From owner-freebsd-security@FreeBSD.ORG Tue Sep 26 03:41:00 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D215C16A403 for ; Tue, 26 Sep 2006 03:41:00 +0000 (UTC) (envelope-from cfp@ruxcon.org.au) Received: from mail.ruxcon.org.au (ruxcon.org.au [202.60.75.132]) by mx1.FreeBSD.org (Postfix) with ESMTP id D7FBB43D49 for ; Tue, 26 Sep 2006 03:40:59 +0000 (GMT) (envelope-from cfp@ruxcon.org.au) Received: from ns1.myserver.com (localhost.localdomain [127.0.0.1]) by mail.ruxcon.org.au (Postfix) with ESMTP id 0E17F8629F for ; Tue, 26 Sep 2006 13:41:39 +1000 (EST) Received: (from cfp@localhost) by ns1.myserver.com (8.13.6/8.13.6/Submit) id k8Q3fbYn016067 for freebsd-security@freebsd.org; Tue, 26 Sep 2006 13:41:37 +1000 Date: Tue, 26 Sep 2006 13:41:37 +1000 From: cfp@ruxcon.org.au Message-Id: <200609260341.k8Q3fbYn016067@ns1.myserver.com> X-Authentication-Warning: ns1.myserver.com: cfp set sender to cfp@ruxcon.org.au using -f To: freebsd-security@freebsd.org Subject: Ruxcon 2006 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Sep 2006 03:41:00 -0000 Hi, RUXCON 2006 will be held this weekend over the 30th of September to the 1st of October at the University of Technology, Sydney. Doors will open at 8:30am and the first presentation commences at 9:30am. Our presentation list is complete. RUXCON 2006 Presentations [1]: 1. Java Class Deobfuscation - Chris Mitchell 2. Mechanics of the Objective-C Trifecta - Reversing, Runtime Antics, & Exploit Development - Neil Archibald 3. Exploiting OpenBSD - Ben Hawkes 4. Anti-Forensic Rootkits - Darren Bilby 5. Access over Ethernet: Insecurites in AoE - Morgan Marquis-Boire 6. Attacks Against RFID - Josh Perrymon 7. Unusual Bugs - Ilja van Sprundel 8. A Quantitive Time Series Analysis of Malware and Vulnerability Trends - Craig Wright 9. IPv6: Under the Hood - Mark Dowd 10. Software Vulnerabilities - Daniel Hodson 11. PE Packers Used in Malicious Software - Paul Craig 12. Web Services: Teaching a New Dog Old Tricks - Daniel Grzelak, Colin Wong 13. Bypassing Corporate Email Filtering - Simon Howard 14. Hit By A Bus: Physical Access Attacks with Firewire - Adam Boileau 15. Metafuzz: Building Boring Fuzzers Faster, Using Metadata - Ben Nagy 16. Dynamic Port Scanning - AR, HK 17. The Common Vulnerability Scoring System (CVSS) - Christian Heinrich 18. Ajax Security - Andrew van der Stock As in previous years, there will be activities and competitions, which allow attendees to have fun, win prizes, and socialise, all while enjoying a cold beer on an Australian summers day. Some activities which will be held during the conference include: * Capture the flag competition * Exploit development competition * Chilli eatoff competition This will be the fourth year in a row in which we've brought a quality conference to the Australian computer security community. Hope to see you there, Regards, RUXCON Staff http://www.ruxcon.org.au [1] http://www.ruxcon.org.au/presentations.shtml From owner-freebsd-security@FreeBSD.ORG Tue Sep 26 09:36:58 