Date:      Fri, 19 Apr 2024 08:46:42 -0700
From:      Gordon Tetlow <gordon@tetlows.org>
To:        "Wall, Stephen" <stephen.wall@redcom.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-24:03.unbound
Message-ID:  <B56958C8-B281-4711-99A8-1CAA39C0FF74@tetlows.org>
In-Reply-To: <MW4PR09MB928443FF56B90D1C644AE493EE0D2@MW4PR09MB9284.namprd09.prod.outlook.com>
References:  <MW4PR09MB928443FF56B90D1C644AE493EE0D2@MW4PR09MB9284.namprd09.prod.outlook.com>

You are likely on your own here.

I'm surprised the base system kinit ever worked with OpenSSL in FIPS mode. Given the age of the Heimdal code (and I believe dependence on algorithms that should be deprecated), I would strongly suggest looking at Kerberos in ports as a path forward as they will likely be better supported with modern crypto.

Gordon

> On Apr 19, 2024, at 08:12, Wall, Stephen <stephen.wall@redcom.com> wrote:
>
>
>>
>> FreeBSD-SA-24:03.unbound                                    Security Advisory
>>
>> Topic:          Multiple vulnerabilities in unbound
>
> Since upgrading to p6 in response to this SA, we've found that kinit has started
> failing for us. This looks to be due to aaf2c7fdb8 [1], when it attempts to load
> the legacy OpenSSL provider, which we do not install on our systems.
> Furthermore, it loads the default provider as well, which we specifically do not
> load when systems are configured for FIPS operation.
>
> What is our exposure if we simply revert this commit?  Are there any CVEs
> associated with it?  Is there a way to disable the ciphers at build time that
> can trigger the segfaults?
>
> Or am I on my own resolving this because we do not use the legacy provider (i.e.
> not a default system)?
>
> Thanks for your consideration.
>
> - Steve Wall
>
> [1] https://cgit.freebsd.org/src/commit/?h=releng/14.0&id=aaf2c7fdb81a1dd9de9fc77c9313f4e60e68fa76
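The thread turns on which OpenSSL 3 providers a host actually has loaded: Steve's FIPS-configured systems ship without the legacy provider and deliberately do not load the default one, so a tool that assumes both are present fails. The following is an added example, not code from the thread or from FreeBSD, that parses the output of `openssl list -providers` so an operator can confirm the provider set before updating a host. The sample listings are constructed to mimic OpenSSL 3 output and are not captured from any real system; the provider names checked (default, legacy, fips) are the standard OpenSSL 3 ones.

```shell
#!/bin/sh
# Added example (not from the thread): report which OpenSSL 3 providers are
# active, so a host without the legacy provider can be identified in advance.
# Assumes the `openssl list -providers` text format of OpenSSL 3.x.

# Read provider-list text on stdin; print one active provider name per line.
# Provider names are indented by two spaces; their detail lines by four.
active_providers() {
    awk '
        /^  [^ ]/ { name = $1 }
        /status: active/ && name != "" { print name; name = "" }
    '
}

# Return 0 if provider $2 is listed as active in listing text $1.
provider_active() {
    _listing=$1
    _want=$2
    printf '%s\n' "$_listing" | active_providers | grep -qx "$_want"
}

# Constructed sample: a FIPS-configured host that loads only the fips provider
# (the situation described in the quoted message: no legacy, no default).
SAMPLE_FIPS_ONLY='Providers:
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.9
    status: active'

# Constructed sample: a stock install with legacy activated through openssl.cnf.
SAMPLE_DEFAULT_LEGACY='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.13
    status: active
  legacy
    name: OpenSSL Legacy Provider
    version: 3.0.13
    status: active'

# Query the live system, if an OpenSSL 3 binary is on PATH, and report the
# three providers a Kerberos client might depend on.
check_live() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 2; }
    live=$(openssl list -providers 2>/dev/null) || {
        echo "provider listing unsupported (OpenSSL older than 3?)"; return 2;
    }
    for p in default legacy fips; do
        if provider_active "$live" "$p"; then
            echo "$p: active"
        else
            echo "$p: not loaded"
        fi
    done
}

# Usage: run check_live on the host in question, e.g. before applying an update
# that adds an OSSL_PROVIDER_load("legacy") call. A "legacy: not loaded" result
# on a FIPS host is the condition the quoted message describes.
```

The parser deliberately keys on the `status: active` line rather than on the provider name alone, because a provider can appear in the listing without being activated, and it is the activation state that determines whether a library call to fetch a legacy cipher will succeed.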



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?B56958C8-B281-4711-99A8-1CAA39C0FF74>