From owner-freebsd-security@FreeBSD.ORG Fri Oct 5 16:13:09 2007 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5FDA016A419; Fri, 5 Oct 2007 16:13:09 +0000 (UTC) (envelope-from mike@sentex.net) Received: from smarthost1.sentex.ca (smarthost1.sentex.ca [64.7.153.18]) by mx1.freebsd.org (Postfix) with ESMTP id 1729913C4A5; Fri, 5 Oct 2007 16:13:09 +0000 (UTC) (envelope-from mike@sentex.net) Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by smarthost1.sentex.ca (8.13.8/8.13.8) with ESMTP id l95GD8PA096756; Fri, 5 Oct 2007 12:13:08 -0400 (EDT) (envelope-from mike@sentex.net) Received: from mdt-xp.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.13.8/8.13.3) with ESMTP id l95GD8C0022932 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 5 Oct 2007 12:13:08 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <200710051613.l95GD8C0022932@lava.sentex.ca> X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9 Date: Fri, 05 Oct 2007 12:13:34 -0400 To: "Simon L. Nielsen" From: Mike Tancsa In-Reply-To: <20071005160502.GA1222@zaphod.nitro.dk> References: <46FD7595.8090506@FreeBSD.org> <200710032349.l93Nn8Co011720@lava.sentex.ca> <20071005160502.GA1222@zaphod.nitro.dk> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Cc: freebsd-security@FreeBSD.org Subject: Re: OpenSSL bufffer overflow X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Oct 2007 16:13:09 -0000 At 12:05 PM 10/5/2007, Simon L. Nielsen wrote: >On 2007.10.03 19:49:31 -0400, Mike Tancsa wrote: > > At 05:43 PM 9/28/2007, Stefan Esser wrote: > >> I did not see any commits to the OpenSSL code, recently; is anybody > >> going to commit the fix? > >> > >> See http://www.securityfocus.com/archive/1/480855/30/0 for details ... > > > > How serious is this particular issue ? Is it easily exploitable, or > > difficult to do ? Are some apps more at risk of exploitation > than others ? > > e.g. ssh,apache ? > >(/me kicks mutt again for not showing new mails in mailboxes...) > >Anyway, I don't think it's very likely many people are affected by >this since not many programs call SSL_get_shared_ciphers(). No >application in the base system calls SSL_get_shared_ciphers acording >to grep, other than openssl(1)'s built in ssl client/server. > >I also did a quick grep in apache 2.2 (I think it was 2.2) and it >didn't reference the function either, but this was a quick check so if >it matters to anyone, check yourself. Thanks! I did the same grep, but wasnt sure whether or not that particular function (SSL_get_shared_ciphers) got called by another function in OpenSSL which was originally called by some of the big apps like sendmail,apache and sshd ---Mike