Date:      Wed, 09 Apr 2014 09:50:25 -0500
From:      Karl Denninger <karl@denninger.net>
To:        Steven Hartland <killing@multiplay.co.uk>, freebsd-security@freebsd.org
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl
Message-ID:  <53455E31.90100@denninger.net>
In-Reply-To: <8A7E8A9A8B034A3498601347FFFF088C@multiplay.co.uk>
References:  <mailman.384.1397005594.1401.freebsd-security@freebsd.org> <20140409142136.GA871@faust.sbb.rs> <53455877.5020006@denninger.net> <8A7E8A9A8B034A3498601347FFFF088C@multiplay.co.uk>


On 4/9/2014 9:47 AM, Steven Hartland wrote:
> ----- Original Message ----- From: "Karl Denninger" <karl@denninger.net>
>
>
>
> On 4/9/2014 9:21 AM, Zoran Kolic wrote:
>>> Advisory claims 10.0 only to be affected. Patches to
>>> branch 9 are not of importance on the same level?
>>>
>>>
>> 9 (and before) were only impacted if you loaded the newer OpenSSL 
>> from ports.  A fair number of people did, however, as a means of 
>> preventing BEAST attack vectors.
>>
>> If you did, then you need to update that and have all your private 
>> keys re-issued.  If you did not then you never had the buggy code in 
>> the first place.
>
> Actually they are vulnerable without any ports install, just not to
> CVE-2014-0160, only CVE-2014-0076, both of which were fixed by
> SA-14:06.openssl
>
>    Regards
>    Steve
Good point -- there is that other advisory in there so "base" 8.x and 
9.x users should update as well.

However, the other problem does not involve the same sort of 
vulnerability to remote "grabs" of data, including authentication 
credentials (and worse, private key data.)

-- 
-- Karl
karl@denninger.net




Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?53455E31.90100>