From owner-freebsd-stable@FreeBSD.ORG Mon Oct 20 11:36:01 2014 Return-Path: Delivered-To: freebsd-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 8ABBD407 for ; Mon, 20 Oct 2014 11:36:01 +0000 (UTC) Received: from smarthost1.greenhost.nl (smarthost1.greenhost.nl [195.190.28.81]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 492757ED for ; Mon, 20 Oct 2014 11:36:00 +0000 (UTC) Received: from smtp.greenhost.nl ([213.108.104.138]) by smarthost1.greenhost.nl with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from ) id 1XgBFf-0006i9-C1 for freebsd-stable@freebsd.org; Mon, 20 Oct 2014 13:35:57 +0200 Content-Type: text/plain; charset=iso-8859-15; format=flowed; delsp=yes To: freebsd-stable@freebsd.org Subject: Re: Fwd: FreeBSD Security Advisory FreeBSD-SA-14:18.openssl References: <201409091104.s89B4uhi067535@freefall.freebsd.org> Date: Mon, 20 Oct 2014 13:35:50 +0200 MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: "Ronald Klop" Message-ID: In-Reply-To: User-Agent: Opera Mail/12.17 (Win32) X-Authenticated-As-Hash: 398f5522cb258ce43cb679602f8cfe8b62a256d1 X-Virus-Scanned: by clamav at smarthost1.samage.net X-Spam-Level: / X-Spam-Score: -0.2 X-Spam-Status: No, score=-0.2 required=5.0 tests=ALL_TRUSTED, BAYES_50 autolearn=disabled version=3.3.2 X-Scan-Signature: 6819b1e11a0bfca853cb5292ba4954a6 X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 20 Oct 2014 11:36:01 -0000 Install port security/ca_root_nss and use: fetch --ca-cert=/usr/local/share/certs/ca-root-nss.crt http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch That works. And still checks validity of the https server as long as you trust the ca_root_nss port. But I think it is kind of lame the default certificates from base don't work out of the box. Ronald. On Mon, 20 Oct 2014 12:22:32 +0200, tethys ocean wrote: > I am using FreeBSD 10.0-STABLE on my servers. But according to this > mail > I tried > > [FreeBSD 10.0] > # fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch > # fetch > http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch.asc > # gpg --verify openssl-10.0.patch.asc > > But my server say this below: > > fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch > Certificate verification failed for /C=US/ST=UT/L=Salt Lake City/O=The > USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware > 675119676:error:14090086:SSL > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify > failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1180: > fetch: http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch: > Authentication error > > What should I do ? > > thanx > > > > ---------- Forwarded message ---------- > From: FreeBSD Security Advisories > Date: Tue, Sep 9, 2014 at 2:04 PM > Subject: FreeBSD Security Advisory FreeBSD-SA-14:18.openssl > To: FreeBSD Security Advisories > > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > ============================================================================= > FreeBSD-SA-14:18.openssl Security > Advisory > The FreeBSD > Project > > Topic: OpenSSL multiple vulnerabilities > > Category: contrib > Module: openssl > Announced: 2014-09-09 > Affects: All supported versions of FreeBSD. > Corrected: 2014-08-07 21:04:42 UTC (stable/10, 10.0-STABLE) > 2014-09-09 10:09:46 UTC (releng/10.0, 10.0-RELEASE-p8) > 2014-08-07 21:06:34 UTC (stable/9, 9.3-STABLE) > 2014-09-09 10:13:46 UTC (releng/9.3, 9.3-RELEASE-p1) > 2014-09-09 10:13:46 UTC (releng/9.2, 9.2-RELEASE-p11) > 2014-09-09 10:13:46 UTC (releng/9.1, 9.1-RELEASE-p18) > 2014-08-07 21:06:34 UTC (stable/8, 8.4-STABLE) > 2014-09-09 10:13:46 UTC (releng/8.4, 8.4-RELEASE-p15) > CVE Name: CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, > CVE-2014-3510, > CVE-2014-3509, CVE-2014-3511, CVE-2014-3512, > CVE-2014-5139 > > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit . > > I. Background > > FreeBSD includes software from the OpenSSL Project. The OpenSSL Project > is > a collaborative effort to develop a robust, commercial-grade, > full-featured > Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) > and Transport Layer Security (TLS v1) protocols as well as a > full-strength > general purpose cryptography library. > > II. Problem Description > > The receipt of a specifically crafted DTLS handshake message may cause > OpenSSL > to consume large amounts of memory. [CVE-2014-3506] > > The receipt of a specifically crafted DTLS packet could cause OpenSSL to > leak > memory. [CVE-2014-3507] > > A flaw in OBJ_obj2txt may cause pretty printing functions such as > X509_name_oneline, X509_name_print_ex et al. to leak some information > from > the