From owner-freebsd-security@FreeBSD.ORG Sat Aug 30 18:53:53 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 18DA1292 for ; Sat, 30 Aug 2014 18:53:53 +0000 (UTC) Received: from mx1.riseup.net (mx1.riseup.net [198.252.153.129]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "*.riseup.net", Issuer "Gandi Standard SSL CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id EA1BD1C66 for ; Sat, 30 Aug 2014 18:53:52 +0000 (UTC) Received: from berryeater.riseup.net (berryeater-pn.riseup.net [10.0.1.120]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN "*.riseup.net", Issuer "Gandi Standard SSL CA" (not verified)) by mx1.riseup.net (Postfix) with ESMTPS id AD854547F1 for ; Sat, 30 Aug 2014 18:47:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak; t=1409424442; bh=vmkJrkKMj8eBXj3f1q7wfNVbyrU3XdVfZzoLuIzmnWc=; h=Date:From:To:Subject:From; b=Mu9jf7FcbSyLHEAz8SejEiNehurJDa/Baw2UewZ5XSbc/UwRjVHtUgSi4ISLW+sMn M2WGoV3EXsvTXqyDkXHV68F2wjOTHGIP9UyHQSMvxieiCW3R/pCik1HjhFGCE/qJJW xM/2M9dJJjEon9r/cUTG2AHvdzqTaU8aB+kh601k= Received: from [127.0.0.1] (localhost [127.0.0.1]) (Authenticated sender: pkubaj) with ESMTPSA id 9995C42AAC Message-ID: <54021C36.6070709@riseup.net> Date: Sat, 30 Aug 2014 20:47:18 +0200 From: Piotr Kubaj User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:31.0) Gecko/20100101 Thunderbird/31.0 MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: OpenSSL SA Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="Vu4xAbcqW2TGFDXj6lT2k1B2E5rRFfI3H" X-Virus-Scanned: clamav-milter 0.98.4 at mx1 X-Virus-Status: Clean X-Mailman-Approved-At: Sun, 31 Aug 2014 04:14:32 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 30 Aug 2014 18:53:53 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --Vu4xAbcqW2TGFDXj6lT2k1B2E5rRFfI3H Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Hello. According to https://www.openssl.org/news/secadv_20140806.txt there's been a known SA in OpenSSL for 24 days. Since then security/openssl has been updated and there have been updates to head and stable{8,9,10} but there hasn't been any FreeBSD SA. Is it that so@ has somehow forgotten about it, or the vulnerable features are off in bas= e? --Vu4xAbcqW2TGFDXj6lT2k1B2E5rRFfI3H Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBAgAGBQJUAhw2AAoJEC9nKukRsfY+HF0QAKMI3Zvr72p+l/c0hjH9CGPx +7FvLWN+GosMYodFNv+YzEvVcpfVf2zBQFEL55vlz7X1xyN13CyULKfQDc/lnWTL cNbS52lepNNzvlfVd3eoq5O2u+ccAg19tABu/N8Kizuyid5V6uS3jHeb2yuoCrna wun4EfLGOZYwJjAQTzs4m9eocO84rr9i0DZJBIDKaZNqd4XuwmhI0YntujprAS6Y tB2Fo+1GbPzYOVKn9FLW5C574loYXUHcTK+dvQVcIZXjLpTkhAe6W/1KBksmduJm r1jE/1xXLWHY1L4syMwl6Dg01Ow1ZjPrbk08nZ+B0W4bik0mNtytfmX2AApUftRM DQ3XtP8QUzD/M0Gfzgkh2i+AssBvuv8qhG6BiufD/D8/2qwTCm8Ix5KAsAnGzzAO b9Gu5CF7cTfgAJGxw4vKWH6HKP6tSNquyu7PMA5+735s7VjaK58CMAwpJtERAOmM hLfrfbVIFzevQFqR3TqMpE2FmxYlokcK6xlsnX6L/DfalhZUYm0mMiDBNX6BobzH 4ZVVZRrIezFGIzciaUIEX+xi/8QNWo0EDHuo9GPsYtZ0v2eCv0faC7ePRWTDH1eW kuzL7QedzelB21KCoge15C97i8YU6VaaO1bJcAToUsSrEQRC2TrDVc65lRhz5gM+ O57cdqGemCxXZOZqzv3B =cuXt -----END PGP SIGNATURE----- --Vu4xAbcqW2TGFDXj6lT2k1B2E5rRFfI3H-- From owner-freebsd-security@FreeBSD.ORG Sun Aug 31 15:02:20 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id A8CC8F05 for ; Sun, 31 Aug 2014 15:02:20 +0000 (UTC) Received: from mail-qa0-f42.google.com (mail-qa0-f42.google.com [209.85.216.42]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 6B9AD1FD8 for ; Sun, 31 Aug 2014 15:02:19 +0000 (UTC) Received: by mail-qa0-f42.google.com with SMTP id dc16so68576qab.1 for ; Sun, 31 Aug 2014 08:02:13 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=Le6bwHO2wc7znvfhUs9tAfSMYuglLGwuPoZxA7/Do/A=; b=jfGnvCPY6jp/DfQk14DRcWkgUXSqorRcb6NuKcAYEt2G3XRyJoDtdjN8DyvbEW0ODC