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7B73116A403 for ; Tue, 26 Sep 2006 09:36:58 +0000 (UTC) (envelope-from pjd@garage.freebsd.pl) Received: from mail.garage.freebsd.pl (arm132.internetdsl.tpnet.pl [83.17.198.132]) by mx1.FreeBSD.org (Postfix) with ESMTP id DA67343D53 for ; Tue, 26 Sep 2006 09:36:57 +0000 (GMT) (envelope-from pjd@garage.freebsd.pl) Received: by mail.garage.freebsd.pl (Postfix, from userid 65534) id D5B66487F4; Tue, 26 Sep 2006 11:36:55 +0200 (CEST) Received: from localhost (unknown [62.129.252.8]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.garage.freebsd.pl (Postfix) with ESMTP id 43F9645B26; Tue, 26 Sep 2006 11:36:43 +0200 (CEST) Date: Tue, 26 Sep 2006 11:36:11 +0200 From: Pawel Jakub Dawidek To: Network Security Message-ID: <20060926093611.GA5493@garage.freebsd.pl> References: <20060906210021.C2428B82C@shodan.nognu.de> <20060906151041.N37483@3jane.math.ualberta.ca> <1262165672.20060906152236@hush.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="AqsLC8rIMeq19msA" Content-Disposition: inline In-Reply-To: <1262165672.20060906152236@hush.com> X-PGP-Key-URL: http://people.freebsd.org/~pjd/pjd.asc X-OS: FreeBSD 7.0-CURRENT i386 User-Agent: mutt-ng/devel-r804 (FreeBSD) X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on mail.garage.freebsd.pl X-Spam-Level: X-Spam-Status: No, score=-2.6 required=3.0 tests=BAYES_00 autolearn=ham version=3.0.4 Cc: freebsd-security@freebsd.org Subject: Re: GELI - FreeBSD Full Disk Encryption X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Sep 2006 09:36:58 -0000 --AqsLC8rIMeq19msA Content-Type: text/plain; charset=iso-8859-2 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Sep 06, 2006 at 03:22:36PM -0700, Network Security wrote: > GELI even properly installed has some security problems, [...] Very strong words, care to elaborate? --=20 Pawel Jakub Dawidek http://www.wheel.pl pjd@FreeBSD.org http://www.FreeBSD.org FreeBSD committer Am I Evil? Yes, I Am! --AqsLC8rIMeq19msA Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (FreeBSD) iD8DBQFFGPSLForvXbEpPzQRAmqrAKDOvMn0k0GDWKvQe2ybyniyjv+mFQCfRPQd kcS2bPic/AmIlqdIe0ZDrOs= =qsyx -----END PGP SIGNATURE----- --AqsLC8rIMeq19msA-- From owner-freebsd-security@FreeBSD.ORG Thu Sep 28 13:13:55 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8A05416A416; Thu, 28 Sep 2006 13:13:55 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 386FA43D49; Thu, 28 Sep 2006 13:13:54 +0000 (GMT) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (cperciva@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k8SDDsie040089; Thu, 28 Sep 2006 13:13:54 GMT (envelope-from security-advisories@freebsd.org) Received: (from cperciva@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k8SDDsxS040087; Thu, 28 Sep 2006 13:13:54 GMT (envelope-from security-advisories@freebsd.org) Date: Thu, 28 Sep 2006 13:13:54 GMT Message-Id: <200609281313.k8SDDsxS040087@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: cperciva set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Cc: Subject: FreeBSD Security Advisory FreeBSD-SA-06:23.openssl X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Reply-To: security-advisories@freebsd.org List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Sep 2006 13:13:55 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-06:23.openssl Security Advisory The FreeBSD Project Topic: Multiple problems in crypto(3) Category: contrib Module: openssl Announced: 2006-09-28 Credits: Dr S N Henson, Tavis Ormandy, Will Drewry Affects: All FreeBSD releases. Corrected: 2006-09-28 13:02:37 UTC (RELENG_6, 6.1-PRERELEASE) 2006-09-28 13:03:14 UTC (RELENG_6_1, 6.1-RELEASE-p8) 2006-09-28 13:03:41 UTC (RELENG_6_0, 6.0-RELEASE-p13) 2006-09-28 13:03:57 UTC (RELENG_5, 5.5-STABLE) 2006-09-28 13:04:16 UTC (RELENG_5_5, 5.5-RELEASE-p6) 2006-09-28 13:04:47 UTC (RELENG_5_4, 5.4-RELEASE-p20) 2006-09-28 13:05:08 UTC (RELENG_5_3, 5.3-RELEASE-p35) 2006-09-28 13:05:59 UTC (RELENG_4, 4.11-STABLE) 2006-09-28 13:06:23 UTC (RELENG_4_11, 4.11-RELEASE-p23) CVE Name: CVE-2006-2937, CVE-2006-2940, CVE-2006-3738, CVE-2006-4343 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. II. Problem Description Several problems have been found in OpenSSL: 1. During the parsing of certain invalid ASN1 structures an error condition is mishandled, possibly resulting in an infinite loop. [CVE-2006-2937] 2. A buffer overflow exists in the SSL_get_shared_ciphers function. [CVE-2006-3738] 3. A NULL pointer may be dereferenced in the SSL version 2 client code. [CVE-2006-4343] In addition, many applications using OpenSSL do not perform any validation of the lengths of public keys being used. [CVE-2006-2940] III. Impact Servers which parse ASN1 data from untrusted sources may be vulnerable to a denial of service attack. [CVE-2006-2937] An attacker accessing a server which uses SSL version 2 may be able to execute arbitrary code with the privileges of that server. [CVE-2006-3738] A malicious SSL server can cause clients connecting using SSL version 2 to crash. [CVE-2006-4343] Applications which perform public key operations using untrusted keys may be vulnerable to a denial of service attack. [CVE-2006-2940] IV. Workaround No workaround is available, but not all of the vulnerabilities mentioned affect all applications. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 4-STABLE, 5-STABLE, or 6-STABLE, or to the RELENG_6_1, RELENG_6_0, RELENG_5_5, RELENG_5_4, RELENG_5_3, or RELENG_4_11 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 4.11, 5.3, 5.4, 5.5, 6.0, and 6.1 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/SA-06:23/openssl.patch # fetch http://security.FreeBSD.org/patches/SA-06:23/openssl.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system as described in and reboot the system. NOTE: Any third-party applications, including those installed from the FreeBSD ports collection, which are statically linked to libcrypto(3) should be recompiled in order to use the corrected code. NOTE ALSO: The above patch reduces the functionality of libcrypto(3) by prohibiting the use of exceptionally large public keys. It is believed that no existing applications legitimately use such key lengths as would be affected by this change. