Date: Fri, 19 Apr 2024 08:46:42 -0700 From: Gordon Tetlow <gordon@tetlows.org> To: "Wall, Stephen" <stephen.wall@redcom.com> Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-24:03.unbound Message-ID: <B56958C8-B281-4711-99A8-1CAA39C0FF74@tetlows.org> In-Reply-To: <MW4PR09MB928443FF56B90D1C644AE493EE0D2@MW4PR09MB9284.namprd09.prod.outlook.com>
index | next in thread | previous in thread | raw e-mail
You are likely on your own here. I’m surprised the base system kinit ever worked with OpenSSL in FIPS mode. Given the age of the Heimdal code (and I believe dependence on algorithms that should be deprecated), I would strongly suggest looking at Kerberos in ports as a path forward as they will likely be better supported with modern crypto. Gordon > On Apr 19, 2024, at 08:12, Wall, Stephen <stephen.wall@redcom.com> wrote: > > >> >> FreeBSD-SA-24:03.unbound Security Advisory >> >> Topic: Multiple vulnerabilities in unbound > > Since upgrading to p6 in response to this SA, we've found that kinit has started > failing for us. This looks to be due to aaf2c7fdb8 [1], when it attempts to load > the legacy OpenSSL provider, which we do not install on our systems. > Furthermore, it loads the default provider as well, which we specifically do not > load when systems are configured for FIPS operation. > > What is our exposure if we simple revert this commit? Are there any CVE's > associated with it? Is there a way to disable the ciphers at build time that > can trigger the segfaults? > > Or am I on my own resolving this because we do not use the legacy provider (I.e. > not a default system)? > > Thanks for your consideration. > > - Steve Wall > > [1] https://cgit.freebsd.org/src/commit/?h=releng/14.0&id=aaf2c7fdb81a1dd9de9fc77c9313f4e60e68fa76home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?B56958C8-B281-4711-99A8-1CAA39C0FF74>