From owner-freebsd-security@FreeBSD.ORG Mon Jul 14 00:42:33 2008
From: Doug Barton
Organization: http://www.FreeBSD.org/
Date: Sun, 13 Jul 2008 17:42:30 -0700
To: "Simon L. Nielsen"
Cc: freebsd-security@freebsd.org
Subject: Re: OpenSSL warning from dns/bind95 build...?
Message-ID: <487AA0F6.1010801@FreeBSD.org>
In-Reply-To: <20080713222344.GB15766@zaphod.nitro.dk>
References: <20080713222344.GB15766@zaphod.nitro.dk>
List-Id: "Security issues [members-only posting]"

Simon L. Nielsen wrote:
> On 2008.07.11 13:14:09 -0700, Chuck Swiger wrote:
>
> [quote edited to contain important part]
>
>>> WARNING Your OpenSSL crypto library may be vulnerable to
>>> WARNING one or more of the the following known security
>>> WARNING flaws:
>>> WARNING
>>> WARNING CAN-2002-0659, CAN-2006-4339, CVE-2006-2937 and
>>> WARNING CVE-2006-2940.
>>> WARNING
> [...]
>> Is the version of OpenSSL now included with RELENG_6 (OpenSSL 0.9.7e-p1)
>> OK, or is it at risk as reported?
>
> Just so there is no doubt - the base system OpenSSL isn't actually
> vulnerable to those issues. They were fixed in SA-02:33.openssl,
> FreeBSD-SA-06:19.openssl, and FreeBSD-SA-06:23.openssl.
>
> The BIND build system just has no way to see this since they were
> patched instead of upgraded.

... hence the false economy of not doing a "standard" upgrade of the
version in the base. :)

It's nice to know that for the particular set of problems listed in
this version of BIND's warning message our users should not be at risk
though.

I used the ports openssl on my 6-stable boxes without problems, but I
did not have that many ports installed, and I nuked the base openssl
first. YMMV.

Doug

-- 
This .signature sanitized for your protection
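The thread above turns on one mechanism: BIND's configure step decides "vulnerable" from the OpenSSL version number alone, and FreeBSD's base OpenSSL stayed at 0.9.7e-p1 because the fixes were backported by advisory rather than by upgrading, so the version-only check fires falsely. The following Python is an added illustration of that failure mode and of the check a practitioner actually wants; it is not BIND's configure code nor anything from FreeBSD. The "first fixed in" thresholds and the advisory-to-CVE mapping are assumptions chosen for the illustration (the advisory list itself is the one Simon names in the thread).

```python
"""Version-only vulnerability checks versus vendor-aware checks.

Added example, not code from the original thread, BIND or FreeBSD.
Thresholds and the advisory->CVE map below are assumptions for the
illustration; confirm against the real advisories before relying on them.
"""
import re


def parse_openssl_version(s):
    """Return an orderable (major, minor, fix, patch_index) tuple.

    Accepts strings like 'OpenSSL 0.9.7e-p1 25 Oct 2004' or '0.9.8d'.
    The patch letter maps 'a'->1, 'b'->2, ...; no letter -> 0.
    A vendor suffix such as '-p1' is deliberately ignored: it says
    nothing about which upstream fixes were applied.
    """
    m = re.search(r'(\d+)\.(\d+)\.(\d+)([a-z]?)', s)
    if not m:
        raise ValueError("unrecognised OpenSSL version string: %r" % s)
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    letter = m.group(4)
    patch = ord(letter) - ord('a') + 1 if letter else 0
    return (major, minor, fix, patch)


# Assumed "first upstream release containing the fix", keyed by branch.
# A branch missing from a CVE's map is treated as not affected.
FIXED_IN = {
    "CAN-2002-0659": {(0, 9, 6): (0, 9, 6, 5),    # 0.9.6e
                      (0, 9, 7): (0, 9, 7, 0)},   # every 0.9.7 release
    "CAN-2006-4339": {(0, 9, 7): (0, 9, 7, 11),   # 0.9.7k
                      (0, 9, 8): (0, 9, 8, 3)},   # 0.9.8c
    "CVE-2006-2937": {(0, 9, 7): (0, 9, 7, 12),   # 0.9.7l
                      (0, 9, 8): (0, 9, 8, 4)},   # 0.9.8d
    "CVE-2006-2940": {(0, 9, 7): (0, 9, 7, 12),   # 0.9.7l
                      (0, 9, 8): (0, 9, 8, 4)},   # 0.9.8d
}

# Assumed mapping from the FreeBSD advisories named in the thread to the
# CVEs they backported fixes for.
ADVISORY_FIXES = {
    "SA-02:33.openssl": {"CAN-2002-0659"},
    "FreeBSD-SA-06:19.openssl": {"CAN-2006-4339"},
    "FreeBSD-SA-06:23.openssl": {"CVE-2006-2937", "CVE-2006-2940"},
}


def naive_check(version_string):
    """The build-system style check: flag every CVE whose first fixed
    release on this branch is newer than the reported version."""
    v = parse_openssl_version(version_string)
    branch = v[:3]
    flagged = []
    for cve, thresholds in FIXED_IN.items():
        fixed_at = thresholds.get(branch)
        if fixed_at is not None and v < fixed_at:
            flagged.append(cve)
    return sorted(flagged)


def vendor_aware_check(version_string, applied_advisories):
    """Same check, then clear anything a vendor advisory already fixed.
    Unknown advisory names are ignored rather than trusted."""
    flagged = set(naive_check(version_string))
    for advisory in applied_advisories:
        flagged -= ADVISORY_FIXES.get(advisory, set())
    return sorted(flagged)


if __name__ == "__main__":
    # Constructed input: the RELENG_6 base OpenSSL from the thread.
    base = "OpenSSL 0.9.7e-p1 25 Oct 2004"
    applied = ["SA-02:33.openssl",
               "FreeBSD-SA-06:19.openssl",
               "FreeBSD-SA-06:23.openssl"]
    print("version-only  :", naive_check(base))
    print("vendor-aware  :", vendor_aware_check(base, applied))
```

The version-only check reports the three 2006 CVEs for 0.9.7e-p1, which is the false positive the thread describes; the vendor-aware check reports nothing once the three advisories are accounted for. Nothing in the version string distinguishes a patched 0.9.7e from an unpatched one, so the question to ask a FreeBSD base system is "were these SAs applied", not "what does openssl version print".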