Date: Thu, 25 Mar 2021 16:05:20 -0600 From: The Doctor <doctor@doctor.nl2k.ab.ca> To: Matthew Seaman <matthew@freebsd.org> Cc: freebsd-questions@freebsd.org Subject: Re: [matt@openssl.org: [openssl] OpenSSL_1_1_1k create] Message-ID: <YF0JIDFtjlTRI5T/@doctor.nl2k.ab.ca> In-Reply-To: <71cce945-dc94-0fdf-eb3f-718bc0cce195@FreeBSD.org> References: <YFyW/cgImoTNzUtt@doctor.nl2k.ab.ca> <71cce945-dc94-0fdf-eb3f-718bc0cce195@FreeBSD.org>
On Thu, Mar 25, 2021 at 03:38:54PM +0000, Matthew Seaman wrote:
> On 25/03/2021 13:58, The Doctor via freebsd-questions wrote:
> > Will the FreeBSD kernel need updating from 10 to 14 ?
> >
>
> Given that FreeBSD 10 is well out of support, then yes, if these OpenSSL
> problems are important for your use case, then you should upgrade. It
> might be obvious, but "out of support" means "no more security fixes" --
> not everyone seems to get that.
>
> You don't necessarily have to upgrade all the way to 14 (which isn't
> even a released version yet) -- there will be fixes for all of the
> security problems publicised in this OpenSSL release, even if that
> doesn't go as far as importing OpenSSL 1.1.1k on all branches.
>

Here are the full details:

NULL pointer deref in signature_algorithms processing (CVE-2021-3449)
=====================================================================

Severity: High

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation
ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello
omits the signature_algorithms extension (where it was present in the initial
ClientHello), but includes a signature_algorithms_cert extension then a NULL
pointer dereference will result, leading to a crash and a denial of service
attack.

A server is only vulnerable if it has TLSv1.2 and renegotiation enabled
(which is the default configuration). OpenSSL TLS clients are not impacted by
this issue.

All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions
should upgrade to OpenSSL 1.1.1k.

OpenSSL 1.0.2 is not impacted by this issue.

This issue was reported to OpenSSL on 17th March 2021 by Nokia. The fix was
developed by Peter Kästle and Samuel Sapalski from Nokia.

Note
====

OpenSSL 1.0.2 is out of support and no longer receiving public updates.
Extended support is available for premium support customers:
https://www.openssl.org/support/contracts.html

OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind.
The impact of these issues on OpenSSL 1.1.0 has not been analysed.

Users of these versions should upgrade to OpenSSL 1.1.1.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20210325.txt

Note: the online version of the advisory may be updated with additional
details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html

-----BEGIN PGP SIGNATURE-----

> Cheers,
>
> Matthew
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country! Never Satan President Republic! Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism https://www.empire.kred/ROOTNK?t=94a1f39b
The more polluted the mind, the more it thinks it knows good judgement. -unknown
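The practical question behind this thread is which hosts actually need the fix. The following triage helper is an added example, not code from the OpenSSL project, the FreeBSD project, or either poster: it classifies OpenSSL version strings (as reported by `openssl version` or Python's `ssl.OPENSSL_VERSION`) against the ranges the advisory quoted above states for CVE-2021-3449, and applies the advisory's exposure condition (affected build, TLSv1.2 enabled, renegotiation enabled, the latter two being OpenSSL's server defaults). The status names, the function names, and the sample version strings are this example's own inventions. One caveat for FreeBSD specifically: a base-system OpenSSL can carry a backported security fix without a bumped patch letter in its version string, so treat the result as a triage signal and confirm with the relevant FreeBSD security advisory, `freebsd-update`, or `pkg audit` rather than relying on the string alone.

```python
"""Triage helper for CVE-2021-3449 (added example; not OpenSSL or FreeBSD code).

Version ranges follow the advisory text: every OpenSSL 1.1.1 release before
1.1.1k is affected, 1.1.1k fixes the bug, 1.0.2 is not impacted, and 1.1.0 is
out of support and was not analysed.  A server is exposed only when it is
affected AND has both TLSv1.2 and renegotiation enabled.
"""
import re
import ssl

# Matches "OpenSSL 1.1.1k  25 Mar 2021" (output of `openssl version` and the
# value of ssl.OPENSSL_VERSION) as well as bare "1.1.1k" or "1.1.1k-freebsd".
# OpenSSL 1.x patch levels are a single trailing letter; the first release of
# a branch ("1.1.1") has none and sorts before "1.1.1a".  LibreSSL strings are
# deliberately rejected: their numbering is unrelated to this advisory.
_VERSION_RE = re.compile(r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]?)", re.IGNORECASE)

# Status labels are this example's own names, not advisory terminology.
AFFECTED = "affected"                  # 1.1.1 .. 1.1.1j
FIXED = "fixed"                        # 1.1.1k or later on the 1.1.1 branch
NOT_IMPACTED = "not-impacted"          # 1.0.2: advisory says not impacted
UNANALYSED = "unanalysed-unsupported"  # 1.1.0: out of support, not analysed
OUT_OF_SCOPE = "not-covered"           # anything the advisory does not mention


def parse_openssl_version(text):
    """Return (major, minor, fix, letter) parsed from an OpenSSL version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter.lower()


def cve_2021_3449_status(text):
    """Classify one OpenSSL version string against the advisory's ranges."""
    major, minor, fix, letter = parse_openssl_version(text)
    branch = (major, minor, fix)
    if branch == (1, 1, 1):
        # "" (no letter) < "a" < ... < "j" < "k", so plain "1.1.1" is affected.
        return FIXED if letter >= "k" else AFFECTED
    if branch == (1, 0, 2):
        return NOT_IMPACTED
    if branch == (1, 1, 0):
        return UNANALYSED
    return OUT_OF_SCOPE


def server_exposed(text, tls12_enabled=True, renegotiation_enabled=True):
    """True when a TLS server linked against this OpenSSL can be crashed by the
    crafted renegotiation ClientHello.  Both flags default to True because the
    advisory states that is OpenSSL's default server configuration; pass False
    for servers that disable TLSv1.2 or renegotiation (e.g. SSL_OP_NO_RENEGOTIATION)."""
    return (cve_2021_3449_status(text) == AFFECTED
            and tls12_enabled
            and renegotiation_enabled)


def local_status():
    """Version and status of the OpenSSL this Python interpreter is linked against."""
    return ssl.OPENSSL_VERSION, cve_2021_3449_status(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    # Constructed sample inputs in the shape `openssl version` prints; none of
    # these strings were collected from the hosts discussed in the thread.
    samples = [
        "OpenSSL 1.1.1j  16 Feb 2021",
        "OpenSSL 1.1.1k  25 Mar 2021",
        "OpenSSL 1.1.1",
        "OpenSSL 1.0.2u  20 Dec 2019",
        "OpenSSL 1.1.0l  10 Sep 2019",
    ]
    for sample in samples:
        print(f"{sample:32} -> {cve_2021_3449_status(sample)}")
    print("this interpreter:", *local_status())
```

The letter comparison is the only subtle part: OpenSSL 1.1.1 patch levels are single lowercase letters, so a plain string comparison orders them correctly and the unlettered first release sorts first. Anything outside the three branches the advisory names is reported as not covered rather than guessed at.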