From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@freebsd.org
Subject: Re: libcurl vulnerability
Date: Wed, 7 Sep 2016 14:30:22 +0100
On 2016/09/07 13:47, Gerard Seibert wrote:
> Does this vulnerability affect FreeBSD?

The ftp/curl port will be built against the base system copy of openssl by default, in which case this vulnerability won't affect it. You can configure the port to link against libnss3.so, in which case curl presumably would be vulnerable.

The latest VuXML entry for curl

https://vuxml.freebsd.org/freebsd/e4bc70fc-5a2f-11e6-a1bc-589cfc0654e1.html

only mentions CVE-2016-5420, and there doesn't appear to be anything relevant listed against nss. Plus the version of curl in the ports at the moment predates the fix in version 7.50.2.

I'd assume curl is vulnerable if it is built with the NSS option turned on and if the nss port is installed. Please do raise a PR to report this to the maintainer of the curl port.
Cheers,

Matthew
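One way to turn the criteria in the reply above into a local check, as an added example that is not part of the original message: it classifies an installed ftp/curl from the output of pkg query (version and port options) and ldd on /usr/local/bin/curl, and compares the version against the 7.50.2 fix. The command outputs are passed in as strings, with constructed sample output, so the logic runs offline.

```shell
#!/bin/sh
# Added example (not from the original message): classify an installed
# ftp/curl according to the criteria in the reply above.  Live inputs
# would come from:
#   pkg query '%v' curl       -> installed version, e.g. 7.50.1_1
#   pkg query '%Ok=%Ov' curl  -> port options, one "NAME=on|off" per line
#   ldd /usr/local/bin/curl   -> shared libraries actually linked
# Here the outputs are passed in as strings so the logic runs offline.

FIXED_VERSION="7.50.2"   # release carrying the fix named in the reply

# version_lt A B: succeed if dotted version A is older than B.
# Port suffixes such as "_1" or ",1" are stripped by the caller.
version_lt() {
    va="$1"; vb="$2"
    while [ -n "$va" ] || [ -n "$vb" ]; do
        ca="${va%%.*}"; cb="${vb%%.*}"                 # leading component
        [ "$va" = "$ca" ] && va="" || va="${va#*.}"    # drop it
        [ "$vb" = "$cb" ] && vb="" || vb="${vb#*.}"
        [ "${ca:-0}" -lt "${cb:-0}" ] && return 0
        [ "${ca:-0}" -gt "${cb:-0}" ] && return 1
    done
    return 1                                           # versions equal
}

# assess_curl VERSION OPTIONS LDD_OUTPUT
# Prints one of: openssl-not-affected | nss-exposed | nss-current
assess_curl() {
    ver="${1%%[_,]*}"                                  # 7.50.1_1 -> 7.50.1
    if printf '%s\n' "$2" | grep -qx 'NSS=on' ||
       printf '%s\n' "$3" | grep -q 'libnss3\.so'; then
        if version_lt "$ver" "$FIXED_VERSION"; then
            echo nss-exposed       # NSS backend and older than the fix
        else
            echo nss-current       # NSS backend, fix already included
        fi
    else
        echo openssl-not-affected  # default build against base OpenSSL
    fi
}

# Constructed sample: a port built with NSS=on that predates the fix.
SAMPLE_OPTS="GSSAPI_BASE=on
NSS=on
OPENSSL=off"
SAMPLE_LDD="libnss3.so => /usr/local/lib/libnss3.so (0x800a00000)"
assess_curl "7.50.1_1" "$SAMPLE_OPTS" "$SAMPLE_LDD"    # prints nss-exposed
```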