From owner-freebsd-security@FreeBSD.ORG Wed Apr 9 08:21:54 2014
Date: Wed, 9 Apr 2014 09:21:22 +0100 (BST)
From: Anton Shterenlikht
Message-Id: <201404090821.s398LMg7020616@mech-cluster241.men.bris.ac.uk>
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl
In-Reply-To: <201404082334.s38NYDxr098590@freefall.freebsd.org>
Reply-To: mexas@bris.ac.uk

>From owner-freebsd-security-notifications@freebsd.org Wed Apr 9 00:37:34 2014
>
>IV. Workaround
>
>No workaround is available, but systems that do not use OpenSSL to implement
>the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
>protocols implementation and do not use the ECDSA implementation from OpenSSL
>are not vulnerable.

Please help me find out if my systems are vulnerable.
I use authenticated sendmail with security/cyrus-sasl2:

# grep SENDMAIL /etc/make.conf
SENDMAIL_CFLAGS+= -I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS+= -L/usr/local/lib
SENDMAIL_LDADD+= -lsasl2
#

I also use ssh-keygen(1).

Am I affected?

Is it possible to list a few sample base OS programs
or libraries which are affected?

Apologies if I completely misunderstood the advisory.

Thanks
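
The quoted workaround text ties exposure to two things: using OpenSSL for SSL/TLS, and using its ECDSA code. One way to triage binaries against that wording, as an added example that is not part of the original message or the advisory: classify each binary by which OpenSSL libraries ldd(1) reports. The function names and the sample ldd output are constructed, and ldd sees only dynamic linking, so statically linked or dlopen-loaded OpenSSL is not detected.

```sh
#!/bin/sh
# Added example. Function names and the sample ldd(1) output are constructed.

# classify_ldd: read ldd(1) output on stdin, print one word:
#   tls    - links libssl: the binary uses OpenSSL's SSL/TLS implementation
#   crypto - links libcrypto only: no OpenSSL TLS, but ECDSA code is reachable
#   none   - no dynamically linked OpenSSL library is visible
classify_ldd() {
    awk '
        /libssl\.so/    { ssl = 1 }      # does not match NSS libssl3.so
        /libcrypto\.so/ { crypto = 1 }
        END {
            if (ssl)         print "tls"
            else if (crypto) print "crypto"
            else             print "none"
        }'
}

# triage: print "<path> <class>" for every binary given as an argument.
triage() {
    for bin in "$@"; do
        if [ ! -x "$bin" ]; then
            printf '%-32s %s\n' "$bin" "missing"
            continue
        fi
        printf '%-32s %s\n' "$bin" "$(ldd "$bin" 2>/dev/null | classify_ldd)"
    done
}

# Constructed ldd output (not captured from a real system) for offline checks.
SAMPLE_TLS='/opt/example/example-mta:
    libssl.so.7 => /usr/lib/libssl.so.7 (0x800a00000)
    libcrypto.so.7 => /lib/libcrypto.so.7 (0x800c00000)
    libc.so.7 => /lib/libc.so.7 (0x801000000)'
SAMPLE_CRYPTO='/opt/example/example-keytool:
    libcrypto.so.7 => /lib/libcrypto.so.7 (0x800a00000)
    libc.so.7 => /lib/libc.so.7 (0x800e00000)'
SAMPLE_NONE='/opt/example/example-browser-helper:
    libssl3.so => /usr/local/lib/nss/libssl3.so (0x800a00000)
    libc.so.7 => /lib/libc.so.7 (0x800e00000)'

# Run against real binaries only when paths are supplied on the command line.
if [ "$#" -gt 0 ]; then
    triage "$@"
fi
```
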