
Simon L. Nielsen
Hats: Base system OpenSSL janitor and FreeBSD Security Team
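The point Simon makes above, as an added Python example (not code from the mail, from BIND or from FreeBSD): a check that only looks at the OpenSSL version string, as BIND's build does, cannot distinguish a release that the vendor patched in place from one that is still unfixed, so a defender has to reconcile the version verdict with the vendor's advisories. The upstream fix-release thresholds and the mapping of each FreeBSD advisory to its CVEs are the example's own assumptions; the mail names only the advisory ids.

```python
import re
from typing import Dict, Iterable, NamedTuple, Set, Tuple

# OpenSSL version strings look like "0.9.7e" upstream; FreeBSD appends a
# local patch level ("-p1") when it patches the base system instead of
# importing a new release.  Tuple order below makes "" < "a" < "b" and lets
# the patch level break ties, so NamedTuple comparison does the right thing.
class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    fix: int
    letter: str
    patch_level: int


def parse_version(text: str) -> OpenSSLVersion:
    """Parse '0.9.7e-p1' style strings; raise ValueError on anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-p(\d+))?", text.strip())
    if m is None:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    major, minor, fix, letter, patch = m.groups()
    return OpenSSLVersion(int(major), int(minor), int(fix), letter, int(patch or 0))


# Upstream releases that first carried each fix on the 0.9.7 branch.  This is
# the example's assumption (from memory of the OpenSSL advisories), not
# something the mail states; confirm against the advisories before reuse.
FIXED_UPSTREAM: Dict[str, str] = {
    "CAN-2002-0659": "0.9.7",
    "CVE-2006-4339": "0.9.7k",
    "CVE-2006-2937": "0.9.7l",
    "CVE-2006-2940": "0.9.7l",
}

# Which CVEs each FreeBSD advisory named in the mail closed.  The mail lists
# only the advisory ids; the per-CVE split is the example's reading of them.
VENDOR_FIXES: Dict[str, Set[str]] = {
    "SA-02:33.openssl": {"CAN-2002-0659"},
    "FreeBSD-SA-06:19.openssl": {"CVE-2006-4339"},
    "FreeBSD-SA-06:23.openssl": {"CVE-2006-2937", "CVE-2006-2940"},
}


def version_only_check(version: str) -> Set[str]:
    """What a build-time check like BIND's concludes from the version alone."""
    v = parse_version(version)
    return {cve for cve, fixed in FIXED_UPSTREAM.items() if v < parse_version(fixed)}


def reconcile(version: str, applied_advisories: Iterable[str]) -> Tuple[Set[str], Set[str]]:
    """Return (flagged_by_version_string, still_open_after_vendor_advisories)."""
    flagged = version_only_check(version)
    backported: Set[str] = set()
    for advisory in applied_advisories:
        backported |= VENDOR_FIXES.get(advisory, set())
    return flagged, flagged - backported


if __name__ == "__main__":
    # RELENG_6 shipped 0.9.7e-p1 with all three advisories applied.
    flagged, still_open = reconcile("0.9.7e-p1", VENDOR_FIXES)
    print("version string alone flags:", sorted(flagged))
    print("open after applying the SAs: ", sorted(still_open))
```

The version-only pass reproduces the false positive: 0.9.7e sorts below 0.9.7k and 0.9.7l, so three of the four ids are flagged even though the "-p1" suffix is the only visible trace of the backports. Feeding the applied advisories into `reconcile` empties the open set, which is the check a vulnerability scanner or build script should be doing before it warns.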