From owner-svn-doc-all@freebsd.org Thu Jul 9 17:29:14 2015
Return-Path:
Delivered-To: svn-doc-all@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 572D0997CB7; Thu, 9 Jul 2015 17:29:14 +0000 (UTC) (envelope-from delphij@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 3AD07190D; Thu, 9 Jul 2015 17:29:14 +0000 (UTC) (envelope-from delphij@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.70]) by repo.freebsd.org (8.14.9/8.14.9) with ESMTP id t69HTEbJ072119; Thu, 9 Jul 2015 17:29:14 GMT (envelope-from delphij@FreeBSD.org)
Received: (from delphij@localhost) by repo.freebsd.org (8.14.9/8.14.9/Submit) id t69HTDw1072117; Thu, 9 Jul 2015 17:29:13 GMT (envelope-from delphij@FreeBSD.org)
Message-Id: <201507091729.t69HTDw1072117@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: delphij set sender to delphij@FreeBSD.org using -f
From: Xin LI
Date: Thu, 9 Jul 2015 17:29:13 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r46942 - in head/share: security/advisories xml
X-SVN-Group: doc-head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-doc-all@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "SVN commit messages for the entire doc trees \(except for " user" , " projects" , and " translations" \)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 09 Jul 2015 17:29:14 -0000

Author: delphij
Date: Thu Jul 9 17:29:12 2015
New Revision: 46942
URL: https://svnweb.freebsd.org/changeset/doc/46942

Log:
Add SA-15:12.openssl for today's OpenSSL advisory. Note that this affects -STABLE only so no patch is associated with it.

Added:
head/share/security/advisories/FreeBSD-SA-15:12.openssl.asc (contents, props changed)
Modified:
head/share/xml/advisories.xml

Added: head/share/security/advisories/FreeBSD-SA-15:12.openssl.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-15:12.openssl.asc Thu Jul 9 17:29:12 2015 (r46942)
@@ -0,0 +1,110 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-15:12.openssl Security Advisory + The FreeBSD Project + +Topic: OpenSSL alternate chains certificate forgery vulnerability + +Category: contrib +Module: openssl +Announced: 2015-07-09 +Credits: Adam Langley/David Benjamin (Google/BoringSSL), OpenSSL +Affects: FreeBSD 10.1-STABLE after 2015-06-11 and prior to the + correction date. +Corrected: 2015-07-09 17:17:22 UTC (stable/10, 10.2-PRERELEASE, + 10.2-BETA1) +CVE Name: CVE-2015-1793 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is +a collaborative effort to develop a robust, commercial-grade, full-featured +Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) +and Transport Layer Security (TLS v1) protocols as well as a full-strength +general purpose cryptography library. + +II. Problem Description + +During certificate verification, OpenSSL will attempt to find an alternative +certificate chain if the first attempt to build such a chain fails, unless +the application explicitly specifies X509_V_FLAG_NO_ALT_CHAINS. + +An error in the implementation of this logic could erroneously mark +certificate as trusted when they should not. + +III. Impact + +An attacker could cause certain checks on untrusted certificates, such as the +CA (certificate authority) flag, to be bypassed, which would enable them to +use a valid leaf certificate to act as a CA and issue an invalid certificate. + +IV. Workaround + +No workaround is available. 
+ +NOTE WELL: This issue does not affect earlier FreeBSD releases, including the +supported 8.4, 9.3 and 10.1-RELEASE because the alternative certificate chain +feature was not introduced in these releases. Only 10.1-STABLE after +2015-06-11 and prior to the correction date is affected. + +V. Solution + +Upgrade your vulnerable system to the latest supported FreeBSD stable/10 +branch dated after the correction date. + +Recompile the operating system using buildworld and installworld as +described in . + +Restart all deamons using the library, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r285330 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.6 (FreeBSD) + +iQIcBAEBCgAGBQJVnq6lAAoJEO1n7NZdz2rntOsP/A07ZJWDt2DpN5h2En0fE+tL +tIB2uSV0pcoUAZExLjft5IDMau/zbZd/JFXczR5RRollu0jaETcpWYzXzjtAQ4IG +ZEKwvjdThN0naKk0F0DOjAm84ukIds9zR4JZ2KpJmzZnChzZYoF21ZkGPBMMlVhZ +4T9GNTiphdz3HsWx57r2WSapMlys0U0f32xOfYr1iUMRVkNNJfnkFSSxA2MEwuBl +/HzVLYOpVEGn/V3I+USQ1KmwMhTtJ+JY6WQlv0k/UKgrQHjdsKjoDwMwWT7UJgPZ +j7bvYKftXMYl22KDTlyvZA1c0YZ8kyP9bd+dz6NogCgiNUcIux/wTgMmbnbauZXb +pV+MAAAXKfeUoU94qXRD0QHRDXYt34buSswTtPI3LuVeLkqVk/ZdQATZYqMmCcCZ +4XNtdefKN/HZIq9Lx5N1F1a4MQn3MgbNPUNRfDLtwDFp2w9nMA2XoP8j4oLHul3z +umFwrEDtO8yojjj6qFGaAjpKktwYfq7/+ISFTYFpWLO3pb2QUw+3S+rWmrclyyd9 +xMOt2+tMpq46ESydmDSBXkgEQ6yL5XWA4FY+6VvWJrhM49DiP+FzpxZMpAKDHFmf +55L1mjSttHxU3G6/b1VPkRnphgqG03j1+nmyL+fIjHGa1ojvInzxuGcDgAJvUWkc +kMEkVjlnca3CDs5zADOX +=iBF6 +-----END PGP SIGNATURE----- Modified: head/share/xml/advisories.xml ============================================================================== --- head/share/xml/advisories.xml Wed Jul 8 21:01:40 2015 (r46941) +++ head/share/xml/advisories.xml Thu Jul 9 17:29:12 2015 (r46942) @@ -11,6 +11,14 @@ 7 + 9 + + + FreeBSD-SA-15:12.openssl + + + + 7
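Review bot: Two wording defects in the added advisory text (first hunk, FreeBSD-SA-15:12.openssl.asc): in section II, "could erroneously mark certificate as trusted when they should not" should read "mark certificates as trusted when they should not", and in section V, "Restart all deamons using the library" should read "daemons". Separately, as rendered here the URL targets are absent from "please visit ." in the preamble, "described in ." in section V, the "Or visit the following URL" line in section VI and the whole of section VII References, so confirm the angle-bracketed links are actually present in the committed file; because the text is PGP signed, any later correction means re-signing the advisory rather than a simple edit.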
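Review bot: In the advisories.xml hunk the element tags are not visible in this rendering, so only the values can be checked: a new day entry "9" carrying "FreeBSD-SA-15:12.openssl" is inserted ahead of the existing "7" entry, which agrees with the advisory's Announced date of 2015-07-09 and with the filename stem of the added .asc (no ".asc" suffix in the name). Verify in the committed file that the new day element is opened and closed properly, since an unbalanced entry here breaks the whole advisories index rather than just this advisory.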