From: Eirik Øverby <ltning@anduin.net>
To: Philip M. Gollucci
Cc: Tim Gustafson, freebsd-security@freebsd.org
Date: Mon, 26 Apr 2010 13:18:45 +0200
Subject: Re: OpenSSL 0.9.8k -> 0.9.8l
Message-Id: <6079C36A-480B-42E6-8717-E9436EFC1130@anduin.net>
In-Reply-To: <4BD10D03.7010201@p6m7g8.com>

On Apr 23, 2010, at 4:59 AM, Philip M. Gollucci wrote:

> On 4/21/2010 1:55 AM, Eirik Øverby wrote:
>> It is a misconception to think that one _has to_ run the latest version
>> (as suggested by dumb network scans) in order to remain compliant (PCI
>> DSS or otherwise). What is needed is that the issues found are either
>> patched or documented to be not applicable.
>
> I completely agree; however, having just achieved PCI certification for
> $work in *this* month -- 2 different (unnamed PCI auditing firms) refused
> to accept OpenSSL had been patched without version number changes.

Then you should report this to the PCI council.

Besides, a common problem with PCI DSS auditors is that they seem to think
that the PCI council are their clients, not you, and subsequently treat you
like trash. Fact is YOU are the client, you are paying for their service,
and you should be paying for their expertise - which is often sorely
lacking.

After asking for a Unix-knowledgeable auditor, we got a guy who had to ask -
and required proof - that grep supported regular expressions.

> Kind of odd considering they said my httpd 2.2.14 was vulnerable to the
> Windows mod_isapi CVE on fbsd but accepted on face value that we can't
> possibly be since it's not Windows and not loaded. Yet the version #
> didn't change here.
>
> Additionally odd, they did accept that 2.2.14 disabled SSL functionality
> to prevent the issue though not fix it. Yet again the version # didn't
> change.

This is as it should be. Though they seem to have arrived at this conclusion
through incompetency rather than through a pragmatic approach.

> Interestingly we have some other equipment that requires the client
> renegotiation but b/c we are leasing it rather than own it, it's out of
> scope.

At this point they are wrong as well. Our VLAN switches were within scope
(as they should be) even though they are simply a part of the ISP service.
We even had to cut off remote management for the switches in order to
ensure that the ISP could only manage them on-site and with our approval
and presence.

> IMHO, it's simply easier to always mod the version string in some way
> rather than trying to argue with them.

Wish I had thought about that one before ;)

/Eirik


From: "Brian A. Seklecki (CFI NOC)" <bseklecki@noc.cfi.pgh.pa.us>
Organization: Collaborative Fusion, Inc. (DRP NOC)
To: Remko Lodder
Cc: freebsd-security@freebsd.org
Date: Tue, 27 Apr 2010 11:31:20 -0400
Subject: Re: OpenSSL CVE-2009-4355
Message-ID: <4BD70348.6010901@noc.cfi.pgh.pa.us>
In-Reply-To: <1264017412.18129.38.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com>

On 1/20/2010 2:56 PM, Brian A. Seklecki wrote:
> Per Daniele Sluijters's inquiry on the 15th, CVE-2009-4355, as
> well as with a provision/draft fix for CVE-2009-3555
> MITM/Renegotiation Vulnerability.

All:

Did anyone ever come to a finding on CVE-2009-4355? Using the comments in
Redhat Bugzilla, I was never able to re-create it on RELENG_6_3.

Of course, RELENG_6_3, RELENG_7_2, and RELENG_8 are still behind OpenSSL
0.9.8m. FreeBSD9-Current seems to have 1.x-latest.

- NetBSD fixed it in 5.0.2:
  http://cvsweb.de.netbsd.org/cgi-bin/cvsweb.cgi/src/crypto/dist/openssl/crypto/comp/Attic/c_zlib.c
- RHEL/Fedora patched their OpenSSL RPMs months ago.

Without widespread working DoS code in the wild, are we happy instead with
patches to userland/ports etc.? Apache httpd 2.2.15 and php5.3.2 in Ports?

Thanks,
~BAS

> I suspect we won't have a patch out for RELENG_6_3 by the 31st?
> But I'm willing to maintain one for another few months.
>
> -------- Forwarded Message --------
> From: OpenSSL
> Reply-to: openssl-users@openssl.org
> To: openssl-users@openssl.org, openssl-announce@openssl.org
> Subject: OpenSSL 1.0.0 beta5 release
> Date: Wed, 20 Jan 2010 19:19:16 +0100
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1