From owner-freebsd-security@FreeBSD.ORG Thu Jun 5 15:27:05 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 4A8BE696 for ; Thu, 5 Jun 2014 15:27:05 +0000 (UTC) Received: from mail-yh0-x230.google.com (mail-yh0-x230.google.com [IPv6:2607:f8b0:4002:c01::230]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 084FD2A0A for ; Thu, 5 Jun 2014 15:27:04 +0000 (UTC) Received: by mail-yh0-f48.google.com with SMTP id a41so970196yho.21 for ; Thu, 05 Jun 2014 08:27:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=irrelevant.org; s=irrelevant; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=pbKNNdl+Rk580KJjsC1q7XXyHJJk9ityc0PD4jlGid4=; b=YZiKFZTfDrsCjvFlenHnBTeigSRnEs/Qmrd/mNEKeDXIDNsp4UFepzXbt8XORQ3vCt XAeWpkMJ6W488aB0K0TEK56tHbMER5AKwxjXg+6W0l9HJ6tjKD+I5ahJPmqiWmpuVqwv iGHhssd/Dsevw3PIcWjDv7x5lTVswxL80Rg14= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=pbKNNdl+Rk580KJjsC1q7XXyHJJk9ityc0PD4jlGid4=; b=GNdJbjhdwsqDRUr5vDveKg3XmJqHuq2X8FUJm36nCYt2HB/4zQqViaYSVLQ8m97+I2 k8vWlzR1tMByEeGpdVB1xfdRudOjZBa3dRTVtXSTPlBiplL/KHY3TmxTFZcBDQbyFg/X lwAm3n/y/wl4cB/1j3MsBLq0ziMI6Eriq9T0AOqjs8vP1w4HDdayh3ZJz2Bj0ii6cDKB z8vFVk1hu2JWOOtj49I4fvJIMdF3LdhmCp2IVgf/wYBevosSMCmJOr8bt4zRePq703qZ sHapqRoo3ctT34UzSB4wfrx0tnbvLVJcFr0aGfU0u4mgWDh/73t75eayuzKEPRTI0akZ EeDg== X-Gm-Message-State: ALoCoQmG18UrfvPqDJ0LtK57g2KP2B9yZ4Wiv9XFzhepAwnamkJEBbZzVI6UKMbsDvUqgy829iUy MIME-Version: 1.0 X-Received: by 10.236.151.116 with SMTP id a80mr85103106yhk.48.1401982024022; Thu, 05 Jun 2014 08:27:04 -0700 (PDT) Received: by 10.170.118.199 with HTTP; Thu, 5 Jun 2014 08:27:03 -0700 (PDT) X-Originating-IP: [94.31.26.101] In-Reply-To: <53908845.20900@lowlife.org> References: <201406051316.s55DGtGw041955@freefall.freebsd.org> <53908845.20900@lowlife.org> Date: Thu, 5 Jun 2014 16:27:03 +0100 Message-ID: Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:14.openssl From: Simon Dick To: Jappe Reuling Content-Type: text/plain; charset=UTF-8 Cc: freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 Jun 2014 15:27:05 -0000 Mostly any third party ports that link against it... On 5 June 2014 16:09, Jappe Reuling wrote: > Hi, > > One, my appologies if it's a stupid one, question: the advisory is for > DTLS, hence UDP TLS, right? Normally you would run SSL (TLS a.o.) via TCP. > So what would use DTLS (in the base system) and could be vulnerable? A > mailserver using TLS and linked to the base system's openssl would be using > TCP...? > > Thanks in advance. > > Jappe > > > On 05/06/14 15:16, FreeBSD Security Advisories wrote: >> >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA512 >> >> >> ============================================================================= >> FreeBSD-SA-14:14.openssl Security >> Advisory >> The FreeBSD >> Project >> >> Topic: OpenSSL multiple vulnerabilities >> >> Category: contrib >> Module: openssl >> Announced: 2014-06-05 >> Affects: All supported versions of FreeBSD. >> Corrected: 2014-06-05 12:32:38 UTC (stable/10, 10.0-STABLE) >> 2014-06-05 12:33:23 UTC (releng/10.0, 10.0-RELEASE-p5) >> 2014-06-05 12:53:06 UTC (stable/9, 9.3-BETA1) >> 2014-06-05 12:53:06 UTC (stable/9, 9.3-BETA1-p2) >> 2014-06-05 12:33:23 UTC (releng/9.2, 9.2-RELEASE-p8) >> 2014-06-05 12:33:23 UTC (releng/9.1, 9.1-RELEASE-p15) >> 2014-06-05 12:32:38 UTC (stable/8, 8.4-STABLE) >> 2014-06-05 12:33:23 UTC (releng/8.4, 8.4-RELEASE-p12) >> CVE Name: CVE-2014-0195, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470 >> >> For general information regarding FreeBSD Security Advisories, >> including descriptions of the fields above, security branches, and the >> following sections, please visit . >> >> I. Background >> >> FreeBSD includes software from the OpenSSL Project. The OpenSSL Project >> is >> a collaborative effort to develop a robust, commercial-grade, >> full-featured >> Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) >> and Transport Layer Security (TLS v1) protocols as well as a full-strength >> general purpose cryptography library. >> >> II. Problem Description >> >> Receipt of an invalid DTLS fragment on an OpenSSL DTLS client or server >> can >> lead to a buffer overrun. [CVE-2014-0195] >> >> Receipt of an invalid DTLS handshake on an OpenSSL DTLS client can lead >> the >> code to unnecessary recurse. [CVE-2014-0221] >> >> Carefully crafted handshake can force the use of weak keying material in >> OpenSSL SSL/TLS clients and servers. [CVE-2014-0224] >> >> Carefully crafted packets can lead to a NULL pointer