oliobxLzFL+UKaUCxosbl8oR9F1GKqn3VkOHIx+PYd2STueT1fKD+mv6st+YlO4hP5hp AdwCCnb1i85auzQ7KEkUdSeNwdQFPHaecRbQEhxUNw5DP9FeiYAnVtEy8lAx1k3sLPvk rLeO4G8L11Qcvr509A/K+kvN28I8W1ELw1oHsSYJgwH2g4D4ur7IukEYhLSGOiCRKXvG 8mvwbll5YbKQwTJ3n1ECLR+UmlDizId+7CQZW4k2ydFRbksCgBJkxCeXEkGLB73tIu3V GXtQ== X-Gm-Message-State: ALoCoQkVNSpfGZicmHKUoge4Gq6b6MhoHSQlRWpVdWn04CjE9iVuXGzOXo+RQmkxWwjWS7eo2OUg MIME-Version: 1.0 X-Received: by 10.140.18.211 with SMTP id 77mr33970191qgf.57.1409497332960; Sun, 31 Aug 2014 08:02:12 -0700 (PDT) Received: by 10.140.103.77 with HTTP; Sun, 31 Aug 2014 08:02:12 -0700 (PDT) In-Reply-To: <54021C36.6070709@riseup.net> References: <54021C36.6070709@riseup.net> Date: Sun, 31 Aug 2014 08:02:12 -0700 Message-ID: Subject: Re: OpenSSL SA From: Brandon Vincent To: Piotr Kubaj Content-Type: text/plain; charset=UTF-8 Cc: freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 31 Aug 2014 15:02:20 -0000 On Sat, Aug 30, 2014 at 11:47 AM, Piotr Kubaj wrote: > Hello. According to https://www.openssl.org/news/secadv_20140806.txt > there's been a known SA in OpenSSL for 24 days. Since then > security/openssl has been updated and there have been updates to head > and stable{8,9,10} but there hasn't been any FreeBSD SA. Is it that so@ > has somehow forgotten about it, or the vulnerable features are off in base? It looks like OpenSSL 1.0.1i (which fixes all the issues in the SA from upstream) was merged into stable on August 7th. The announcement from FreeBSD was probably accidentally not published. Brandon Vincent From owner-freebsd-security@FreeBSD.ORG Sun Aug 31 15:12:01 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 54B2129A for ; Sun, 31 Aug 2014 15:12:01 +0000 (UTC) Received: from mail-qc0-f175.google.com (mail-qc0-f175.google.com [209.85.216.175]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 154861178 for ; Sun, 31 Aug 2014 15:12:00 +0000 (UTC) Received: by mail-qc0-f175.google.com with SMTP id c9so4440280qcz.34 for ; Sun, 31 Aug 2014 08:11:54 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=fM3Iu6r4gNoscqiH9mkBaDKgDRLDtzrcJCiVJRPwRUI=; b=NJovbzrYhgCG/NhcViWhtdwZ06tkRzRP3BCVIELmmePmCwHeaHqHXsVN+Pr1U0TBYR 7uygI8AHbk/IPIgKqDCLdGXrmZAdhx0cJQV7rqWGX5XjAQNyz2rsZ1x3oGA44H/czIr2 t7wI52Rz26UsZ0WejSmTj9CkOZ83Opw11sveUl9qgH5qutFAVlL8UFqTmuK4SwYy6eaM 74FtT0+HwlsdWCw1OGcdSQRCq6dPD5laSUSYJebZlG/69FPNk+pLZ8TD704w44Aq0oZz B/OIr5VgDhpSXkPCAX7y5JRZEvi7LeV6qSBqu8cRDB0bOiYBAzseQ446WX/GuoPR/SnO hRgQ== X-Gm-Message-State: ALoCoQm3o+ts7/ZSC9hiSZFpPpls2Ql8KGmM2AYv5NleLJZQ/jXdhuHX5RZR4YvlEwXTlLKirz3F MIME-Version: 1.0 X-Received: by 10.140.102.117 with SMTP id v108mr33917515qge.93.1409497913980; Sun, 31 Aug 2014 08:11:53 -0700 (PDT) Received: by 10.140.103.77 with HTTP; Sun, 31 Aug 2014 08:11:53 -0700 (PDT) In-Reply-To: <7e908bef-461c-4daf-a1c7-865e37be538c@email.android.com> References: <54021C36.6070709@riseup.net> <7e908bef-461c-4daf-a1c7-865e37be538c@email.android.com> Date: Sun, 31 Aug 2014 08:11:53 -0700 Message-ID: Subject: Re: OpenSSL SA From: Brandon Vincent To: Piotr Kubaj Content-Type: text/plain; charset=UTF-8 Cc: freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 31 Aug 2014 15:12:01 -0000 On Sun, Aug 31, 2014 at 8:05 AM, Piotr Kubaj wrote: > Yes, I wrote in the original mail that there have been updates to stable/{8,9,10}. What I meant by the lack of SA is that there were no updates to releng/. releng/10.1 will not be created until October 3rd. releng/10.0 is frozen. https://www.freebsd.org/releng/ https://www.freebsd.org/releases/10.1R/schedule.html Brandon Vincent From