From owner-freebsd-security@FreeBSD.ORG Thu Apr 10 01:50:44 2014
Date: Thu, 10 Apr 2014 09:50:43 +0800
Subject: Re: freebsd-security Digest, Vol 482, Issue 1
From: Ke-li Dong
To: freebsd-security@freebsd.org

help

2014-04-08 20:00 GMT+08:00 :
> Send freebsd-security mailing list submissions to
> freebsd-security@freebsd.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> or, via email, send a message with subject or body 'help' to
> freebsd-security-request@freebsd.org
>
> You can reach the person managing the list at
> freebsd-security-owner@freebsd.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of freebsd-security digest..."
>
>
> Today's Topics:
>
> 1. http://heartbleed.com/ (Thomas Steen Rasmussen)
> 2. Re: http://heartbleed.com/ (Xin Li)
> 3. Re: http://heartbleed.com/ (Mike Tancsa)
> 4. Re: http://heartbleed.com/ (Xin Li)
> 5. Re: http://heartbleed.com/ (Bryan Drewery)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 07 Apr 2014 22:49:54 +0200
> From: Thomas Steen Rasmussen
> To: freebsd-security@freebsd.org
> Subject: http://heartbleed.com/
> Message-ID: <53430F72.1040307@gibfest.dk>
>
> Hello,
>
> http://heartbleed.com/ describes an openssl vulnerability published
> today. We are going to need an advisory for the openssl in base in
> FreeBSD 10 and we are also going to need an updated port.
>
> The implications of this vulnerability are pretty massive,
> certificates will need to be replaced and so on. I don't want to
> repeat the page, so go read that.
>
> Best regards,
>
> /Thomas Steen Rasmussen
>
> ps. there is a bit on the openssl site too:
> https://www.openssl.org/news/secadv_20140407.txt
>
> ------------------------------
>
> Message: 2
> Date: Mon, 07 Apr 2014 14:02:45 -0700
> From: Xin Li
> To: Thomas Steen Rasmussen, freebsd-security@freebsd.org
> Subject: Re: http://heartbleed.com/
> Message-ID: <53431275.4080906@delphij.net>
>
> Hi, Thomas,
>
> On 04/07/14 13:49, Thomas Steen Rasmussen wrote:
> > Hello,
> >
> > http://heartbleed.com/ describes an openssl vulnerability
> > published today. We are going to need an advisory for the openssl
> > in base in FreeBSD 10 and we are also going to need an updated
> > port.
> >
> > The implications of this vulnerability are pretty massive,
> > certificates will need to be replaced and so on. I don't want to
> > repeat the page, so go read that.
>
> We are already working on this but building, reviewing, etc. would
> take some time.
>
> Attached is the minimal fix (extracted from upstream git repository)
> we are intending to use in the advisory for those who want to apply a
> fix now, please DO NOT use any new certificates before applying fixes.
>
> Cheers,
> --
> Xin LI https://www.delphij.net/
> FreeBSD - The Power to Serve!
> Live free or die
>
> -------------- next part --------------
> Index: crypto/openssl/ssl/d1_both.c
> ===================================================================
> --- crypto/openssl/ssl/d1_both.c (revision 264059)
> +++ crypto/openssl/ssl/d1_both.c (working copy)
> @@ -1458,26 +1458,36 @@ dtls1_process_heartbeat(SSL *s) > unsigned int payload; > unsigned int padding = 16; /* Use minimum padding */ > > + if (s->msg_callback) > + s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, > + &s->s3->rrec.data[0], s->s3->rrec.length, > + s, s->msg_callback_arg); > + > /* Read type and payload length first */ > + if (1 + 2 + 16 > s->s3->rrec.length) > + return 0; /* silently discard */ > hbtype = *p++; > n2s(p, payload); > + if (1 + 2 + payload + 16 > s->s3->rrec.length) > + return 0; /* silently discard per RFC 6520 sec. 4 */ > pl = p; > > - if (s->msg_callback) > - s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, > - &s->s3->rrec.data[0], s->s3->rrec.length, > - s, s->msg_callback_arg); > - > if (hbtype == TLS1_HB_REQUEST) > { > unsigned char *buffer, *bp; > + unsigned int write_length = 1 /* heartbeat type */ + > + 2 /* heartbeat length */ + > + payload + padding; > int r; > > + if (write_length > SSL3_RT_MAX_PLAIN_LENGTH) > + return 0; > + > /* Allocate memory for the response, size is 1 byte > * message type, plus 2 bytes payload length, plus > * payload, plus padding > */ > - buffer = OPENSSL_malloc(1 + 2 + payload + padding); > + buffer = OPENSSL_malloc(write_length); > bp = buffer; > > /* Enter response type, length and copy payload */ > @@ -1488,11 +1498,11 @@ dtls1_process_heartbeat(SSL *s) > /* Random padding */ > RAND_pseudo_bytes(bp, padding); > > - r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + > payload + padding); > + r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, > write_length); > > if (r >= 0 && s->msg_callback) > s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, > - buffer, 3 + payload + padding, > + buffer, write_length, > s, s->msg_callback_arg); > > OPENSSL_free(buffer); > Index: crypto/openssl/ssl/t1_lib.c > =================================================================== > --- crypto/openssl/ssl/t1_lib.c (revision 264059) > +++ crypto/openssl/ssl/t1_lib.c (working copy) 
> @@ -2486,16 +2486,20 @@ tls1_process_heartbeat(SSL *s) > unsigned int payload; > unsigned int padding = 16; /* Use minimum padding */ > > + if (s->msg_callback) > + s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, > + &s->s3->rrec.data[0], s->s3->rrec.length, > + s, s->msg_callback_arg); > + > /* Read type and payload length first */ > + if (1 + 2 + 16 > s->s3->rrec.length) > + return 0; /* silently discard */ > hbtype = *p++; > n2s(p, payload); > + if (1 + 2 + payload + 16 > s->s3->rrec.length) > + return 0; /* silently discard per RFC 6520 sec. 4 */ > pl = p; > > - if (s->msg_callback) > - s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, > - &s->s3->rrec.data[0], s->s3->rrec.length, > - s, s->msg_callback_arg); > - > if (hbtype == TLS1_HB_REQUEST) > { > unsigned char *buffer, *bp; > > ------------------------------ > > Message: 3 > Date: Mon, 07 Apr 2014 22:27:09 -0400 
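Review bot: the added `if (1 + 2 + payload + 16 > s->s3->rrec.length) return 0;` in the first d1_both.c hunk (and the identical line in the t1_lib.c hunk) is the check that closes the over-read: `payload` is read from the peer by `n2s(p, payload)` and previously went straight into `OPENSSL_malloc(1 + 2 + payload + padding)` and the response copy without ever being compared against the received record length. Two smaller points on the same hunk: the `s->msg_callback` block is moved above the new checks, so heartbeats that are now discarded are still reported to the callback, which is a behaviour change worth a sentence in the commit message so it is not read as a cosmetic move; and the first check's comment reads only `/* silently discard */` while the second cites `RFC 6520 sec. 4`, so give both the same reference.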
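Review bot: the t1_lib.c hunk (`@@ -2486,16 +2486,20 @@`) carries only the two record-length checks and the `msg_callback` move; the `write_length` computation and the `write_length > SSL3_RT_MAX_PLAIN_LENGTH` guard added in the d1_both.c hunks have no counterpart here, and the hunk ends at `unsigned char *buffer, *bp;` before the allocation. Either state in the commit message why the TLS path needs no separate upper bound on the response size (the record-length check alone bounding `payload`), or mirror the guard so both code paths read the same.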
> From: Mike Tancsa
> To: d@delphij.net, freebsd-security@freebsd.org
> Subject: Re: http://heartbleed.com/
> Message-ID: <53435E7D.5000801@sentex.net>
>
> On 4/7/2014 5:02 PM, Xin Li wrote:
> > Hi, Thomas,
> >
> > On 04/07/14 13:49, Thomas Steen Rasmussen wrote:
> >> Hello,
> >>
> >> http://heartbleed.com/ describes an openssl vulnerability
> >> published today. We are going to need an advisory for the openssl
> >> in base in FreeBSD 10 and we are also going to need an updated
> >> port.
> >>
> >> The implications of this vulnerability are pretty massive,
> >> certificates will need to be replaced and so on. I don't want to
> >> repeat the page, so go read that.
> >
> > We are already working on this but building, reviewing, etc. would
> > take some time.
>
> Hi,
> The webpage lists
>
> FreeBSD 8.4 (OpenSSL 1.0.1e) and 9.1 (OpenSSL 1.0.1c)
>
> I take it this is only if you installed from the ports, no?
>
> ---Mike
>
> --
> -------------------
> Mike Tancsa, tel +1 519 651 3400
> Sentex Communications, mike@sentex.net
> Providing Internet services since 1994 www.sentex.net
> Cambridge, Ontario Canada http://www.tancsa.com/
>
> ------------------------------
>
> Message: 4
> Date: Mon, 07 Apr 2014 19:29:18 -0700
> From: Xin Li
> To: Mike Tancsa, d@delphij.net, freebsd-security@freebsd.org
> Subject: Re: http://heartbleed.com/
> Message-ID: <53435EFE.4010103@delphij.net>
>
> On 4/7/14, 7:27 PM, Mike Tancsa wrote:
> > On 4/7/2014 5:02 PM, Xin Li wrote:
> >> Hi, Thomas,
> >>
> >> On 04/07/14 13:49, Thomas Steen Rasmussen wrote:
> >>> Hello,
> >>>
> >>> http://heartbleed.com/ describes an openssl vulnerability
> >>> published today. We are going to need an advisory for the
> >>> openssl in base in FreeBSD 10 and we are also going to need an
> >>> updated port.
> >>>
> >>> The implications of this vulnerability are pretty massive,
> >>> certificates will need to be replaced and so on. I don't want
> >>> to repeat the page, so go read that.
> >>
> >> We are already working on this but building, reviewing, etc.
> >> would take some time.
> >
> > Hi, The webpage lists
> >
> > FreeBSD 8.4 (OpenSSL 1.0.1e) and 9.1 (OpenSSL 1.0.1c)
> >
> > I take it this is only if you installed from the ports, no?
>
> That's correct. The OpenSSL shipped with the base system in these two
> releases is not vulnerable because it does not support the extension.
>
> Cheers,
>
> ------------------------------
>
> Message: 5
> Date: Mon, 07 Apr 2014 21:41:25 -0500
> From: Bryan Drewery
> To: freebsd-security@freebsd.org
> Subject: Re: http://heartbleed.com/
> Message-ID: <534361D5.6070109@FreeBSD.org>
>
> On 4/7/2014 3:49 PM, Thomas Steen Rasmussen wrote:
> > Hello,
> >
> > http://heartbleed.com/ describes an openssl vulnerability published
> > today. We are going to need an advisory for the openssl in base in
> > FreeBSD 10 and we are also going to need an updated port.
> >
> > The implications of this vulnerability are pretty massive,
> > certificates will need to be replaced and so on. I don't want to
> > repeat the page, so go read that.
> >
> > Best regards,
> >
> > /Thomas Steen Rasmussen
> >
> > ps. there is a bit on the openssl site too:
> > https://www.openssl.org/news/secadv_20140407.txt
>
> The port has been updated. 1.0.1_10 has the fix.
>
> --
> Regards,
> Bryan Drewery
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>
> ------------------------------
>
> End of freebsd-security Digest, Vol 482, Issue 1
> ************************************************