Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 07 Jan 2009 22:49:07 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        freebsd-security@freebsd.org
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-09:02.openssl
Message-ID:  <49653163.4070904@infracaninophile.co.uk>
In-Reply-To: <200901072137.n07LbHwD049781@freefall.freebsd.org>
References:  <200901072137.n07LbHwD049781@freefall.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help 

[-- Attachment #1 --]
FreeBSD Security Advisories wrote:
 
> I.   Background
> 
> FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project is
> a collaborative effort to develop a robust, commercial-grade, full-featured
> Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
> and Transport Layer Security (TLS v1) protocols as well as a full-strength
> general purpose cryptography library.
> 
> II.  Problem Description
> 
> The EVP_VerifyFinal() function from OpenSSL is used to determine if a
> digital signature is valid.  The SSL layer in OpenSSL uses
> EVP_VerifyFinal(), which in several places checks the return value
> incorrectly and treats verification errors as a good signature.  This
> is only a problem for DSA and ECDSA keys.
> 
> III. Impact
> 
> For applications using OpenSSL for SSL connections, an invalid SSL
> certificate may be interpreted as valid.  This could for example be
> used by an attacker to perform a man-in-the-middle attack.
> 
> Other applications which use the OpenSSL EVP API may similarly be
> affected.

The oCert advisory at http://ocert.org/advisories/ocert-2008-016.html
lists BIND and NTP as affected packages.  Don't the base system versions
of those apps also need patching?

	Cheers,

	Matthew


-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW


[-- Attachment #2 --]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREIAAYFAkllMWkACgkQ8Mjk52CukIzwxACfU95u+9VBD5XQRuzWWnvEl40X
kbsAoIA3OqnlhuzB3dINZF+T2rcPK9Xc
=haIW
-----END PGP SIGNATURE-----

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?49653163.4070904>