owner-freebsd-security@FreeBSD.ORG Sun Aug 31 15:05:36 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 47C8F8F for ; Sun, 31 Aug 2014 15:05:36 +0000 (UTC) Received: from mx1.riseup.net (mx1.riseup.net [198.252.153.129]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "*.riseup.net", Issuer "Gandi Standard SSL CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 25EB21016 for ; Sun, 31 Aug 2014 15:05:35 +0000 (UTC) Received: from plantcutter.riseup.net (plantcutter-pn.riseup.net [10.0.1.121]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN "*.riseup.net", Issuer "Gandi Standard SSL CA" (not verified)) by mx1.riseup.net (Postfix) with ESMTPS id 62C9E53665; Sun, 31 Aug 2014 08:05:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak; t=1409497534; bh=yLe0PE4NMAoMm1v3/PQ+jb8j2CMYvSrt7H6dCXJpoWQ=; h=In-Reply-To:References:Subject:From:Date:To:From; b=YceOuu8Bvn+NfTps7kJJ3nXrx0Hk8GoouEQ0Oi2eUiICNHpshbY0LNRQZfHv8NzjC mZDvgE3rXbeb6SdFblsBy2DtRYBQTTA/snagrZ9QKkI1dUY0mtOe7TkNZe/T2C/Lu4 4qthJ9IIIRHm7+A7Ifk+vzloQNWjC6U0UOSqROBY= Received: from [127.0.0.1] (localhost [127.0.0.1]) (Authenticated sender: pkubaj) with ESMTPSA id BBDE921F27 User-Agent: K-9 Mail for Android In-Reply-To: References: <54021C36.6070709@riseup.net> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset=UTF-8 Subject: Re: OpenSSL SA From: Piotr Kubaj Date: Sun, 31 Aug 2014 17:05:23 +0200 To: Brandon Vincent ,freebsd-security@freebsd.org Message-ID: <7e908bef-461c-4daf-a1c7-865e37be538c@email.android.com> X-Virus-Scanned: clamav-milter 0.98.4 at mx1 X-Virus-Status: Clean X-Mailman-Approved-At: Sun, 31 Aug 2014 15:22:48 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 31 Aug 2014 15:05:36 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Yes, I wrote in the original mail that there have been updates to stable/{8,9,10}. What I meant by the lack of SA is that there were no updates to releng/. On 31 sierpnia 2014 17:02:12 CEST, Brandon Vincent wrote: >On Sat, Aug 30, 2014 at 11:47 AM, Piotr Kubaj >wrote: >> Hello. According to https://www.openssl.org/news/secadv_20140806.txt >> there's been a known SA in OpenSSL for 24 days. Since then >> security/openssl has been updated and there have been updates to head >> and stable{8,9,10} but there hasn't been any FreeBSD SA. Is it that >so@ >> has somehow forgotten about it, or the vulnerable features are off in >base? > >It looks like OpenSSL 1.0.1i (which fixes all the issues in the SA >from upstream) was merged into stable on August 7th. The announcement >from FreeBSD was probably accidentally not published. > >Brandon Vincent - -- Wysłane za pomocą K-9 Mail. -----BEGIN PGP SIGNATURE----- Version: APG v1.1.1 iQI8BAEBCgAmBQJUAzmzHxxQaW90ciBLdWJhaiA8cGt1YmFqQGdtYWlsLmNvbT4A CgkQL2cq6RGx9j6yRhAAlVtQn7Ohi1dPe41uyfjwtL9fpp6xY8uHvWRWLoWY2QYm yB7V2vJaLsb0Ysa2MxLf8gTlFZy2l5vfQIWDz36DPytNzEcyrnIjJK2NOmxF8SNu oRs2TnxO3sMgyDz+A50sEquZLINlbJxJWCtccOG/5jYjeP7mON4zw2brNajZmvJF mOqc8KSFNLUmCPHTdd+YvAB1PTFJfrjotd//k6MPPrqr0WU85g3GzxGHSpALFJII TT8sBO4a2PNzLMTxf5JVCpaHmA2v6dUTBTBwstHim2Q1MSEa83gNgBDSk8qfwyy/ FjVcLeDsrLF8M/WVHsSLwATmVp0Y5G3ML9337pLnlBZn1vHJfaS2n12zEAarVYLQ v9+i5ufzu74N+IqnbdUthXv7ZyEM8q7RUdOm+6XN/FzImbnEwPBNIcG00GU+rD1C KGXd3HnEDO2nneA5ijdrC7Hd/q9SJVx0e+X9ZtyDdUvWLnXqQtBVwp9pLLm1ePlH 2SsxTYwYRIH59aK1YG0B4cyHKfd97vd4ezJLq1hGVEKh9RxcO1Mge34FrZuBYMnS KWwwiVnScmPTyPM54cXXmrnhWNUW9kO0DmrYb3sZT97aWqpQPDap+EEGES0ePysF itBjIQyjoNXnwKrDuBhSvn8CHkbTpVMla75UDoU9b+4vexLuxIfB+z418+EdEjs= =hZsB -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Sun Aug 31 19:35:21 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 9CFC89E1 for ; Sun, 31 Aug 2014 19:35:21 +0000 (UTC) Received: from mail-qc0-f171.google.com (mail-qc0-f171.google.com [209.85.216.171]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 5E7071F41 for ; Sun, 31 Aug 2014 19:35:20 +0000 (UTC) Received: by mail-qc0-f171.google.com with SMTP id x3so4519646qcv.2 for ; Sun, 31 Aug 2014 12:35:19 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=ljeFz1qGgt6litGW3MBJw2ygvHvFoKixaY4xpj7n5X8=; b=ZuYXvuuvmwFgb8+ii2iqku0gIt3whTxj1+jWyk2TKsELM53cYXV5U2JuUR6d0JR7iZ LBX+OPSFEm+JmAmUqS7DG8ZmpH8O4U2Zsth+n8jjwKg3/tcgtHNHT7h+YrRJBoqQ5h1q j+KJfSn09Dgroq6cHfbA1OXmPQfT5Te/WjN1PTQLMykNRbhG2x2hy0jtA8U9Hvo48uoS U8nub02a+H26etWXiDQwp+XjQYke1ggm4jTOF2nTVdqt6dYUtvwb+9YXkQ9zchXB4nTa v2hiMTvyWXOjTcB2yqE+5mxRqNuoR51Q1oXy7uc0V5K0JcQYCbwt/fleWJChCQnD/BzR zhFQ== X-Gm-Message-State: ALoCoQnqIV4L44x/G9FUaqRv1MZpSupiOLuMuWrDe80B072pwEMYTcDSEkrItJXSCRQ0VX1VIz4S MIME-Version: 1.0 X-Received: by 10.224.28.133 with SMTP id m5mr38504105qac.16.1409513719727; Sun, 31 Aug 2014 12:35:19 -0700 (PDT) Received: by 10.140.103.77 with HTTP; Sun, 31 Aug 2014 12:35:19 -0700 (PDT) In-Reply-To: <54037202.7040307@riseup.net> References: <54021C36.6070709@riseup.net> <54033A15.5080804@hyjazi.me> <54037202.7040307@riseup.net> Date: Sun, 31 Aug 2014 12:35:19 -0700 Message-ID: Subject: Re: OpenSSL SA From: Brandon Vincent To: Piotr Kubaj Content-Type: text/plain; charset=UTF-8 Cc: Hassane HYJAZI , freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 31 Aug 2014 19:35:21 -0000 You should contact re@. Brandon Vincent From owner-freebsd-security@FreeBSD.ORG Sun Aug 31 19:48:27 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 53613F04; Sun, 31 Aug 2014 19:48:27 +0000 (UTC) Received: from mx1.sbone.de (bird.sbone.de [46.4.1.90]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "mx1.sbone.de", Issuer "SBone.DE" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 0690B10C3; Sun, 31 Aug 2014 19:48:26 +0000 (UTC) Received: from mail.sbone.de (mail.sbone.de [IPv6:fde9:577b:c1a9:31::2013:587]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mx1.sbone.de (Postfix) with ESMTPS id C123D25D3815; Sun, 31 Aug 2014 19:48:23 +0000 (UTC) Received: from content-filter.sbone.de (content-filter.sbone.de [IPv6:fde9:577b:c1a9:31::2013:2742]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.sbone.de (Postfix) with ESMTPS id DF166C770B1; Sun, 31 Aug 2014 19:48:22 +0000 (UTC) X-Virus-Scanned: amavisd-new at sbone.de Received: from mail.sbone.de ([IPv6:fde9:577b:c1a9:31::2013:587]) by content-filter.sbone.de (content-filter.sbone.de [fde9:577b:c1a9:31::2013:2742]) (amavisd-new, port 10024) with ESMTP id w2fXN1fJlHVP; Sun, 31 Aug 2014 19:48:21 +0000 (UTC) Received: from [IPv6:fde9:577b:c1a9:4410:a55d:f413:a21:2e9] (unknown [IPv6:fde9:577b:c1a9:4410:a55d:f413:a21:2e9]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by mail.sbone.de (Postfix) with ESMTPSA id CC9CEC770B0; Sun, 31 Aug 2014 19:48:20 +0000 (UTC) Content-Type: text/plain; charset=windows-1252 Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\)) Subject: Re: OpenSSL SA From: "Bjoern A. Zeeb" In-Reply-To: Date: Sun, 31 Aug 2014 19:48:06 +0000 Content-Transfer-Encoding: quoted-printable Message-Id: <6658AC70-0242-4B92-B5EB-3EEC44784884@FreeBSD.org> References: <54021C36.6070709@riseup.net> <54033A15.5080804@hyjazi.me> <54037202.7040307@riseup.net> To: freebsd-security@freebsd.org X-Mailer: Apple Mail (2.1878.6) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 31 Aug 2014 19:48:27 -0000 On 31 Aug 2014, at 19:35 , Brandon Vincent = wrote: > You should contact re@. No, this is the job of the security team/officer. I am Bcc:ing them to = have a look