stack. [CVE-2014-3508] > > OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject > to > a denial of service attack. [CVE-2014-3510] > > The following problems affect FreeBSD 10.0-RELEASE and later: > > If a multithreaded client connects to a malicious server using a resumed > session and the server sends an ec point format extension it could write > up to 255 bytes to freed memory. [CVE-2014-3509] > > A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate > TLS 1.0 instead of higher protocol versions when the ClientHello message > is badly fragmented. [CVE-2014-3511] > > A malicious client or server can send invalid SRP parameters and overrun > an internal buffer. [CVE-2014-3512] > > A malicious server can crash the client with a NULL pointer dereference > by > specifying a SRP ciphersuite even though it was not properly negotiated > with the client. [CVE-2014-5139] > > III. Impact > > A remote attacker may be able to cause a denial of service (application > crash, large memory consumption), obtain additional information, > cause protocol downgrade. Additionally, a remote attacker may be able > to run arbitrary code on a vulnerable system if the application has been > set up for SRP. > > IV. Workaround > > No workaround is available. > > V. Solution > > Perform one of the following: > > 1) Upgrade your vulnerable system to a supported FreeBSD stable or > release / security branch (releng) dated after the correction date. > > 2) To update your vulnerable system via a source code patch: > > The following patches have been verified to apply to the applicable > FreeBSD release branches. > > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. > > [FreeBSD 10.0] > # fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch > # fetch > http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch.asc > # gpg --verify openssl-10.0.patch.asc > > [FreeBSD 9.3] > # fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-9.3.patch > # fetch > http://security.FreeBSD.org/patches/SA-14:18/openssl-9.3.patch.asc > # gpg --verify openssl-9.3.patch.asc > > [FreeBSD 9.2, 9.1, 8.4] > # fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-9.patch > # fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-9.patch.asc > # gpg --verify openssl-9.patch.asc > > b) Apply the patch. Execute the following commands as root: > > # cd /usr/src > # patch < /path/to/patch > > c) Recompile the operating system using buildworld and installworld as > described in . > > Restart all deamons using the library, or reboot the system. > > 3) To update your vulnerable system via a binary patch: > > Systems running a RELEASE version of FreeBSD on the i386 or amd64 > platforms can be updated via the freebsd-update(8) utility: > > # freebsd-update fetch > # freebsd-update install > > VI. Correction details > > The following list contains the correction revision numbers for each > affected branch. > > Branch/path Revision > - > ------------------------------------------------------------------------- > stable/8/ r269687 > releng/8.4/ r271305 > stable/9/ r269687 > releng/9.1/ r271305 > releng/9.2/ r271305 > releng/9.3/ r271305 > stable/10/ r269686 > releng/10.0/ r271304 > - > ------------------------------------------------------------------------- > > To see which files were modified by a particular revision, run the > following command, replacing NNNNNN with the revision number, on a > machine with Subversion installed: > > # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base > > Or visit the following URL, replacing NNNNNN with the revision number: > > > > VII. References > > > > > > > > > > > > > > > > > > > > The latest revision of this advisory is available at > > -----BEGIN PGP SIGNATURE----- > > iQIcBAEBCgAGBQJUDtUBAAoJEO1n7NZdz2rnOUoP/jNoEEPVt1RoVPQoOQc6vno5 > 2HXcCDsu0ql3kCNIIZ7E6TddfduzV04EMzBrIgulg7eXft+Lnx6HlEgJOo7QLImc > aWLWxjcbyby6wrbYOc+FLK11yx9/uZJF0VCdSeyzhy0EFD3tOZPsDMXKZmG7FRkg > 6A7ENJU25Mx8V1myzHw/VfDwAHCtXHliFVVE0CUku55pYnlhMeetu/wuB6KYbmgV > 1WUamiHEGl4Dh4Up7nGHYYm32kqZLaE+cf1Ovc2VGT98ZyXmCgDB4+8kkA/HZxxp > DRgQlojeQhahee5MmzD+wMJXlq6dekoo+JVf22+Nb+oNmlKT6/UxtUhCwW11MLUV > rnOMr3u1JCNvBc+3KroSmtFeEtqh7jx3Ag4w8lS5mJO+wX1/lilbsFxSS/9G65fy > LqHUQSxkuDJ1bNzPfKreBPyUmQlG5t/3DonIDCF9r3sefDN+kxqe1+RwjdNRM0ov > V7OH/AW1NBQtV/F/h0tKCcskvcJo9Q+inAohheLPnWkFj7F2tLNt5TAxsGy7WvFZ > MuQSAXpZkdh7OkhAhBM3Xk+EOv7Qk7zZL5HJ1Lpm6kfJ8wSb4etoUV7oELaDMBz8 > +9r+Vr9GtjSsec2a4tjNIixZKV9bzEhgKP5gsWD/JewhAzF+0bYNa9snOWxzpAYb > j+eW9IT7pEAJK9DtIsDd > =f4To > -----END PGP SIGNATURE----- > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to > "freebsd-security-unsubscribe@freebsd.org" > >