Message-ID: <4965A96A.4020604@FreeBSD.org>
Date: Wed, 07 Jan 2009 23:21:14 -0800
From: Doug Barton
Organization: http://www.FreeBSD.org/
To: matt donovan
References: <200901072137.n07LbHwD049781@freefall.freebsd.org> <49653163.4070904@infracaninophile.co.uk> <28283d910901071730if218355pdde2752cccc79b44@mail.gmail.com>
In-Reply-To: <28283d910901071730if218355pdde2752cccc79b44@mail.gmail.com>
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:02.openssl

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

matt donovan wrote:
> On Wed, Jan 7, 2009 at 5:49 PM, Matthew Seaman <m.seaman@infracaninophile.co.uk> wrote:
>> The oCert advisory at http://ocert.org/advisories/ocert-2008-016.html
>> lists BIND and NTP as affected packages. Don't the base system versions
>> of those apps also need patching?
>
> I was told they don't but I believe they do since it's the code inside of
> ntp and bind don't check the return code correctly from what I can tell for
> the OpenSSL EVP API

Please see: https://www.isc.org/node/373 Unless you are using DNSSEC to
verify signatures you're not vulnerable at all.

As usual for non-critical upgrades I will upgrade the ports first so
that those that need the new version(s) can easily get to them in a
hurry, then upgrade the base(s) over the next day or two.

hth,

Doug

- --
This .signature sanitized for your protection

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (FreeBSD)

iEYEAREDAAYFAkllqWoACgkQyIakK9Wy8PsIgACg1+vOtfCdZcw2Wirybm4lLpWD
VUEAnisZEkFBM4I3+8YmLp97Y/z/i8OG
=Uelm
-----END PGP SIGNATURE-----
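
The return-code mistake discussed in this thread, as an added example (not code from the message, OpenSSL, BIND or ntp): EVP_VerifyFinal() returns 1 for a valid signature, 0 for an invalid one and -1 on error, so a caller that only tests for 0 accepts the error case. `toy_verify`, `accept_flawed`, `accept_strict` and the XOR "signature" format are hypothetical stand-ins constructed for illustration.

```c
/* Added illustration, not OpenSSL/BIND/ntp code. toy_verify() is a
 * hypothetical stand-in that only mimics the 1 / 0 / -1 return convention
 * of EVP_VerifyFinal(); the XOR "signature" is constructed, not real crypto. */
#include <stddef.h>
#include <stdio.h>

/* Toy format: sig[0] is a length byte that must be 4, followed by 4 bytes
 * that must equal the first 4 message bytes XOR 0x5a. */
static int toy_verify(const unsigned char *msg, size_t msglen,
                      const unsigned char *sig, size_t siglen)
{
    size_t i;
    if (msglen < 4 || siglen != 5 || sig[0] != 4)
        return -1;                 /* malformed input: an error, not a mismatch */
    for (i = 0; i < 4; i++)
        if ((unsigned char)(msg[i] ^ 0x5a) != sig[i + 1])
            return 0;              /* well-formed, but the signature is wrong */
    return 1;                      /* signature verified */
}

/* Flawed caller: only 0 counts as failure, so the -1 error path is accepted. */
int accept_flawed(const unsigned char *m, size_t ml,
                  const unsigned char *s, size_t sl)
{
    if (!toy_verify(m, ml, s, sl))
        return 0;
    return 1;
}

/* Corrected caller: anything other than exactly 1 is rejected. */
int accept_strict(const unsigned char *m, size_t ml,
                  const unsigned char *s, size_t sl)
{
    return toy_verify(m, ml, s, sl) == 1;
}

/* Constructed sample inputs. */
static const unsigned char MSG[] = { 'd', 'a', 't', 'a' };
static const unsigned char GOOD[] = { 4, 'd' ^ 0x5a, 'a' ^ 0x5a, 't' ^ 0x5a, 'a' ^ 0x5a };
static const unsigned char WRONG[] = { 4, 0, 0, 0, 0 };
static const unsigned char MALFORMED[] = { 9, 0, 0 };

int main(void)
{
    printf("good:      flawed=%d strict=%d\n", accept_flawed(MSG, 4, GOOD, 5), accept_strict(MSG, 4, GOOD, 5));
    printf("wrong:     flawed=%d strict=%d\n", accept_flawed(MSG, 4, WRONG, 5), accept_strict(MSG, 4, WRONG, 5));
    printf("malformed: flawed=%d strict=%d\n", accept_flawed(MSG, 4, MALFORMED, 3), accept_strict(MSG, 4, MALFORMED, 3));
    return 0;
}
```

Only the malformed input separates the two callers, which is why code that never verifies signatures (no DNSSEC validation, in BIND's case) never reaches the flawed branch.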