at this thread (though they should see it anyway;-) =97=20 Bjoern A. Zeeb "Come on. Learn, goddamn it.", WarGames, 1983 From owner-freebsd-security@FreeBSD.ORG Sun Aug 31 19:05:49 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 120D51A5 for ; Sun, 31 Aug 2014 19:05:49 +0000 (UTC) Received: from mx1.riseup.net (mx1.riseup.net [198.252.153.129]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "*.riseup.net", Issuer "Gandi Standard SSL CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id DB48B1C81 for ; Sun, 31 Aug 2014 19:05:48 +0000 (UTC) Received: from berryeater.riseup.net (berryeater-pn.riseup.net [10.0.1.120]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN "*.riseup.net", Issuer "Gandi Standard SSL CA" (not verified)) by mx1.riseup.net (Postfix) with ESMTPS id 4928D4FB1A; Sun, 31 Aug 2014 12:05:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak; t=1409511942; bh=JHa6C7EzdrOM01HwfS3PZs8A1oRddjsKx4MQ6/IFCrA=; h=Date:From:To:CC:Subject:References:In-Reply-To:From; b=SpPXQqqBflJL+ntOuwVo+v4LfVkJZ+I2gO2JkyicRhsqlHtVpPYuzRvWEKSynDVW3 OgacMRWcQvNYFUsP3CM60lPSEPcTQJBTUGdssEiiihUMiJrUXyObQBQhyXt+/iSdXv 7IJXnIPfLgec1O7TMlb+vydaxuSZ5zFgMaOYa0Es= Received: from [127.0.0.1] (localhost [127.0.0.1]) (Authenticated sender: pkubaj) with ESMTPSA id 6569042B76 Message-ID: <54037202.7040307@riseup.net> Date: Sun, 31 Aug 2014 21:05:38 +0200 From: Piotr Kubaj User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:31.0) Gecko/20100101 Thunderbird/31.0 MIME-Version: 1.0 To: Hassane HYJAZI , Brandon Vincent Subject: Re: OpenSSL SA References: <54021C36.6070709@riseup.net> <54033A15.5080804@hyjazi.me> In-Reply-To: <54033A15.5080804@hyjazi.me> Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="PK9R0UBlvdxF8GQ9gL4hM4rvxRT2xrGwf" X-Virus-Scanned: clamav-milter 0.98.4 at mx1 X-Virus-Status: Clean X-Mailman-Approved-At: Sun, 31 Aug 2014 20:26:04 +0000 Cc: freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 31 Aug 2014 19:05:49 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --PK9R0UBlvdxF8GQ9gL4hM4rvxRT2xrGwf Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On 08/31/2014 17:07, Hassane HYJAZI wrote: > security/openssl version : 1.0.1_15 ~=3D 1.01i (+2patch) fixing all of= this. > check commit history at http://www.freshports.org/security/openssl >=20 >=20 >=20 > Le 30/08/2014 19:47, Piotr Kubaj a =C3=A9crit : >> Hello. According to https://www.openssl.org/news/secadv_20140806.txt >> there's been a known SA in OpenSSL for 24 days. Since then >> security/openssl has been updated and there have been updates to head >> and stable{8,9,10} but there hasn't been any FreeBSD SA. Is it that so= @ >> has somehow forgotten about it, or the vulnerable features are off in >> base? >> >=20 I know about security/openssl and have written about it in my first mail. What I was asking about was a patch to releng/. On 08/31/2014 17:11, Brandon Vincent wrote:> On Sun, Aug 31, 2014 at 8:05 AM, Piotr Kubaj wrote: >> Yes, I wrote in the original mail that there have been updates to stable/{8,9,10}. What I meant by the lack of SA is that there were no updates to releng/. > > releng/10.1 will not be created until October 3rd. releng/10.0 is froze= n. > > https://www.freebsd.org/releng/ > > https://www.freebsd.org/releases/10.1R/schedule.html > > Brandon Vincent > I know what releng/ is, I have been using FreeBSD for 5 years now for just about everything. Sure, some people here remember 3.x, but after 5 years I'm not a noob. I wasn't asking for a whole new version, although they were such updates to releng, see http://svnweb.freebsd.org/base?limit_changes=3D0&view=3Drevision&revision= =3D249029 =2E I was asking for just a simple patch like in http://svnweb.freebsd.org/base?view=3Drevision&revision=3D267104 . Such patches used to be committed, when publishing SA's, but I guess something (?) has changed for worse. --PK9R0UBlvdxF8GQ9gL4hM4rvxRT2xrGwf Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJUA3ICAAoJEC9nKukRsfY+CgwP/2pE7655vfoGYknt76EXOAMr cwJN7IT1+LO2z1oDsWqKxa67FqEvte8q0rBbSIKa6xIGijhX2kiUBZjhW0LxDJLE 2ib0HZ4UfKTXMtpEtMCebrbXk50XbcV7Ha7i5JJ9NCAMiYbjzGscIrofp2aBCo6s yUR7mxavWHu/LGkeGb0KkjaqPj6ycYDTObtLb4OlcxIWYejBtTWvjBMtz5eToqmf qxLA59bpYTqdjpdfKEhQePWeVOpn4H07P0uIxTrztVxh6Wmks91Vruc7D29EZbeL UYkc9c9gTAQPYkVRaHuupZl8GJA3RBlbCxrazUtM0DuFtyniaxzEGt8mnYOS3nA4 huU2sfhCn+aDhMVmM1xgc2cheT6d5QhP3YbV9rmV/gR5zMKME7viLTx8zvnNj9zx 0b0EZJcCTlaSpourEYU7ArcDNRLP3zvzLCtX7gQ5W9+1IRkqoBUS9cfftSVDoIH5 i4lPhAK+UrvnQuSqq9h7QTEjGrHar0TsZC/deR8ruMOFcaPeRKxS/3rlX/c5Y2lC pUdyuw8MjzfLasqlRZFs7A6fR4ugFmWKAXtSchQ91N0kcY5Kj6QeZK3o+fRIrgZu TiY8/QvQ9GmpdnYOWdG9wYv2ZPkYzzQ9HyL10jTeJwTMAtj07Q0Yn4VxGc2cowG3 qyF8kAqJusOn0xSm/5mi =Lte5 -----END PGP SIGNATURE----- --PK9R0UBlvdxF8GQ9gL4hM4rvxRT2xrGwf-- From owner-freebsd-security@FreeBSD.ORG Sun Aug 31 20:44:41 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 06D72653; Sun, 31 Aug 2014 20:44:41 +0000 (UTC) Received: from mx1.riseup.net (mx1.riseup.net [198.252.153.129]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "*.riseup.net", Issuer "Gandi Standard SSL CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id D876F1879; Sun, 31 Aug 2014 20:44:40 +0000 (UTC) Received: from plantcutter.riseup.net (plantcutter-pn.riseup.net [10.0.1.121]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN "*.riseup.net", Issuer "Gandi Standard SSL CA" (not verified)) by mx1.riseup.net (Postfix) with ESMTPS id 83FB3539EA; Sun, 31 Aug 2014 13:44:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak; t=1409517879; bh=oebX80QJ8oabzkSdgxqopTzQTLXbqXfe3A+0IIGoDrg=; h=Date:From:To:CC:Subject:From; b=myf1FIRxv8D/Qx/EoJN04kLRnrWWplo91zSZhpJLR0RzPUBkq+d9DJ+iaG8MLu5XI Z0XhLlxfUoYrh0wix0Y7/QaU3lM32XbqyDeGJ5FITArRFCjs+A373jBDTxFhWO33hM hAOraUdj+6DsXD5vYc0z+PxIIFEcOz9S9x0qI1CE= Received: from [127.0.0.1] (localhost [127.0.0.1]) (Authenticated sender: pkubaj) with ESMTPSA id CF1F422763 Message-ID: <54038934.3050607@riseup.net> Date: Sun, 31 Aug 2014 22:44:36 +0200 From: Piotr Kubaj User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:31.0) Gecko/20100101 Thunderbird/31.0 MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: OpenSSL SA Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="x2O6IdBrT6b489Nvrat0gDfSO6RQkc8PO" X-Virus-Scanned: clamav-milter 0.98.4 at mx1 X-Virus-Status: Clean X-Mailman-Approved-At: Sun, 31 Aug 2014 22:05:01 +0000 Cc: bz@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 31 Aug 2014 20:44:41 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --x2O6IdBrT6b489Nvrat0gDfSO6RQkc8PO Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable That wasn't necessary, as I already mailed both re@ and so@ :) --x2O6IdBrT6b489Nvrat0gDfSO6RQkc8PO Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJUA4k0AAoJEC9nKukRsfY+CkUQAJjksN/7m9cwB+zNxETyPm0F RZKq+tLP62nBPBHZDqXx3gJKgIGcYM50Q/CdCICwqC0FmLoDEObEh6Fuy6GBPUDy HQ/hNw7rhl/IqQMEVXZYWujD6TsS81RXr2i+E82o6pIijzA9yy/kz9C0cRvxMQ8T N2T7BpuWBL2Tkrgg8XuCzUzOscJMHmyrVF/nnIkLrv8mEZOCFeVAX0ohN0wYXZsd cwBAzAS3U57HWCRJcTCr8EkBdT+hYr8Xpgvilw7DV6YQa0Fq8cu18l49OjjFr+AL 0RvmeeirqSxUVoiDC/uVXfNQSDUXTtBmmTVTuCkirHeLYBUUjXqSppuSxIIVdgmC yQXLnR7qQEaZh+4j7u6eBigKj/P7yoNTCYHgfPB14BWHH4bohv39JBx+8SW9Qw+M CP5tHtFAkoWsazEnycm+jqe/f5o/5BNevJ5shTOyYFjHGjgX3PHk50EOw3caUvr1 