From: FreeBSD Errata Notices
Date: Thu, 18 Jun 2015 05:53:20 GMT
Subject: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-15:08.sendmail

=============================================================================
FreeBSD-EN-15:08.sendmail                                       Errata Notice
                                                          The FreeBSD Project
Topic:          sendmail TLS/DH Interoperability Improvement

Category:       contrib
Module:         sendmail
Announced:      2015-06-18
Credits:        Frank Seltzer, Gregory Shapiro
Affects:        All supported versions of FreeBSD.
Corrected:      2015-06-17 02:39:10 UTC (stable/10, 10.1-STABLE)
                2015-06-18 05:36:45 UTC (releng/10.1, 10.1-RELEASE-p13)
                2015-06-17 03:11:25 UTC (stable/9, 9.3-STABLE)
                2015-06-18 05:36:45 UTC (releng/9.3, 9.3-RELEASE-p17)
                2015-06-17 03:22:18 UTC (stable/8, 8.4-STABLE)
                2015-06-18 05:36:45 UTC (releng/8.4, 8.4-RELEASE-p31)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit .

I.   Background

sendmail supports STARTTLS encrypted connections using DHE_EXPORT
ciphers.  As part of that support, by default, sendmail employs
1024-bit DH parameters for server connections and 512-bit DH parameters
for client connections.

II.  Problem Description

In response to CVE-2015-4000 ("Logjam TLS vulnerability"), OpenSSL and
other encryption packages have begun rejecting 512-bit and lower DH
parameters during negotiation, thereby reducing interoperability.

III. Impact

In its default configuration, client connections from sendmail to other
SMTP servers will not be able to negotiate a STARTTLS encrypted session
with SMTP servers which reject 512-bit DH parameters.  This may cause
mail deliverability issues for outbound mail.

IV.  Workaround

To work around this interoperability problem, sendmail can be configured
to use a 1024- or 2048-bit DH parameter using these steps:

1. Edit /etc/mail/`hostname`.mc

2. If a setting for confDH_PARAMETERS does not exist, or exists and is
   set to a string beginning with '5', replace it with '1' for 1024-bit
   or '2' for 2048-bit.

3. If a setting for confDH_PARAMETERS exists and is set to a file path,
   create a new file with:

   openssl dhparam -out /path/to/file 2048

   for 2048-bit or:

   openssl dhparam -out /path/to/file 1024

   for 1024-bit.

4. If you have modified your MSP submission configuration file to enable
   STARTTLS (not enabled by default), repeat the above steps for
   /etc/mail/`hostname`.submit.mc.

5. Rebuild the .cf file(s):

   cd /etc/mail/; make; make install

6. Restart sendmail:

   cd /etc/mail/; make restart

Systems that do not use sendmail are not affected.

V.   Solution

A change to raise the default for sendmail client connections to
1024-bit DH parameters has been committed.

Perform one of the following:

1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.

2) To update your present system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your present system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/EN-15:08/sendmail.patch
# fetch https://security.FreeBSD.org/patches/EN-15:08/sendmail.patch.asc
# gpg --verify sendmail.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart the sendmail daemon(s), or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.
Branch/path                                                         Revision
-------------------------------------------------------------------------
stable/8/                                                           r284491
releng/8.4/                                                         r284536
stable/9/                                                           r284488
releng/9.3/                                                         r284536
stable/10/                                                          r284485
releng/10.1/                                                        r284536
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this Errata Notice is available at
https://security.FreeBSD.org/advisories/FreeBSD-EN-15:08.sendmail.asc
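An audit helper for the workaround in section IV, added here as an example and not part of the errata notice: it reads confDH_PARAMETERS from a sendmail .mc file, classifies the value the way steps 2 and 3 do (missing or '5...' is the weak 512-bit case, '1'/'2' or a file path is acceptable), and emits a corrected copy. The function names and the constructed .mc content are assumptions, not anything from the notice.

```shell
#!/bin/sh
# Added example: audit and repair confDH_PARAMETERS in a sendmail .mc file.
# Hypothetical helper names; the .mc lines handled look like
#   define(`confDH_PARAMETERS', `5')dnl
# which is the 512-bit setting the notice says to replace.

# dh_setting FILE: print the last confDH_PARAMETERS value in FILE (empty if unset).
dh_setting() {
    sed -n 's|^define(`confDH_PARAMETERS., *`\([0-9A-Za-z/._-]*\).*|\1|p' "$1" | tail -n 1
}

# dh_status FILE: print a classification and return 0 only when the
# setting is one the notice considers acceptable.
dh_status() {
    val=$(dh_setting "$1")
    case "$val" in
        "")  echo missing; return 1 ;;   # unset: sendmail's client default is 512-bit
        5*)  echo weak;    return 1 ;;   # explicit 512-bit parameters
        1|2) echo ok;      return 0 ;;   # 1024-bit or 2048-bit built-in parameters
        /*)  echo file;    return 0 ;;   # operator-supplied file (check its size with
                                         # openssl dhparam -in FILE -text -noout)
        *)   echo unknown; return 1 ;;
    esac
}

# dh_set FILE VALUE: write FILE to stdout with confDH_PARAMETERS replaced
# by VALUE ('1', '2', or a path produced by openssl dhparam).
dh_set() {
    q="'"
    grep -v '^define(`confDH_PARAMETERS' "$1" || true
    printf 'define(`confDH_PARAMETERS%s, `%s%s)dnl\n' "$q" "$2" "$q"
}

# Usage: audit.sh /etc/mail/`hostname`.mc [/etc/mail/`hostname`.submit.mc]
if [ "$#" -gt 0 ]; then
    for f; do
        printf '%s: ' "$f"
        dh_status "$f" || true
    done
fi
```

Run it on both the main and the submit .mc file, then rebuild with make; make install as in steps 5 and 6.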
From: FreeBSD Core Secretary
To: freebsd-announce@freebsd.org
Date: Thu, 18 Jun 2015 07:59:25 +0100
Subject: [FreeBSD-Announce] Change of Security Officer

Dear all,

With immediate effect, the FreeBSD Core team has appointed Xin Li as the
new Security Officer.  Congratulations Xin!

The previous Security Officer, Dag-Erling Smørgrav has unfortunately
been unable to continue in the role due to his family circumstances.
As is usual, he proposed his successor when he tendered his resignation
to Core.  Xin was formerly the Deputy Security Officer and Core was glad
to confirm his appointment.

Core wishes to thank Dag-Erling for his valuable contributions during
his time as Security Officer and wishes him every future success.

Traditionally the hand-over of the Security Officer role has been
announced by the departing Security Officer.  Unfortunately Dag-Erling
has not been able to do that, so in this instance I have been requested
to make the announcement in his stead.
Matthew
-- 
FreeBSD Core Team Secretary
core-secretary@FreeBSD.org