From: FreeBSD Security Advisories
Date: Mon, 29 Nov 2010 21:19:55 GMT
Subject: FreeBSD Security Advisory FreeBSD-SA-10:10.openssl

=============================================================================
FreeBSD-SA-10:10.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSL multiple vulnerabilities

Category:       contrib
Module:         openssl
Announced:      2010-11-29
Credits:        Georgi Guninski, Rob Hulswit
Affects:        FreeBSD 7.0 and later
Corrected:      2010-11-26 22:50:58 UTC (RELENG_8, 8.1-STABLE)
                2010-11-29 20:43:06 UTC (RELENG_8_1, 8.1-RELEASE-p2)
                2010-11-29 20:43:06 UTC (RELENG_8_0, 8.0-RELEASE-p6)
                2010-11-28 13:45:51 UTC (RELENG_7, 7.3-STABLE)
                2010-11-29 20:43:06 UTC (RELENG_7_3, 7.3-RELEASE-p4)
                2010-11-29 20:43:06 UTC (RELENG_7_1, 7.1-RELEASE-p16)
CVE Name:       CVE-2010-2939, CVE-2010-3864

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and
Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

II.  Problem Description

A race condition exists in the OpenSSL TLS server extension code parsing
when used in a multi-threaded application which uses OpenSSL's internal
caching mechanism.  The race condition can lead to a buffer overflow.
[CVE-2010-3864]

A double free exists in the SSL client ECDH handling code when processing
specially crafted public keys with invalid prime numbers.  [CVE-2010-2939]

III. Impact

For affected server applications, an attacker may be able to utilize the
buffer overflow to crash the application or potentially run arbitrary code
with the privileges of the application.  [CVE-2010-3864]

It may be possible to cause a DoS or potentially execute arbitrary code in
the context of the user connection to a malicious SSL server.
[CVE-2010-2939]

IV.  Workaround

No workaround is available, but CVE-2010-3864 only affects FreeBSD 8.0 and
later.  It should also be noted that CVE-2010-3864 affects neither the
Apache HTTP server nor Stunnel.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_1, RELENG_8_0, RELENG_7_3, or RELENG_7_1 security branch dated
after the correction date.
2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.1, 7.3, 8.0
and 8.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-10:10/openssl7.patch
# fetch http://security.FreeBSD.org/patches/SA-10:10/openssl7.patch.asc

[FreeBSD 8.x]
# fetch http://security.FreeBSD.org/patches/SA-10:10/openssl.patch
# fetch http://security.FreeBSD.org/patches/SA-10:10/openssl.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/secure/lib/libssl
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries.  On amd64 systems where the i386
compatibility libraries are used, the operating system should instead be
recompiled as described in .

3) To update your vulnerable system via a binary patch:

Systems running 7.1-RELEASE, 7.3-RELEASE, 8.0-RELEASE or 8.1-RELEASE on
the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.
CVS:

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_7_3
  src/UPDATING                                             1.507.2.34.2.6
  src/sys/conf/newvers.sh                                   1.72.2.16.2.8
  src/crypto/openssl/ssl/s3_clnt.c                       1.1.1.14.2.1.4.1
RELENG_7_1
  src/UPDATING                                            1.507.2.13.2.19
  src/sys/conf/newvers.sh                                   1.72.2.9.2.20
  src/crypto/openssl/ssl/s3_clnt.c                           1.1.1.14.6.2
RELENG_8_1
  src/UPDATING                                             1.632.2.14.2.5
  src/sys/conf/newvers.sh                                   1.83.2.10.2.6
  src/crypto/openssl/ssl/s3_clnt.c                            1.3.2.1.2.1
  src/crypto/openssl/ssl/t1_lib.c                             1.2.2.1.2.1
RELENG_8_0
  src/UPDATING                                              1.632.2.7.2.9
  src/sys/conf/newvers.sh                                    1.83.2.6.2.9
  src/crypto/openssl/ssl/s3_clnt.c                                1.3.4.1
  src/crypto/openssl/ssl/t1_lib.c                                 1.2.4.1
-------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/7/                                                         r215997
releng/7.3/                                                       r216063
releng/7.1/                                                       r216063
stable/8/                                                         r215912
releng/8.0/                                                       r216063
releng/8.1/                                                       r216063
-------------------------------------------------------------------------

VII. References

https://bugzilla.redhat.com/show_bug.cgi?id=649304
http://www.openssl.org/news/secadv_20101116.txt
http://www.mail-archive.com/openssl-dev@openssl.org/msg28043.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2939
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3864

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-10:10.openssl.asc
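A check a defender can run against the corrected patch levels in the "Corrected:" field above, added here as an example and not part of the advisory or of the FreeBSD Project's own tooling: it takes a release string such as the output of uname -r and reports whether that security branch already carries the SA-10:10 fix, and which of the two CVEs still apply when it does not. The function name sa1010_status is assumed; -STABLE checkouts are reported as unknown, because on those branches the fix is identified by source date rather than by a patch level.

```shell
#!/bin/sh
# Added example: classify a FreeBSD release string against the patch levels
# that SA-10:10 lists as corrected. Usage: sh sa1010.sh "$(uname -r)"
sa1010_status() {
    rel=$1                      # e.g. "8.1-RELEASE-p1"
    case $rel in
        *-STABLE|*-CURRENT)
            # Development branches are fixed by checkout date, not -pN.
            echo "unknown: $rel; compare your source date with the correction dates"
            return 2 ;;
    esac
    base=${rel%%-*}             # "8.1"
    plevel=${rel##*-p}          # "1"; equals $rel when there is no -pN suffix
    [ "$plevel" = "$rel" ] && plevel=0
    # Patch level at which each security branch received the fix (from the
    # advisory's Corrected: field).
    case $base in
        8.1) fixed=2 ;;
        8.0) fixed=6 ;;
        7.3) fixed=4 ;;
        7.1) fixed=16 ;;
        *)   echo "unknown: $base is not a security branch covered by SA-10:10"
             return 2 ;;
    esac
    if [ "$plevel" -ge "$fixed" ]; then
        echo "fixed: $rel (SA-10:10 corrected at p$fixed)"
        return 0
    fi
    # Per the Workaround section, CVE-2010-3864 only affects 8.0 and later.
    case $base in
        8.*) cves="CVE-2010-2939 CVE-2010-3864" ;;
        *)   cves="CVE-2010-2939" ;;
    esac
    echo "vulnerable: $rel needs p$fixed ($cves)"
    return 1
}

if [ $# -gt 0 ]; then
    sa1010_status "$1"
fi
```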
From: Michael Scheidell
Date: Tue, 30 Nov 2010 10:01:27 -0500
Subject: any interest in tripwire commercial?

Any interest in Tripwire Commercial version?

I have a client who wants to allow their enterprise tripwire console to be
able to monitor the servers that do the real work (the freebsd servers) as
well as the token windows servers which are being monitored now.

What version would you like to see it on? one of the .[135] versions for
long life?

7.3? amd64? 8.1?

is i386 ok, as long as all the libraries exist?

does everyone put 32 bit compatibility libraries in their amd64 builds?

From: Micheas Herman
Date: Tue, 30 Nov 2010 08:44:32 -0800
Subject: Re: any interest in tripwire commercial?

On Tue, Nov 30, 2010 at 7:01 AM, Michael Scheidell wrote:
> Any interest in Tripwire Commercial version?

Maybe

> I have a client who wants to allow their enterprise tripwire console to be
> able to monitor the servers that do the real work (the freebsd servers) as
> well as the token windows servers which are being monitored now.
>
> What version would you like to see it on? one of the .[135] versions for
> long life?
>
> 7.3? amd64? 8.1?
I tend to use the most current version that I have tested. (IE most
current) I generally use AMD64, but also i386.

> is i386 ok, as long as all the libraries exist?

Probably.

> does everyone put 32 bit compatibility libraries in their amd64 builds?

Never, unless running closed source software. It seems to triple your
attack surface area. You are vulnerable to 64bit exploits, 32bit exploits
and exploits of the translation layer. Sort of lame of security software
to increase your vulnerability.

From: FreeBSD Security Officer
Date: Tue, 30 Nov 2010 16:00:18 -0800
Subject: FreeBSD supported branches update

Hello Everyone,

The branches supported by the FreeBSD Security Officer have been updated
to reflect the EoL (end-of-life) of FreeBSD 6.4 and FreeBSD 8.0.  Since
FreeBSD 6.4 was the last remaining supported release from the FreeBSD 6.x
stable branch, support for the FreeBSD 6.x stable branch has also ended.
The new list of supported branches is below and at
<http://security.freebsd.org/>.

Users of FreeBSD 6.4 and 8.0 are advised to upgrade promptly to a newer
release, either by downloading an updated source tree and building
updates manually, or (for i386 and amd64 systems) using the FreeBSD
Update utility as described in the relevant release announcement.

The FreeBSD Ports Management Team wishes to remind users that November 30
is also the end of support for the Ports Collection for both FreeBSD 6.4
RELEASE and the FreeBSD 6.x STABLE branch.  Neither the infrastructure
nor individual ports are guaranteed to work on these FreeBSD versions
after that date.  A CVS tag will be created for users who cannot upgrade
for some reason, at which time these users are advised to stop tracking
the latest ports CVS repository and use the RELEASE_6_EOL tag instead.
The current supported branches and expected EoL dates are:

+---------------------------------------------------------------------+
|  Branch   |  Release   |  Type  |  Release date   |  Estimated EoL  |
|-----------+------------+--------+-----------------+-----------------|
|RELENG_7   |n/a         |n/a     |n/a              |last release + 2y|
|-----------+------------+--------+-----------------+-----------------|
|RELENG_7_1 |7.1-RELEASE |Extended|January 4, 2009  |January 31, 2011 |
|-----------+------------+--------+-----------------+-----------------|
|RELENG_7_3 |7.3-RELEASE |Extended|March 23, 2010   |March 31, 2012   |
|-----------+------------+--------+-----------------+-----------------|
|RELENG_7_4 |7.4-RELEASE |Extended|not yet          |release + 2 years|
|-----------+------------+--------+-----------------+-----------------|
|RELENG_8   |n/a         |n/a     |n/a              |last release + 2y|
|-----------+------------+--------+-----------------+-----------------|
|RELENG_8_1 |8.1-RELEASE |Extended|July 23, 2010    |July 31, 2012    |
|-----------+------------+--------+-----------------+-----------------|
|RELENG_8_2 |8.2-RELEASE |Normal  |not yet          |release + 1 year |
+---------------------------------------------------------------------+