YUvNOPsarTd41Ajw04IzLv8Tvod4TILcSvgN4ZFJFtIKdNfRPmN+CU62mp3aL2Lj p0VEQ3GpcCoZ2xE1ugNl+efSCwVINnlsFER7wraMy7fw6gczWHPBQS29KIJGYL0o D4l4nSRFcbF2sGiPu01z3CzAyRxqmo6PLh5M8/V+LGVTls0euFiMRkAa/szfwrPs n7OUX1wSz+nJqMOFcGyf =5KaK -----END PGP SIGNATURE----- --x2O6IdBrT6b489Nvrat0gDfSO6RQkc8PO-- From owner-freebsd-security@FreeBSD.ORG Fri Sep 5 08:18:02 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 1FE66E58 for ; Fri, 5 Sep 2014 08:18:02 +0000 (UTC) Received: from mail-we0-x22d.google.com (mail-we0-x22d.google.com [IPv6:2a00:1450:400c:c03::22d]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id AF0671C5A for ; Fri, 5 Sep 2014 08:18:01 +0000 (UTC) Received: by mail-we0-f173.google.com with SMTP id t60so11395501wes.32 for ; Fri, 05 Sep 2014 01:17:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:cc:content-type; bh=IsSBKBBkgnVGyLJdvzkGThQfq5wZ6dyoUp0rL4aipgY=; b=Xsu6FijFIE/pa4nQHpCflqOCMCQn4KFCB0UUCOH8W4juM2XqkXuYRxrBeBfHMe+Tgy GmnUh3Etd/Sr2IZChr4gs77dfN2NJIKTjS2cTkrE4Og+KpSn2mmcR34dOO/l6I7mXPh0 AtYKuu+lGk9hNwqrhmVVH2hUKl6lbaTuQ8nYgvZkc2wqzOxoICTgAvEP0GZR3AsDBy1x o0rOe9RZdQ4NVH5XaENQrDk7PpPWjfwzbiq/gnk8k7Nj8mztYMIuFWffoVpWE+5b72Iu 2eJLhXCaV0ksJfHYkFpg9cFRt6OwgNfd97MTT0PfKnkr/NuerkdCH9ZSHeY5Z6Jpt7pQ gslw== MIME-Version: 1.0 X-Received: by 10.180.20.196 with SMTP id p4mr1760788wie.56.1409905079799; Fri, 05 Sep 2014 01:17:59 -0700 (PDT) Received: by 10.217.173.196 with HTTP; Fri, 5 Sep 2014 01:17:59 -0700 (PDT) Date: Fri, 5 Sep 2014 04:17:59 -0400 Message-ID: Subject: New ASLR Patch From: Shawn Webb To: FreeBSD-current X-Mailman-Approved-At: Fri, 05 Sep 2014 11:33:18 +0000 Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.18-1 Cc: Alan Cox , dev@hardenedbsd.org, Bryan Drewery , Robert Watson , PaX Team , =?UTF-8?Q?Dag=2DErling_Sm=C3=B8rgrav?= X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Sep 2014 08:18:02 -0000 Hey All, I've submitted a new revision of our ASLR patch to Phabric. It can be applied to 11-CURRENT. The main changes include removal of the MAP_32BIT hack for amd64, a couple bug fixes, and stylistic changes requested by a few people. I'm looking for commentary and volunteers for testing. The link to Phabric is below and you can download the raw patch from there. https://reviews.freebsd.org/D473 Thanks, Shawn From owner-freebsd-security@FreeBSD.ORG Fri Sep 5 22:26:01 2014 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 6EC0C263 for ; Fri, 5 Sep 2014 22:26:01 +0000 (UTC) Received: from h2.funkthat.com (gate2.funkthat.com [208.87.223.18]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "funkthat.com", Issuer "funkthat.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4953B1844 for ; Fri, 5 Sep 2014 22:26:00 +0000 (UTC) Received: from h2.funkthat.com (localhost [127.0.0.1]) by h2.funkthat.com (8.14.3/8.14.3) with ESMTP id s85MPxME024615 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Fri, 5 Sep 2014 15:25:59 -0700 (PDT) (envelope-from jmg@h2.funkthat.com) Received: (from jmg@localhost) by h2.funkthat.com (8.14.3/8.14.3/Submit) id s85MPxIC024614 for freebsd-security@FreeBSD.org; Fri, 5 Sep 2014 15:25:59 -0700 (PDT) (envelope-from jmg) Date: Fri, 5 Sep 2014 15:25:59 -0700 From: John-Mark Gurney To: freebsd-security@FreeBSD.org Subject: deprecating old ciphers from OpenCrypto... Message-ID: <20140905222559.GO82175@funkthat.com> Mail-Followup-To: freebsd-security@FreeBSD.