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_4 src/crypto/openssl/crypto/asn1/tasn_dec.c 1.1.1.1.2.4 src/crypto/openssl/crypto/dh/dh.h 1.1.1.1.2.8 src/crypto/openssl/crypto/dh/dh_err.c 1.1.1.1.2.7 src/crypto/openssl/crypto/dh/dh_key.c 1.1.1.1.2.11 src/crypto/openssl/crypto/dsa/dsa.h 1.1.1.1.2.8 src/crypto/openssl/crypto/dsa/dsa_err.c 1.1.1.1.2.7 src/crypto/openssl/crypto/dsa/dsa_ossl.c 1.1.1.1.2.11 src/crypto/openssl/crypto/rsa/rsa.h 1.2.2.14 src/crypto/openssl/crypto/rsa/rsa_eay.c 1.2.4.16 src/crypto/openssl/crypto/rsa/rsa_err.c 1.1.1.1.2.7 src/crypto/openssl/ssl/s2_clnt.c 1.2.2.14 src/crypto/openssl/ssl/s3_srvr.c 1.1.1.1.2.20 src/crypto/openssl/ssl/ssl_lib.c 1.1.1.1.2.14 RELENG_4_11 src/UPDATING 1.73.2.91.2.24 src/sys/conf/newvers.sh 1.44.2.39.2.27 src/crypto/openssl/crypto/asn1/tasn_dec.c 1.1.1.1.2.2.6.1 src/crypto/openssl/crypto/dh/dh.h 1.1.1.1.2.4.8.1 src/crypto/openssl/crypto/dh/dh_err.c 1.1.1.1.2.3.8.1 src/crypto/openssl/crypto/dh/dh_key.c 1.1.1.1.2.7.6.1 src/crypto/openssl/crypto/dsa/dsa.h 1.1.1.1.2.4.8.1 src/crypto/openssl/crypto/dsa/dsa_err.c 1.1.1.1.2.3.8.1 src/crypto/openssl/crypto/dsa/dsa_ossl.c 1.1.1.1.2.7.6.1 src/crypto/openssl/crypto/rsa/rsa.h 1.2.2.8.4.1 src/crypto/openssl/crypto/rsa/rsa_eay.c 1.2.4.8.4.1 src/crypto/openssl/crypto/rsa/rsa_err.c 1.1.1.1.2.3.8.1 src/crypto/openssl/ssl/s2_clnt.c 1.2.2.8.4.1 src/crypto/openssl/ssl/s3_srvr.c 1.1.1.1.2.9.4.1 src/crypto/openssl/ssl/ssl_lib.c 1.1.1.1.2.8.4.1 RELENG_5 src/crypto/openssl/crypto/asn1/tasn_dec.c 1.1.1.2.4.1 src/crypto/openssl/crypto/dh/dh.h 1.1.1.6.6.1 src/crypto/openssl/crypto/dh/dh_err.c 1.1.1.4.6.2 src/crypto/openssl/crypto/dh/dh_key.c 1.1.1.8.4.2 src/crypto/openssl/crypto/dsa/dsa.h 1.1.1.6.6.2 src/crypto/openssl/crypto/dsa/dsa_err.c 1.1.1.4.6.1 src/crypto/openssl/crypto/dsa/dsa_ossl.c 1.1.1.7.4.2 src/crypto/openssl/crypto/rsa/rsa.h 1.10.4.2 src/crypto/openssl/crypto/rsa/rsa_eay.c 1.12.4.2 src/crypto/openssl/crypto/rsa/rsa_err.c 1.1.1.4.6.1 src/crypto/openssl/ssl/s2_clnt.c 1.12.2.2 src/crypto/openssl/ssl/s3_srvr.c 1.1.1.13.2.2 src/crypto/openssl/ssl/ssl_lib.c 1.1.1.11.2.2 RELENG_5_5 src/UPDATING 1.342.2.35.2.6 src/sys/conf/newvers.sh 1.62.2.21.2.8 src/crypto/openssl/crypto/asn1/tasn_dec.c 1.1.1.2.16.1 src/crypto/openssl/crypto/dh/dh.h 1.1.1.6.18.1 src/crypto/openssl/crypto/dh/dh_err.c 1.1.1.4.6.1.4.1 src/crypto/openssl/crypto/dh/dh_key.c 1.1.1.8.4.1.4.1 src/crypto/openssl/crypto/dsa/dsa.h 1.1.1.6.6.1.4.1 src/crypto/openssl/crypto/dsa/dsa_err.c 1.1.1.4.18.1 src/crypto/openssl/crypto/dsa/dsa_ossl.c 1.1.1.7.4.1.4.1 src/crypto/openssl/crypto/rsa/rsa.h 1.10.4.1.4.1 src/crypto/openssl/crypto/rsa/rsa_eay.c 1.12.4.1.4.1 src/crypto/openssl/crypto/rsa/rsa_err.c 1.1.1.4.18.1 src/crypto/openssl/ssl/s2_clnt.c 1.12.2.1.4.1 src/crypto/openssl/ssl/s3_srvr.c 1.1.1.13.2.1.4.1 src/crypto/openssl/ssl/ssl_lib.c 1.1.1.11.2.1.4.1 RELENG_5_4 src/UPDATING 1.342.2.24.2.29 