deference in OpenSSL >> TLS client code if anonymous ECDH ciphersuites are enabled. >> [CVE-2014-3470] >> >> III. Impact >> >> A remote attacker may be able to run arbitrary code on a vulnerable client >> or server by sending invalid DTLS fragments to an OpenSSL DTLS client or >> server. [CVE-2014-0195] >> >> A remote attacker who can send an invalid DTLS handshake to an OpenSSL >> DTLS >> client can crash the remote OpenSSL DTLS client. [CVE-2014-0221] >> >> A remote attacker who can send a carefully crafted handshake can force the >> use of weak keying material between a vulnerable client and a vulnerable >> server and decrypt and/or modify traffic from the attacked client and >> server in a man-in-the-middle (MITM) attack. [CVE-2014-0224] >> >> A remote attacker who can send carefully crafted packets can cause OpenSSL >> TLS client to crash. [CVE-2014-3470] >> >> IV. Workaround >> >> No workaround is available. >> >> V. Solution >> >> Perform one of the following: >> >> 1) Upgrade your vulnerable system to a supported FreeBSD stable or >> release / security branch (releng) dated after the correction date. >> >> 2) To update your vulnerable system via a source code patch: >> >> The following patches have been verified to apply to the applicable >> FreeBSD release branches. >> >> a) Download the relevant patch from the location below, and verify the >> detached PGP signature using your PGP utility. >> >> [FreeBSD 10.0] >> # fetch http://security.FreeBSD.org/patches/SA-14:14/openssl-10.patch >> # fetch http://security.FreeBSD.org/patches/SA-14:14/openssl-10.patch.asc >> # gpg --verify openssl-10.patch.asc >> >> [FreeBSD 9.x and 8.x] >> # fetch http://security.FreeBSD.org/patches/SA-14:14/openssl-9.patch >> # fetch http://security.FreeBSD.org/patches/SA-14:14/openssl-9.patch.asc >> # gpg --verify openssl-9.patch.asc >> >> b) Apply the patch. Execute the following commands as root: >> >> # cd /usr/src >> # patch < /path/to/patch >> >> c) Recompile the operating system using buildworld and installworld as >> described in . >> >> Restart all deamons using the library, or reboot the system. >> >> 3) To update your vulnerable system via a binary patch: >> >> Systems running a RELEASE version of FreeBSD on the i386 or amd64 >> platforms can be updated via the freebsd-update(8) utility: >> >> # freebsd-update fetch >> # freebsd-update install >> >> VI. Correction details >> >> The following list contains the correction revision numbers for each >> affected branch. >> >> Branch/path Revision >> - >> ------------------------------------------------------------------------- >> stable/8/ r267103 >> releng/8.4/ r267104 >> stable/9/ r267106 >> releng/9.1/ r267104 >> releng/9.2/ r267104 >> stable/10/ r267103 >> releng/10.0/ r267104 >> - >> ------------------------------------------------------------------------- >> >> To see which files were modified by a particular revision, run the >> following command, replacing NNNNNN with the revision number, on a >> machine with Subversion installed: >> >> # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base >> >> Or visit the following URL, replacing NNNNNN with the revision number: >> >> >> >> VII. References >> >> >> >> >> >> >> >> >> >> >> >> The latest revision of this advisory is available at >> >> -----BEGIN PGP SIGNATURE----- >> Version: GnuPG v2.0.22 (FreeBSD) >> >> iQIcBAEBCgAGBQJTkGuTAAoJEO1n7NZdz2rnomEP/AzIur2b4KXcOJnPSq+Fgz2E >> ThZnGpYaWGQXkBnPcARtLUN+98UQkdcVOpDXExdTP/mz+fRH5P14qBCwgFXfMX1a >> Ins6M696pAyBE+SHjFMwX/pSA402Y2LFcfUgq1f9oBKPM77+X/9J4z4NPXB72qTp >> ULLTBVtHiqwlcO6bD+YlpE5AfvoKoUI0MmmkuA4R1zmY/JBgDqN68oiTn7KwRp5m >> v44uVuGF+gGMMkN5oZmXqn89+CbRjDkyk9gvHhe1VXZLfZi6GDlayNMpuBdj9laU >> 3jpMMqwXGF45j524Ai03U/lAzO7Fn1Zl87dlElPk1BMaVmG8uGFipiULPQqsyUC9 >> rchzXxtDM7VVA/p7G3Vn6RHbOPeNCxhuFonq1WxVBrXImIw23PRWDlYx+Kve5trH >> gJvztI6CkD0f6NOf7HM7LYU1slvGFykFhoGeurxFVfKT2YlulL6HcRx4QPFE33c1 >> W57wPHUvZ2w8hO0OU1zX1pz1qE6je+DoSTq7bob5ExXmDWCu2LElmKXW67N2tGYq >> kNetRkTR9qwDlmexrcyAVgR45a/9oe/p9taTgm2/8ITzaHjexYcGn/tL7Mc9pYCa >> Dj9FP0D52foKj3PjVfSZc/8kgJklKhtugDvbK74MmruA6vUELRrY84O2kfpgAzLj >> KfE2eBuieG9+Pdpk011t >> =/CUF >> -----END PGP SIGNATURE----- >> _______________________________________________ >> freebsd-security-notifications@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications >> To unsubscribe, send any mail to >> "freebsd-security-notifications-unsubscribe@freebsd.org" >> > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"