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.4.2.3i X-Operating-System: FreeBSD 7.2-RELEASE i386 X-PGP-Fingerprint: 54BA 873B 6515 3F10 9E88 9322 9CB1 8F74 6D3F A396 X-Files: The truth is out there X-URL: http://resnet.uoregon.edu/~gurney_j/ X-Resume: http://resnet.uoregon.edu/~gurney_j/resume.html X-TipJar: bitcoin:13Qmb6AeTgQecazTWph4XasEsP7nGRbAPE X-to-the-FBI-CIA-and-NSA: HI! HOW YA DOIN? can i haz chizburger? X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.2.2 (h2.funkthat.com [127.0.0.1]); Fri, 05 Sep 2014 15:26:00 -0700 (PDT) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Sep 2014 22:26:01 -0000 As I've been working on OpenCrypto, I've noticed that we have some ciphers that OpenBSD does not... As we haven't had a maintainer for the code, no one has been evaluating which ciphers should be included... I would like to document the following ciphers as depcreated in 11, and remove them for 12: Skipjack: already removed by OpenBSD and recommend not for use by NIST after 2010, key size is 80 bits CAST: key size is 40 to 128 bits As you can see, both of these ciphers weak and we should not encourage their use. Their removal from OpenCrypto will practically only remove them from their use w/ IPSec. Most other systems are userland and will use OpenSSL which is different. It would be possible for parties that need support to make them a module, but right now, if you compile in crypto into your kernel, you get all of these ciphers... Comments? Thanks. -- John-Mark Gurney Voice: +1 415 225 5579 "All that I will do, has been done, All that I have, has not." From owner-freebsd-security@FreeBSD.ORG Sat Sep 6 07:28:44 2014 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id B99D6F30 for ; Sat, 6 Sep 2014 07:28:44 +0000 (UTC) Received: from mail.carlostrub.ch (319.ch [88.198.108.251]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 7824D1F15 for ; Sat, 6 Sep 2014 07:28:43 +0000 (UTC) Received: from c-st.net (localhost [127.0.0.1]) (Authenticated sender: cs@carlostrub.ch) by mail.carlostrub.ch (Postfix) with ESMTPA id 6069A1B508E; Sat, 6 Sep 2014 09:28:34 +0200 (CEST) Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Subject: Re: deprecating old ciphers from OpenCrypto... X-Powered-BY: OTRS - Open Ticket Request System (http://otrs.org/) X-Mailer: OTRS Mail Service (3.3.7) Date: Sat, 6 Sep 2014 09:28:33 +0200 Message-ID: <1409988513.269561.213256043.136342.2@c-st.net> To: jmg@funkthat.com Organization: Carlo Strub From: Carlo Strub In-Reply-To: <20140905222559.GO82175@funkthat.com> References: <20140905222559.GO82175@funkthat.com> Cc: freebsd-security@FreeBSD.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 06 Sep 2014 07:28:44 -0000 06/09/2014 00:26 - John-Mark Gurney wrote: > As I've been working on OpenCrypto, I've noticed that we have some > ciphers that OpenBSD does not... As we haven't had a maintainer for > the code, no one has been evaluating which ciphers should be included... >=20 > I would like to document the following ciphers as depcreated in 11, and > remove them for 12: > Skipjack: already removed by OpenBSD and recommend not for use by NIST > after 2010, key size is 80 bits > CAST: key size is 40 to 128 bits >=20 > As you can see, both of these ciphers weak and we should not encourage > their use. Their removal from OpenCrypto will practically only remove > them from their use w/ IPSec. Most other systems are userland and will > use OpenSSL which is different. >=20 > It would be possible for parties that need support to make them a > module, but right now, if you compile in crypto into your kernel, you > get all of these ciphers... >=20 > Comments? >=20 > Thanks. >=20 > --=20 > John-Mark Gurney Voice: +1 415 225 5579 >=20 > "All that I will do, has been done, All that I have, has not." > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.or= g" >=20 Sounds reasonable.=