From owner-freebsd-security@FreeBSD.ORG Sat Apr 17 17:56:48 2010
From: Matthew Seaman
Organization: Infracaninophile
Date: Sat, 17 Apr 2010 18:56:43 +0100
To: Tim Gustafson
Cc: freebsd-security@freebsd.org, APseudoUtopia
Subject: Re: OpenSSL 0.9.8k -> 0.9.8l
Message-ID: <4BC9F65B.3030909@infracaninophile.co.uk>
In-Reply-To: <1576323409.700861271520073086.JavaMail.root@mail-01.cse.ucsc.edu>
List-Id: "Security issues [members-only posting]"
On 17/04/2010 17:01:13, Tim Gustafson wrote:
>> This isn't an answer to your question, but you could
>> always use OpenSSL from the ports tree.
>
> I'm hesitant to do so because in the past I've had problems when I've
> used the ports to upgrade base OS-level stuff, like OpenSSL or Sendmail,
> then the buildworld cycle overwrites the ports library and the ports
> library overwrites the OS-level stuff and so on, which in the past has
> caused general mayhem.

This is why you *don't* want to use the overwrite base option. It has
its uses, but for most people it's better to steer clear.

Instead, install OpenSSL 1.0.0 from ports. Make sure your /etc/make.conf
contains this:

    WITH_OPENSSL_PORT= yes

Then rebuild any ports that link against any of the OpenSSL shlibs.
Only ported software gets linked against the ports version of OpenSSL,
so you might want to switch to the ports version of e.g. sendmail.

Note that there are still security bugs in many versions up to and
including 0.9.8m, and you should probably upgrade to at least 0.9.8n:

http://www.openssl.org/news/secadv_20100324.txt

> It seems to me that the exploits purported to exist in 0.9.8k are
> serious enough to merit an upgrade to 0.9.8l for everyone. Is there
> a reason why you wouldn't want to upgrade to 0.9.8l?

The bugs in 0.9.8k (to do with MITM code injection) were worked around
at the time by disabling session renegotiation. Most of the time this
is invisible to end users and solves the vulnerability, but some
applications might cease to work. If your base system is patched up to
date or you've at least applied this:

http://security.freebsd.org/advisories/FreeBSD-SA-09:15.ssl.asc

then it will contain a small patch to the SSL libraries with the
workaround as above.
The OpenSSL version number wasn't bumped, so idiot security scans will
still think you are vulnerable to the MITM attack even though that is
not the case.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
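An added example, not part of Matthew's mail or of the FreeBSD project: a small sh script that classifies which OpenSSL shared libraries each binary resolves to, so that after setting WITH_OPENSSL_PORT and installing the port you can see which ports still pull in the base libssl/libcrypto (or a mix of both) and need rebuilding. It assumes the "file:" plus "lib => path (addr)" layout that FreeBSD's ldd prints for several files, and uses a constructed sample in place of real ldd output; the sonames and paths in that sample are illustrative only.

```shell
#!/bin/sh
# Added example, not from the original mail: classify which OpenSSL shared
# libraries each binary resolves to after security/openssl is installed from
# ports, so ports still linked to base libssl/libcrypto can be rebuilt.
# On a real host feed it:  ldd /usr/local/bin/* /usr/local/sbin/* 2>/dev/null
# classify_openssl_links: reads ldd-style text on stdin ("<binary>:" headers,
# then "<lib> => <path> (<addr>)" lines); prints "<binary> base|ports|mixed|none".
classify_openssl_links() {
    awk '
        function flush() {
            if (bin == "") return
            if (base && ports) kind = "mixed"
            else if (base)     kind = "base"
            else if (ports)    kind = "ports"
            else               kind = "none"
            print bin, kind
            bin = ""; base = 0; ports = 0
        }
        /:$/ { flush(); bin = $1; sub(/:$/, "", bin); next }
        /lib(ssl|crypto)\.so/ {
            if ($3 ~ /^\/usr\/local\/lib\//) ports = 1      # ports OpenSSL
            else if ($3 ~ /^\/(usr\/)?lib\//) base = 1      # base-system OpenSSL
        }
        END { flush() }
    '
}

# rebuild_candidates: binaries that still use base OpenSSL at all (base or mixed)
rebuild_candidates() {
    classify_openssl_links | awk '$2 == "base" || $2 == "mixed" { print $1 }'
}

# Constructed sample ldd output; sonames and paths are illustrative only.
SAMPLE_LDD='/usr/local/sbin/sendmail:
    libssl.so.6 => /usr/lib/libssl.so.6 (0x800a00000)
    libcrypto.so.6 => /usr/lib/libcrypto.so.6 (0x800c00000)
/usr/local/bin/curl:
    libssl.so.7 => /usr/local/lib/libssl.so.7 (0x800a00000)
    libcrypto.so.7 => /usr/local/lib/libcrypto.so.7 (0x800c00000)
/usr/local/bin/mixed-tool:
    libssl.so.7 => /usr/local/lib/libssl.so.7 (0x800a00000)
    libcrypto.so.6 => /usr/lib/libcrypto.so.6 (0x800c00000)
/usr/local/bin/notls:
    libncurses.so.8 => /lib/libncurses.so.8 (0x800a00000)'

printf '%s\n' "$SAMPLE_LDD" | classify_openssl_links
echo "--- rebuild candidates ---"
printf '%s\n' "$SAMPLE_LDD" | rebuild_candidates
```

A binary reported as "mixed" is the overwrite-base mayhem Tim describes: libssl from one build and libcrypto from the other, which is exactly what rebuilding the port against a single OpenSSL fixes.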