Date: Sat, 17 Apr 2010 18:56:43 +0100 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: Tim Gustafson <tjg@soe.ucsc.edu> Cc: freebsd-security@freebsd.org, APseudoUtopia <apseudoutopia@gmail.com> Subject: Re: OpenSSL 0.9.8k -> 0.9.8l Message-ID: <4BC9F65B.3030909@infracaninophile.co.uk> In-Reply-To: <1576323409.700861271520073086.JavaMail.root@mail-01.cse.ucsc.edu> References: <1576323409.700861271520073086.JavaMail.root@mail-01.cse.ucsc.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 17/04/2010 17:01:13, Tim Gustafson wrote: >> This isn't an answer to your question, but you could >> always use OpenSSL from the ports tree. > > I'm hesitant to do so because in the past I've had problem when I've > used the ports to upgrade base OS-level stuff, like OpenSSL or Sendmail, > then the buildworld cycle overwrites the ports library and the ports > library overwrites the OS-level stuff and so on, which in the past has > caused general mayhem. This is why you *don't* want to use the overwrite base option. It has it's uses, but for most people it's better to steer clear. Instead, install OpenSSL 1.0.0 from ports. Make sure your /etc/make.conf contains this: WITH_OPENSSL_PORT= yes Then rebuild any ports that link against any of the OpenSSL shlibs. Only ported software gets linked against the ports version of OpenSSL, so you might want to switch to the ports version of eg. sendmail. Note that there are still security bugs in many versions up to and including 0.9.8m, and you should probably upgrade to at least 0.9.8n: http://www.openssl.org/news/secadv_20100324.txt > It seems to me that the exploits purported to exist in 0.9.8k are > serious enough to merit an upgrade to 0.9.8l for everyone. Is there > a reason why you wouldn't want to upgrade to 0.9.8l? The bugs in 0.9.8k (to do with MITM code injection) were worked around at the time by disabling session renegotiation. Most of the time this is invisible to end users and solves the vulnerability, but some applications might cease to work. If your base system is patched up to date or you've at least applied this: http://security.freebsd.org/advisories/FreeBSD-SA-09:15.ssl.asc then it will contain a small patch to the SSL libraries with the work around as above. The OpenSSL version number wasn't bumped, so idiot security scans will still think you are vulnerable to the MITM attack even though that is not the case. Cheers, Matthew - -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.14 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkvJ9lsACgkQ8Mjk52CukIz5zQCfdf9K0ageAUSDhSlOKJ0V3RGl NM8An3tKJnm0wbccS6EPrtcUTT9IURPa =PZm3 -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4BC9F65B.3030909>