From owner-freebsd-security@FreeBSD.ORG Mon Apr 6 18:58:10 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id F01F410656F3 for ; Mon, 6 Apr 2009 18:58:10 +0000 (UTC) (envelope-from mike@sentex.net) Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by mx1.freebsd.org (Postfix) with ESMTP id A6BE48FC35 for ; Mon, 6 Apr 2009 18:58:10 +0000 (UTC) (envelope-from mike@sentex.net) Received: from mdt-xp.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.14.3/8.14.3) with ESMTP id n36IhGxl052471 for ; Mon, 6 Apr 2009 14:43:16 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <200904061843.n36IhGxl052471@lava.sentex.ca> X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9 Date: Mon, 06 Apr 2009 14:44:01 -0400 To: freebsd-security@freebsd.org From: Mike Tancsa Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Subject: Openssl advisory ? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Apr 2009 18:58:11 -0000 Just wondering if this impacts FreeBSD's version in any significant way ? http://www.openssl.org/news/secadv_20090325.txt ---Mike -------------------------------------------------------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet since 1994 www.sentex.net Cambridge, Ontario Canada www.sentex.net/mike From owner-freebsd-security@FreeBSD.ORG Mon Apr 6 20:54:26 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 71A3A10657A0 for ; Mon, 6 Apr 2009 20:54:26 +0000 (UTC) (envelope-from mark@foster.cc) Received: from QMTA14.emeryville.ca.mail.comcast.net (qmta14.emeryville.ca.mail.comcast.net [76.96.27.212]) by mx1.freebsd.org (Postfix) with ESMTP id 5A26E8FC14 for ; Mon, 6 Apr 2009 20:54:26 +0000 (UTC) (envelope-from mark@foster.cc) Received: from OMTA10.emeryville.ca.mail.comcast.net ([76.96.30.28]) by QMTA14.emeryville.ca.mail.comcast.net with comcast id cD7u1b0030cQ2SLAELhHoP; Mon, 06 Apr 2009 20:41:17 +0000 Received: from [10.2.1.100] ([216.254.13.253]) by OMTA10.emeryville.ca.mail.comcast.net with comcast id cLh11b00d5TbLEG8WLh4iZ; Mon, 06 Apr 2009 20:41:14 +0000 Message-ID: <49DA68DC.1040608@foster.cc> Date: Mon, 06 Apr 2009 13:41:00 -0700 From: Mark Foster User-Agent: Thunderbird 2.0.0.21 (X11/20090318) MIME-Version: 1.0 To: Mike Tancsa References: <200904061843.n36IhGxl052471@lava.sentex.ca> In-Reply-To: <200904061843.n36IhGxl052471@lava.sentex.ca> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org, secteam@FreeBSD.org Subject: Re: Openssl advisory ? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Apr 2009 20:54:27 -0000 Mike Tancsa wrote: > > Just wondering if this impacts FreeBSD's version in any significant way ? > > http://www.openssl.org/news/secadv_20090325.txt > > ---Mike > Looks like ports/133156 is being kept open for the base issue. http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/133156 It should probably be re-assigned to secteam@ -- I hate rascists. Mark D. Foster http://mark.foster.cc/ | http://conshell.net/ From owner-freebsd-security@FreeBSD.ORG Thu Apr 9 22:02:09 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0849310656D4; Thu, 9 Apr 2009 22:02:09 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45]) by mx1.freebsd.org (Postfix) with ESMTP id AFE1E8FC22; Thu, 9 Apr 2009 22:02:08 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) DomainKey-Signature: a=rsa-sha1; q=dns; c=simple; s=one; d=codelabs.ru; h=Received:Date:From:To:Cc:Subject:Message-ID:Reply-To:References:MIME-Version:Content-Type:Content-Disposition:In-Reply-To:Sender; b=RBlIDivdTId6QGmq5sIMXzcbQjX4V+nCRZGknxyOSwIvpaVPoKwgwv+QBnvMidK/2EEgGbSJWbKYXlqXucJ4hlWtHhIZ9wVii+lHNVWaQK/4PBu5nSgz+4d0UopLb+UhG0Sz3m2KZE7L6R1mbrLkcjzlG5nN16U5j1Ds1rQ4arw=; Received: from amnesiac.at.no.dns ([91.78.249.107]) by 0.mx.codelabs.ru with esmtpsa (TLSv1:AES256-SHA:256) id 1Ls20l-000MBA-Ts; Fri, 10 Apr 2009 01:42:16 +0400 Date: Fri, 10 Apr 2009 01:42:13 +0400 From: Eygene Ryabinkin To: Mike Tancsa Message-ID: <9JcZBMdMQ7dwCWEdjJLVlfrtgTg@7qgLKkvX/1U6eu9avhKQpU/1pEI> References: <200904061843.n36IhGxl052471@lava.sentex.ca> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200904061843.n36IhGxl052471@lava.sentex.ca> Sender: rea-fbsd@codelabs.ru Cc: freebsd-security@freebsd.org, secteam@freebsd.org Subject: Re: Openssl advisory ? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: rea-fbsd@codelabs.ru List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Apr 2009 22:02:09 -0000 Mike, *, good day. Mon, Apr 06, 2009 at 02:44:01PM -0400, Mike Tancsa wrote: > Just wondering if this impacts FreeBSD's version in any significant way ? > > http://www.openssl.org/news/secadv_20090325.txt DoS is probably the likiest item that will be visible: CMS is disabled by-default in upstream version and isn't yet present in FreeBSD's OpenSSL (checked 7-STABLE and 8-CURRENT) and the third issue is only present on platforms where sizeof (void *) > sizeof (long). I guess that there could be such platforms (and compilers) on FreeBSD that will produce such result, but I can't name anything. I only know that M$'s Visual Studio will produce sizeof(long) == 4 and sizeof(void *) == 8 on the 64-bit branch. By the way, there is other. older OpenSSL issue that looks unpatched, http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/126446 Side-channel attacks are often hard to conduct and some special curcumstances should hold, but when it is done properly, this could yield very sound results, for example, http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf http://www.openssl.org/news/secadv_20030317.txt Perhaps the second issue could be patched as well? The patch touches only Montgomery multiplication routine and should not interfere with anything else, so it should be rather safe to fix this vulnerability in terms of possible regressions. -- Eygene _ ___ _.--. # \`.|\..----...-'` `-._.-'_.-'` # Remember that it is hard / ' ` , __.--' # to read the on-line manual )/' _/ \ `-_, / # while single-stepping the kernel. `-'" `"\_ ,_.-;_.-\_ ', fsc/as # _.-'_./ {_.' ; / # -- FreeBSD Developers handbook {_.-``-' {_/ #