From owner-svn-doc-head@FreeBSD.ORG Thu Jun 18 05:43:46 2015
Return-Path:
Delivered-To: svn-doc-head@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 5051A4AC; Thu, 18 Jun 2015 05:43:46 +0000 (UTC) (envelope-from delphij@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 3CC409FC; Thu, 18 Jun 2015 05:43:46 +0000 (UTC) (envelope-from delphij@FreeBSD.org)
Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id t5I5hkC3087611; Thu, 18 Jun 2015 05:43:46 GMT (envelope-from delphij@FreeBSD.org)
Received: (from delphij@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id t5I5hjkE087605; Thu, 18 Jun 2015 05:43:45 GMT (envelope-from delphij@FreeBSD.org)
Message-Id: <201506180543.t5I5hjkE087605@svn.freebsd.org>
X-Authentication-Warning: svn.freebsd.org: delphij set sender to delphij@FreeBSD.org using -f
From: Xin LI
Date: Thu, 18 Jun 2015 05:43:45 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r46837 - in head/share: security/advisories security/patches/EN-15:08 xml
X-SVN-Group: doc-head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-doc-head@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: SVN commit messages for the doc tree for head
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 18 Jun 2015 05:43:46 -0000

Author: delphij
Date: Thu Jun 18 05:43:44 2015
New Revision: 46837
URL: https://svnweb.freebsd.org/changeset/doc/46837

Log:
  Add EN-15:08.sendmail.

Added:
  head/share/security/advisories/FreeBSD-EN-15:08.sendmail.asc   (contents, props changed)
  head/share/security/patches/EN-15:08/
  head/share/security/patches/EN-15:08/sendmail.patch   (contents, props changed)
  head/share/security/patches/EN-15:08/sendmail.patch.asc   (contents, props changed)
Modified:
  head/share/xml/notices.xml

Added: head/share/security/advisories/FreeBSD-EN-15:08.sendmail.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-EN-15:08.sendmail.asc	Thu Jun 18 05:43:44 2015	(r46837)
@@ -0,0 +1,157 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-15:08.sendmail Errata Notice + The FreeBSD Project + +Topic: sendmail TLS/DH Interoperability Improvement + +Category: contrib +Module: sendmail +Announced: 2015-06-18 +Credits: Frank Seltzer, Gregory Shapiro +Affects: All supported versions of FreeBSD. +Corrected: 2015-06-17 02:39:10 UTC (stable/10, 10.1-STABLE) + 2015-06-18 05:36:45 UTC (releng/10.1, 10.1-RELEASE-p13) + 2015-06-17 03:11:25 UTC (stable/9, 9.3-STABLE) + 2015-06-18 05:36:45 UTC (releng/9.3, 9.3-RELEASE-p17) + 2015-06-17 03:22:18 UTC (stable/8, 8.4-STABLE) + 2015-06-18 05:36:45 UTC (releng/8.4, 8.4-RELEASE-p31) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +sendmail supports STARTTLS encrypted connections using DHE_EXPORT +ciphers. As part of that support, by default, sendmail employs 1024-bit +DH parameters for server connections and 512-bit DH parameters for +client connections. + +II. Problem Description + +In response to CVE-2015-4000 ("Logjam TLS vulnerability"), OpenSSL and +other encryption packages have begun rejecting 512-bit and lower DH +parameters during negotiation, thereby reducing interoperability. + +III. Impact + +In its default configuration, client connections from sendmail to other +SMTP servers will not be able to negotiate a STARTTLS encrypted session +with SMTP servers which reject 512-bit DH parameters. This may cause +mail deliverability issues for outbound mail. + +IV. Workaround + +To work around this interoperability, sendmail can be configured to use +a 1024 or 2048 bit DH parameter using these steps: + + 1. Edit /etc/mail/`hostname`.mc + 2. 
If a setting for confDH_PARAMETERS does not exist or + exists and is set to a string beginning with '5', + replace it with '1' for 1024-bit or '2' for 2048-bit. + 3. If a setting for confDH_PARAMETERS exists and is set to + a file path, create a new file with: + openssl dhparam -out /path/to/file 2048 + for 2048-bit or: + openssl dhparam -out /path/to/file 1024 + for 1024-bit. + 4. If you have modified your MSP submission configuration + file to enable STARTTLS (not enabled by default), repeat + the above steps for /etc/mail/`hostname`.submit.mc. + 5. Rebuild the .cf file(s): + cd /etc/mail/; make; make install + 6. Restart sendmail: + cd /etc/mail/; make restart + +Systems that do not use sendmail are not affected. + +V. Solution + +A change to the raise the default for sendmail client connections to +1024-bit DH parameters has been committed. + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +2) To update your present system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +3) To update your present system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-15:08/sendmail.patch +# fetch https://security.FreeBSD.org/patches/EN-15:08/sendmail.patch.asc +# gpg --verify sendmail.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart the sendmail daemon(s), or reboot the system. + +VI. 
Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r284491 +releng/8.4/ r284536 +stable/9/ r284488 +releng/9.3/ r284536 +stable/10/ r284485 +releng/10.1/ r284536 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. References + +The latest revision of this Errata Notice is available at +https://security.FreeBSD.org/advisories/FreeBSD-EN-15:08.sendmail.asc +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.5 (FreeBSD) + +iQIcBAEBCgAGBQJVgllYAAoJEO1n7NZdz2rnsY0QAIKcqNxRed97fvmxvL9kX1In +CpdKO0Cso8EhCDOKJzmSYR49QZc6CNtPflbgbK2wktiHptmK87R+xODyIWBR1q8T +peMoevr942gCUZzrA259cLaWJGC7MZer5G9SIsB7cnMJox/QcHmQysDONfu1PRjf +T8T3/q24230PnBBJpR1SNDMOPAc1YLMetEZ3ue72ToG9pd6gAXN8I9N1ZUPY/6dd +9/urhdQnxlX5RB3JnqujueJvCrcstInZ8grtKOmTfPSUcWGL++dwu6YH34ORwKDh +wiI8U+qyg1Lq5vGx6srDOkGAhiSbYi177PV1RCNTxY28yGVvhiiSnLSsIesZBcoB +pVYcefBJeqcXNuQC5jsGKHEbti9X3bhHnThOaOBOvrooEGcc7/DuP02BZiNOWDvV +3axT+iFzJdZ1sZktdUQl65zqVBSDASTFz5uG/nTUFASj0W4+vVEghy6FAxlf3aBO +eV9tqxeUozt0nSb/44n2u2GHRplWWS1KEE3N+skN5IT4RfZaNvTVtZ0s1fRv6Jum +YNut6TGiVIyTACP0JjS2TkGC3kdPrqweZSQ6xnfrgOSCS+3w2nR1aqaGJ3aCIm/b +9ixFFIW03LhBH2fl4Y68+CbAlIgGd0zigbRds1IGxRSUxR8AKBngqC+KQUFCOSnY +snl4x6f2t36abWYgneaP +=mvxv +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-15:08/sendmail.patch ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-15:08/sendmail.patch Thu Jun 18 05:43:44 2015 (r46837) @@ -0,0 +1,24 @@ +Index: contrib/sendmail/src/tls.c +=================================================================== +--- contrib/sendmail/src/tls.c ++++ contrib/sendmail/src/tls.c +@@ -650,7 +650,7 @@ + ** 1024 generate 1024 bit parameters + ** 2048 generate 2048 bit parameters + ** /file/name read parameters from /file/name +- ** default is: 1024 for server, 512 for client (OK? XXX) ++ ** default is: 1024 + */ + + if (bitset(TLS_I_TRY_DH, req)) +@@ -676,8 +676,8 @@ + } + if (dhparam == NULL) + { +- dhparam = srv ? "1" : "5"; +- req |= (srv ? TLS_I_DH1024 : TLS_I_DH512); ++ dhparam = "1"; ++ req |= TLS_I_DH1024; + } + else if (*dhparam == '/') + { Added: head/share/security/patches/EN-15:08/sendmail.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-15:08/sendmail.patch.asc Thu Jun 18 05:43:44 2015 (r46837) 
@@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.5 (FreeBSD) + +iQIcBAABCgAGBQJVglliAAoJEO1n7NZdz2rnAyoQAOEh0lpi5EEM5AkIOapisUzc +Rzd74KDnoPSe7o4WED5neaVpiaf5Z+erWUtXAZ2hcuDQqJi0YRSHJB9YrQxaSI0D +6IopQpsJqslC41Z4WKp13sGzfbANTYvmeKvrxOsz4q+YrzZpHKZYWwozjY0ZXQEK +QjnTNM+CBTZtvp4n+Avs9pPUfOXBqk/d7KDADnOOlai3NANBG3eZnfRSGNcyONBB +ogV8JPqDoubdwk/poNqXsu3aeWOzAAGnvtwhm7a03pxp+1iThmiGw/WRNQaADJq/ +ZDMQhtlCSpyApunesf8qw5LW1KhNU4w2hepVruakUNjHpthTmSLy5NcU8Vw1nZiw +JB6XOT0TGoUhu7zR1uGsKRe1WlBKwSbHk5GNgU2ND4GM1RpViZ3O3dwjAXUXWlFg +WX2LaUt/VO6YM0+Q+PlpKaHHk5c5/vzKNb0SXhPbUzLuBhdo3OID+g5s0QVjE3+E +p34YLwqsL0+oGH7m1+ki62x9oA7PXHn4Y9ye+MSqcK40eTB16Jwx+7pFdIt7zdn8 +20i1KaBK+zEkYaMpuhKECRBUFtb3sFMnvGj7li3LaRmcubB57J8Brs4mbrZb6spo +vkoBr2ntBPXhOeqzIa1eUgS+5DXsayjm7vn055AznzNqMe7wyA9MTEjZvMYcLAF6 +tQxxZbHkTZ7xsFDp5gaU +=7zXU +-----END PGP SIGNATURE----- Modified: head/share/xml/notices.xml ============================================================================== --- head/share/xml/notices.xml Wed Jun 17 14:37:13 2015 (r46836) +++ head/share/xml/notices.xml Thu Jun 18 05:43:44 2015 (r46837) @@ -11,6 +11,14 @@ 6 + 18 + + + FreeBSD-EN-15:08.sendmail + + + + 9
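Review bot: In the FreeBSD-EN-15:08.sendmail.asc hunk, Section V reads "A change to the raise the default for sendmail client connections", which should be "A change to raise the default". Also, Section IV documents confDH_PARAMETERS values '1' for 1024-bit and '2' for 2048-bit, and gives an openssl dhparam 2048 example, while Section V raises the client default only to 1024-bit (the same as the existing server default); a sentence in Section V stating why the default stops at 1024-bit, or pointing operators who want 2048-bit parameters to the Section IV workaround, would help readers decide whether applying the binary patch alone meets their needs.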
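Review bot: In the sendmail.patch hunk at @@ -676,8 +676,8 @@ of contrib/sendmail/src/tls.c, replacing "dhparam = srv ? "1" : "5"; req |= (srv ? TLS_I_DH1024 : TLS_I_DH512);" with "dhparam = "1"; req |= TLS_I_DH1024;" removes the only use of srv and of TLS_I_DH512 visible in this block; confirm srv is still referenced elsewhere in the function so no unused-variable warning appears, and that no other path still relies on TLS_I_DH512 for 512-bit client parameters. The revised comment at @@ -650,7 +650,7 @@ now says only "default is: 1024"; since the old comment distinguished server (1024) from client (512), it should state explicitly that 1024 is now the default for both, so a future reader does not assume the client case was overlooked.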