Date: Wed, 07 Jan 2009 22:49:07 +0000 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:02.openssl Message-ID: <49653163.4070904@infracaninophile.co.uk> In-Reply-To: <200901072137.n07LbHwD049781@freefall.freebsd.org> References: <200901072137.n07LbHwD049781@freefall.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig0E9DB484F36D7C46F781B19C Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: quoted-printable FreeBSD Security Advisories wrote: =20 > I. Background >=20 > FreeBSD includes software from the OpenSSL Project. The OpenSSL Projec= t is > a collaborative effort to develop a robust, commercial-grade, full-feat= ured > Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) > and Transport Layer Security (TLS v1) protocols as well as a full-stren= gth > general purpose cryptography library. >=20 > II. Problem Description >=20 > The EVP_VerifyFinal() function from OpenSSL is used to determine if a > digital signature is valid. The SSL layer in OpenSSL uses > EVP_VerifyFinal(), which in several places checks the return value > incorrectly and treats verification errors as a good signature. This > is only a problem for DSA and ECDSA keys. >=20 > III. Impact >=20 > For applications using OpenSSL for SSL connections, an invalid SSL > certificate may be interpreted as valid. This could for example be > used by an attacker to perform a man-in-the-middle attack. >=20 > Other applications which use the OpenSSL EVP API may similarly be > affected. The oCert advisory at http://ocert.org/advisories/ocert-2008-016.html lists BIND and NTP as affected packages. Don't the base system versions of those apps also need patching? Cheers, Matthew --=20 Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW --------------enig0E9DB484F36D7C46F781B19C Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (FreeBSD) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEAREIAAYFAkllMWkACgkQ8Mjk52CukIzwxACfU95u+9VBD5XQRuzWWnvEl40X kbsAoIA3OqnlhuzB3dINZF+T2rcPK9Xc =haIW -----END PGP SIGNATURE----- --------------enig0E9DB484F36D7C46F781B19C--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?49653163.4070904>