From owner-freebsd-security@FreeBSD.ORG Wed Jan 7 22:49:18 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id EADE1106571F for ; Wed, 7 Jan 2009 22:49:18 +0000 (UTC) (envelope-from m.seaman@infracaninophile.co.uk) Received: from smtp.infracaninophile.co.uk (gate6.infracaninophile.co.uk [IPv6:2001:8b0:151:1::1]) by mx1.freebsd.org (Postfix) with ESMTP id 70A948FC1C for ; Wed, 7 Jan 2009 22:49:18 +0000 (UTC) (envelope-from m.seaman@infracaninophile.co.uk) Received: from happy-idiot-talk.infracaninophile.co.uk (localhost [IPv6:::1]) (authenticated bits=0) by smtp.infracaninophile.co.uk (8.14.3/8.14.3) with ESMTP id n07MnDmR000274 for ; Wed, 7 Jan 2009 22:49:13 GMT (envelope-from m.seaman@infracaninophile.co.uk) X-DKIM: Sendmail DKIM Filter v2.7.2 smtp.infracaninophile.co.uk n07MnDmR000274 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=infracaninophile.co.uk; s=200708; t=1231368554; bh=VKr9h85P2bFmmp mSb3knv+Z0CjLicB1h62MOfTPnE3k=; h=Message-ID:Date:From:MIME-Version: To:Subject:References:In-Reply-To:Content-Type:Cc:Content-Type: Date:From:In-Reply-To:Message-ID:Mime-Version:References:To; z=Mes sage-ID:=20<49653163.4070904@infracaninophile.co.uk>|Date:=20Wed,=2 007=20Jan=202009=2022:49:07=20+0000|From:=20Matthew=20Seaman=20|Organization:=20Infracaninophile|User -Agent:=20Thunderbird=202.0.0.19=20(X11/20090104)|MIME-Version:=201 .0|To:=20freebsd-security@freebsd.org|Subject:=20Re:=20FreeBSD=20Se curity=20Advisory=20FreeBSD-SA-09:02.openssl|References:=20<2009010 72137.n07LbHwD049781@freefall.freebsd.org>|In-Reply-To:=20<20090107 2137.n07LbHwD049781@freefall.freebsd.org>|X-Enigmail-Version:=200.9 5.6|Content-Type:=20multipart/signed=3B=20micalg=3Dpgp-sha256=3B=0D =0A=20protocol=3D"application/pgp-signature"=3B=0D=0A=20boundary=3D "------------enig0E9DB484F36D7C46F781B19C"; b=xunB8l51pdrzaiWjU8VCe hqYA2rm3EyjJdzm+vPAGRAUE5I+Znf3vod7T/si/iVDGkQELKSHAbpYz2F4bMuFnQ7x gH1PESp6OMFzI6RVCC1d/MbnHQnZ6cODXSmKBvznSS4tltJ7mQmApyZHfZAjNmdiaeq oYUKYQ6zv5+UrCJI= Message-ID: <49653163.4070904@infracaninophile.co.uk> Date: Wed, 07 Jan 2009 22:49:07 +0000 From: Matthew Seaman Organization: Infracaninophile User-Agent: Thunderbird 2.0.0.19 (X11/20090104) MIME-Version: 1.0 To: freebsd-security@freebsd.org References: <200901072137.n07LbHwD049781@freefall.freebsd.org> In-Reply-To: <200901072137.n07LbHwD049781@freefall.freebsd.org> X-Enigmail-Version: 0.95.6 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="------------enig0E9DB484F36D7C46F781B19C" X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.0.1 (smtp.infracaninophile.co.uk [IPv6:::1]); Wed, 07 Jan 2009 22:49:14 +0000 (GMT) X-Virus-Scanned: ClamAV 0.94.2/8842/Wed Jan 7 14:06:50 2009 on happy-idiot-talk.infracaninophile.co.uk X-Virus-Status: Clean X-Spam-Status: No, score=-2.9 required=5.0 tests=AWL,BAYES_00,DKIM_SIGNED, DKIM_VERIFIED,NO_RELAYS autolearn=ham version=3.2.5 X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on happy-idiot-talk.infracaninophile.co.uk Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:02.openssl X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 07 Jan 2009 22:49:20 -0000 This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig0E9DB484F36D7C46F781B19C Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: quoted-printable FreeBSD Security Advisories wrote: =20 > I. Background >=20 > FreeBSD includes software from the OpenSSL Project. The OpenSSL Projec= t is > a collaborative effort to develop a robust, commercial-grade, full-feat= ured > Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) > and Transport Layer Security (TLS v1) protocols as well as a full-stren= gth > general purpose cryptography library. >=20 > II. Problem Description >=20 > The EVP_VerifyFinal() function from OpenSSL is used to determine if a > digital signature is valid. The SSL layer in OpenSSL uses > EVP_VerifyFinal(), which in several places checks the return value > incorrectly and treats verification errors as a good signature. This > is only a problem for DSA and ECDSA keys. >=20 > III. Impact >=20 > For applications using OpenSSL for SSL connections, an invalid SSL > certificate may be interpreted as valid. This could for example be > used by an attacker to perform a man-in-the-middle attack. >=20 > Other applications which use the OpenSSL EVP API may similarly be > affected. The oCert advisory at http://ocert.org/advisories/ocert-2008-016.html lists BIND and NTP as affected packages. Don't the base system versions of those apps also need patching? Cheers, Matthew --=20 Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW --------------enig0E9DB484F36D7C46F781B19C Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (FreeBSD) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEAREIAAYFAkllMWkACgkQ8Mjk52CukIzwxACfU95u+9VBD5XQRuzWWnvEl40X kbsAoIA3OqnlhuzB3dINZF+T2rcPK9Xc =haIW -----END PGP SIGNATURE----- --------------enig0E9DB484F36D7C46F781B19C--