Date:      Wed, 09 Apr 2014 09:50:25 -0500
From:      Karl Denninger <karl@denninger.net>
To:        Steven Hartland <killing@multiplay.co.uk>, freebsd-security@freebsd.org
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl
Message-ID:  <53455E31.90100@denninger.net>
In-Reply-To: <8A7E8A9A8B034A3498601347FFFF088C@multiplay.co.uk>
References:  <mailman.384.1397005594.1401.freebsd-security@freebsd.org> <20140409142136.GA871@faust.sbb.rs> <53455877.5020006@denninger.net> <8A7E8A9A8B034A3498601347FFFF088C@multiplay.co.uk>

On 4/9/2014 9:47 AM, Steven Hartland wrote:
> ----- Original Message ----- From: "Karl Denninger" <karl@denninger.net>
>
> On 4/9/2014 9:21 AM, Zoran Kolic wrote:
>>> Advisory claims 10.0 only to be affected. Patches to
>>> branch 9 are not of importance on the same level?
>>>
>>>
>> 9 (and before) were only impacted if you loaded the newer OpenSSL
>> from ports.  A fair number of people did, however, as a means of
>> preventing BEAST attack vectors.
>>
>> If you did, then you need to update that and have all your private
>> keys re-issued.  If you did not then you never had the buggy code in
>> the first place.
>
> Actually they are vulnerable without any ports install, just not to
> CVE-2014-0160, only CVE-2014-0076, both of which were fixed by
> SA-14:06.openssl
>
>    Regards
>    Steve
Good point -- there is that other advisory in there so "base" 8.x and
9.x users should update as well.

However, the other problem does not involve the same sort of
vulnerability to remote "grabs" of data, including authentication
credentials (and worse, private key data.)

-- 
-- Karl
karl@denninger.net







