From: Ke-li Dong
To: freebsd-security@freebsd.org
Date: Thu, 10 Apr 2014 09:24:53 +0800
Subject: Re: freebsd-security Digest, Vol 482, Issue 3

help

2014-04-09 20:00 GMT+08:00 :

> Send freebsd-security mailing list submissions to
> freebsd-security@freebsd.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> or, via email, send a message with subject or body 'help' to
> freebsd-security-request@freebsd.org
>
> You can reach the person managing the list at
> freebsd-security-owner@freebsd.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of freebsd-security digest..."
>
>
> Today's Topics:
>
> 1. Re: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl
>    (Anton Shterenlikht)
> 2. Re: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl
>    (Lena@lena.kiev.ua)
> 3. Re: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl
>    (Anton Shterenlikht)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 9 Apr 2014 09:21:22 +0100 (BST)
> From: Anton Shterenlikht
> To: freebsd-security@freebsd.org
> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl
> Message-ID: <201404090821.s398LMg7020616@mech-cluster241.men.bris.ac.uk>
>
> >From owner-freebsd-security-notifications@freebsd.org Wed Apr 9 00:37:34 2014
> >
> >IV. Workaround
> >
> >No workaround is available, but systems that do not use OpenSSL to implement
> >the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
> >protocols implementation and do not use the ECDSA implementation from OpenSSL
> >are not vulnerable.
>
> Please help me find out if my systems are vulnerable.
>
> I use authenticated sendmail with security/cyrus-sasl2:
>
> # grep SENDMAIL /etc/make.conf
> SENDMAIL_CFLAGS+= -I/usr/local/include -DSASL=2
> SENDMAIL_LDFLAGS+= -L/usr/local/lib
> SENDMAIL_LDADD+= -lsasl2
> #
>
> I also use ssh-keygen(1).
>
> Am I affected?
>
> Is it possible to list a few sample base OS
> programs or libraries which are affected?
>
> Apologies if I completely misunderstood the advisory.
>
> Thanks
>
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 9 Apr 2014 11:48:09 +0300
> From: Lena@lena.kiev.ua
> To: Anton Shterenlikht
> Cc: freebsd-security@freebsd.org
> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl
> Message-ID: <20140409084809.GA2661@lena.kiev>
> Content-Type: text/plain; charset=us-ascii
>
> > >systems that do not use OpenSSL to implement
> > >the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
> > >protocols implementation and do not use the ECDSA implementation from OpenSSL
> > >are not vulnerable.
> >
> > Please help me find out if my systems are vulnerable.
> >
> > I use authenticated sendmail with security/cyrus-sasl2:
> >
> > # grep SENDMAIL /etc/make.conf
> > SENDMAIL_CFLAGS+= -I/usr/local/include -DSASL=2
> > SENDMAIL_LDFLAGS+= -L/usr/local/lib
> > SENDMAIL_LDADD+= -lsasl2
> > #
> >
> > I also use ssh-keygen(1).
> >
> > Am I affected?
>
> Port mail/sendmail-sasl (sendmail+tls+sasl2-8.14.8) depends on the
> openssl port. You need to upgrade the security/openssl port to
> openssl-1.0.1_10 and restart sendmail.
>
> SSH is not affected.
>
> > Is it possible to list a few sample base OS
> > programs or libraries which are affected?
>
> Besides ports, only FreeBSD 10 base is affected. The recipe was posted here:
> ldd /usr/bin/* /usr/sbin/* /bin/* 2>/dev/null | less
> /ssl
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 9 Apr 2014 11:17:45 +0100 (BST)
> From: Anton Shterenlikht
> To: Lena@lena.kiev.ua, mexas@bris.ac.uk
> Cc: freebsd-security@freebsd.org
> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl
> Message-ID: <201404091017.s39AHjhO024515@mech-cluster241.men.bris.ac.uk>
>
> >From Lena@lena.kiev.ua Wed Apr 9 10:43:40 2014
> >
> >Port mail/sendmail-sasl (sendmail+tls+sasl2-8.14.8) depends on the
> >openssl port. You need to upgrade the security/openssl port to
> >openssl-1.0.1_10 and restart sendmail.
>
> I didn't know about this route of having authenticated
> sendmail. It's not mentioned in the handbook:
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/SMTP-Auth.html
>
> Are you saying mail/sendmail-sasl implements
> exactly the same functionality as rebuilding
> the base OS sendmail, as mentioned in the handbook?
>
> Thanks
>
> Anton
>
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>
> ------------------------------
>
> End of freebsd-security Digest, Vol 482, Issue 3
> ************************************************
>
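
The `ldd` recipe quoted in Message 2 above, written as a filter instead of an interactive `less` search (an added example, not part of the original thread): it groups ldd output by binary and lists the ones that load a given library. The function names, the `libssl` default and the sample ldd output are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which binaries in ldd output load a given library.

# Reads ldd output on stdin and prints "binary<TAB>resolved-path" per match.
# $1 is a library name prefix (hypothetical parameter, default "libssl").
linked_against() {
    awk -v lib="${1:-libssl}" '
        # Header line such as "/usr/bin/fetch:" names the binary that follows.
        /:$/ { bin = substr($0, 1, length($0) - 1); next }
        # Dependency line: "libssl.so.7 => /usr/lib/libssl.so.7 (0x...)"
        $2 == "=>" && index($1, lib ".so") == 1 { print bin "\t" $3 }
    '
}

# Constructed sample in ldd layout (not captured from a real host).
sample_ldd() {
    cat <<'EOF'
/usr/bin/fetch:
	libfetch.so.6 => /usr/lib/libfetch.so.6 (0x800822000)
	libssl.so.7 => /usr/lib/libssl.so.7 (0x800a33000)
	libcrypto.so.7 => /lib/libcrypto.so.7 (0x800c9d000)
	libc.so.7 => /lib/libc.so.7 (0x801092000)
/usr/bin/ssh-keygen:
	libssh.so.5 => /usr/lib/libssh.so.5 (0x800827000)
	libcrypto.so.7 => /lib/libcrypto.so.7 (0x800a79000)
	libc.so.7 => /lib/libc.so.7 (0x800e6e000)
/bin/ls:
	libutil.so.9 => /lib/libutil.so.9 (0x800820000)
	libc.so.7 => /lib/libc.so.7 (0x800a32000)
EOF
}

# On a live system, feed it the recipe from the thread:
#   ldd /usr/bin/* /usr/sbin/* /bin/* 2>/dev/null | linked_against libssl
sample_ldd | linked_against libssl
```

ldd reports only dynamic dependencies, so a statically linked binary will not appear in this listing.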