From: Lena@lena.kiev.ua
To: Anton Shterenlikht
Cc: freebsd-security@freebsd.org
Date: Wed, 9 Apr 2014 11:48:09 +0300
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl

> >systems that do not use OpenSSL to implement
> >the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
> >protocols implementation and do not use the ECDSA implementation from OpenSSL
> >are not vulnerable.
>
> Please help me find out if my systems are vulnerable.
>
> I use authenticated sendmail with security/cyrus-sasl2:
>
> # grep SENDMAIL /etc/make.conf
> SENDMAIL_CFLAGS+= -I/usr/local/include -DSASL=2
> SENDMAIL_LDFLAGS+= -L/usr/local/lib
> SENDMAIL_LDADD+= -lsasl2
> #
>
> I also use ssh-keygen(1).
>
> Am I affected?

Port mail/sendmail-sasl (sendmail+tls+sasl2-8.14.8) depends on the openssl port.
You need to upgrade the security/openssl port to openssl-1.0.1_10
and restart sendmail.
SSH is not affected.

> Is it possible to list a few sample base OS
> programs or libraries which are affected?

Besides ports, only FreeBSD 10 base is affected.
The recipe was posted here:

ldd /usr/bin/* /usr/sbin/* /bin/* 2>/dev/null | less
/ssl
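
Added example, not part of the original message: a shell filter that turns the `ldd` recipe above into a list of binaries linking libssl or libcrypto, marked by whether the library comes from the base system or from ports. The function names `ssl_linked` and `sample_ldd`, the sample paths and library versions, and the rule that anything under /usr/local belongs to ports are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not part of the original message.
# ssl_linked: read `ldd` output on stdin and print one line per binary that
# links libssl or libcrypto: "<binary> <base|ports> <library path>".
# Assumption: FreeBSD layout, where ports install under /usr/local and
# everything else belongs to the base system.
ssl_linked() {
    awk '
        # A header line such as "/usr/bin/fetch:" names the binary that follows.
        /^[^ \t].*:$/ { bin = substr($0, 1, length($0) - 1); next }
        # Dependency line: "libssl.so.7 => /usr/lib/libssl.so.7 (0x...)"
        $2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so/ {
            origin = ($3 ~ /^\/usr\/local\//) ? "ports" : "base"
            key = bin SUBSEP $3
            if (!(key in seen)) { seen[key] = 1; print bin, origin, $3 }
        }
    '
}

# Constructed sample resembling ldd output; paths and versions are illustrative.
sample_ldd() {
    cat <<'EOF'
/usr/bin/fetch:
	libfetch.so.6 => /usr/lib/libfetch.so.6 (0x800822000)
	libssl.so.7 => /usr/lib/libssl.so.7 (0x800a33000)
	libcrypto.so.7 => /lib/libcrypto.so.7 (0x800c9d000)
	libc.so.7 => /lib/libc.so.7 (0x801091000)
/usr/local/sbin/sendmail:
	libsasl2.so.3 => /usr/local/lib/libsasl2.so.3 (0x800a4b000)
	libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800c66000)
	libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800ed1000)
/bin/ls:
	libutil.so.9 => /lib/libutil.so.9 (0x800823000)
	libc.so.7 => /lib/libc.so.7 (0x800a35000)
EOF
}

# On a live system: ldd /usr/bin/* /usr/sbin/* /bin/* 2>/dev/null | ssl_linked
# Offline demonstration on the constructed sample:
sample_ldd | ssl_linked
```

`ldd` reports dynamic linkage only, so a statically linked binary will not appear in this list, and the library path alone does not show which OpenSSL version is installed.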