Date: Fri, 19 Apr 2024 15:11:51 +0000
From: "Wall, Stephen" <stephen.wall@redcom.com>
To: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject: RE: FreeBSD Security Advisory FreeBSD-SA-24:03.unbound
Message-ID: <MW4PR09MB928443FF56B90D1C644AE493EE0D2@MW4PR09MB9284.namprd09.prod.outlook.com>
In-Reply-To: <20240328075102.10441343C@freefall.freebsd.org>
> FreeBSD-SA-24:03.unbound Security Advisory
>
> Topic: Multiple vulnerabilities in unbound

Since upgrading to p6 in response to this SA, we've found that kinit has started failing for us. This looks to be due to aaf2c7fdb8 [1], when it attempts to load the legacy OpenSSL provider, which we do not install on our systems. Furthermore, it loads the default provider as well, which we specifically do not load when systems are configured for FIPS operation.

What is our exposure if we simply revert this commit? Are there any CVEs associated with it? Is there a way to disable the ciphers at build time that can trigger the segfaults? Or am I on my own resolving this because we do not use the legacy provider (i.e. not a default system)?

Thanks for your consideration.

- Steve Wall

[1] https://cgit.freebsd.org/src/commit/?h=releng/14.0&id=aaf2c7fdb81a1dd9de9fc77c9313f4e60e68fa76
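The message above turns on which OpenSSL 3 providers a host's configuration activates: a FIPS-configured system is expected to activate only the fips (and base) providers, while the kinit change it describes expects the legacy and default providers to be loadable. The script below is an added example, not part of this thread and not FreeBSD or Heimdal code; it parses an openssl.cnf in the documented provider-section layout (`openssl_conf` -> `providers` -> one section per provider with `activate = 1`) and reports which providers are active, flagging any that a FIPS-only policy should not see. Both configuration texts are constructed samples, and the name of the allowed provider set (`base`, `fips`) is an assumption about the policy, not something the message states.

```python
"""Report which OpenSSL 3 providers an openssl.cnf activates and flag
those outside a FIPS-only policy.  Added example; not FreeBSD/Heimdal code."""
import re

# Constructed sample: a FIPS-only configuration (only base + fips active).
FIPS_ONLY_CNF = """\
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
base = base_sect
fips = fips_sect

[base_sect]
activate = 1

[fips_sect]
activate = 1
"""

# Constructed sample: a non-FIPS configuration that also activates legacy.
LEGACY_CNF = """\
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
"""


def parse_cnf(text):
    """Minimal openssl.cnf parser: returns {section: {key: value}}.
    Keys before the first [section] go into the "" (unnamed) section;
    '#' comments and blank lines are ignored."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[\s*([^\]]+?)\s*\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections


def active_providers(text):
    """Follow openssl_conf -> providers -> per-provider sections and return
    the sorted names of providers whose section sets activate = 1
    (the form used in the OpenSSL documentation; other spellings are
    deliberately treated as inactive)."""
    cfg = parse_cnf(text)
    init_name = cfg[""].get("openssl_conf")
    if init_name is None:
        return []
    prov_sect = cfg.get(init_name, {}).get("providers")
    if prov_sect is None:
        return []
    active = []
    for name, sect in cfg.get(prov_sect, {}).items():
        if cfg.get(sect, {}).get("activate") == "1":
            active.append(name)
    return sorted(active)


def fips_policy_violations(text, allowed=("base", "fips")):
    """Active providers that a FIPS-only policy should not see.
    The allowed set is an assumption for this example."""
    return [p for p in active_providers(text) if p not in allowed]


if __name__ == "__main__":
    for label, cnf in (("fips-only", FIPS_ONLY_CNF), ("legacy", LEGACY_CNF)):
        print(label, "active:", active_providers(cnf),
              "violations:", fips_policy_violations(cnf))
```

Run it against the system's real openssl.cnf by reading the file into `active_providers`; an empty `fips_policy_violations` result means the configuration itself does not load default or legacy, so any such load observed in a process (as described for kinit above) must come from the program rather than from the configuration.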