src/sys/conf/newvers.sh 1.62.2.18.2.25 src/crypto/openssl/crypto/asn1/tasn_dec.c 1.1.1.2.8.1 src/crypto/openssl/crypto/dh/dh.h 1.1.1.6.10.1 src/crypto/openssl/crypto/dh/dh_err.c 1.1.1.4.6.1.2.1 src/crypto/openssl/crypto/dh/dh_key.c 1.1.1.8.4.1.2.1 src/crypto/openssl/crypto/dsa/dsa.h 1.1.1.6.6.1.2.1 src/crypto/openssl/crypto/dsa/dsa_err.c 1.1.1.4.10.1 src/crypto/openssl/crypto/dsa/dsa_ossl.c 1.1.1.7.4.1.2.1 src/crypto/openssl/crypto/rsa/rsa.h 1.10.4.1.2.1 src/crypto/openssl/crypto/rsa/rsa_eay.c 1.12.4.1.2.1 src/crypto/openssl/crypto/rsa/rsa_err.c 1.1.1.4.10.1 src/crypto/openssl/ssl/s2_clnt.c 1.12.2.1.2.1 src/crypto/openssl/ssl/s3_srvr.c 1.1.1.13.2.1.2.1 src/crypto/openssl/ssl/ssl_lib.c 1.1.1.11.2.1.2.1 RELENG_5_3 src/UPDATING 1.342.2.13.2.38 src/sys/conf/newvers.sh 1.62.2.15.2.40 src/crypto/openssl/crypto/asn1/tasn_dec.c 1.1.1.2.6.1 src/crypto/openssl/crypto/dh/dh.h 1.1.1.6.8.1 src/crypto/openssl/crypto/dh/dh_err.c 1.1.1.4.8.1 src/crypto/openssl/crypto/dh/dh_key.c 1.1.1.8.6.1 src/crypto/openssl/crypto/dsa/dsa.h 1.1.1.6.8.1 src/crypto/openssl/crypto/dsa/dsa_err.c 1.1.1.4.8.1 src/crypto/openssl/crypto/dsa/dsa_ossl.c 1.1.1.7.6.1 src/crypto/openssl/crypto/rsa/rsa.h 1.10.6.1 src/crypto/openssl/crypto/rsa/rsa_eay.c 1.12.6.1 src/crypto/openssl/crypto/rsa/rsa_err.c 1.1.1.4.8.1 src/crypto/openssl/ssl/s2_clnt.c 1.12.4.1 src/crypto/openssl/ssl/s3_srvr.c 1.1.1.13.4.1 src/crypto/openssl/ssl/ssl_lib.c 1.1.1.11.4.1 RELENG_6 src/crypto/openssl/crypto/asn1/tasn_dec.c 1.1.1.2.10.1 src/crypto/openssl/crypto/dh/dh.h 1.1.1.6.12.1 src/crypto/openssl/crypto/dh/dh_err.c 1.1.1.5.2.1 src/crypto/openssl/crypto/dh/dh_key.c 1.1.1.9.2.1 src/crypto/openssl/crypto/dsa/dsa.h 1.1.1.7.2.1 src/crypto/openssl/crypto/dsa/dsa_err.c 1.1.1.4.12.1 src/crypto/openssl/crypto/dsa/dsa_ossl.c 1.1.1.8.2.1 src/crypto/openssl/crypto/rsa/rsa.h 1.11.2.1 src/crypto/openssl/crypto/rsa/rsa_eay.c 1.13.2.1 src/crypto/openssl/crypto/rsa/rsa_err.c 1.1.1.4.12.1 src/crypto/openssl/ssl/s2_clnt.c 1.13.2.1 src/crypto/openssl/ssl/s3_srvr.c 1.1.1.14.2.1 src/crypto/openssl/ssl/ssl_lib.c 1.1.1.12.2.1 RELENG_6_1 src/UPDATING 1.416.2.22.2.10 src/sys/conf/newvers.sh 1.69.2.11.2.10 src/crypto/openssl/crypto/asn1/tasn_dec.c 1.1.1.2.14.1 src/crypto/openssl/crypto/dh/dh.h 1.1.1.6.16.1 src/crypto/openssl/crypto/dh/dh_err.c 1.1.1.5.6.1 src/crypto/openssl/crypto/dh/dh_key.c 1.1.1.9.6.1 src/crypto/openssl/crypto/dsa/dsa.h 1.1.1.7.6.1 src/crypto/openssl/crypto/dsa/dsa_err.c 1.1.1.4.16.1 src/crypto/openssl/crypto/dsa/dsa_ossl.c 1.1.1.8.6.1 src/crypto/openssl/crypto/rsa/rsa.h 1.11.6.1 src/crypto/openssl/crypto/rsa/rsa_eay.c 1.13.6.1 src/crypto/openssl/crypto/rsa/rsa_err.c 1.1.1.4.16.1 src/crypto/openssl/ssl/s2_clnt.c 1.13.6.1 src/crypto/openssl/ssl/s3_srvr.c 1.1.1.14.6.1 src/crypto/openssl/ssl/ssl_lib.c 1.1.1.12.6.1 RELENG_6_0 src/UPDATING 1.416.2.3.2.18 src/sys/conf/newvers.sh 1.69.2.8.2.14 src/crypto/openssl/crypto/asn1/tasn_dec.c 1.1.1.2.12.1 src/crypto/openssl/crypto/dh/dh.h 1.1.1.6.14.1 src/crypto/openssl/crypto/dh/dh_err.c 1.1.1.5.4.1 src/crypto/openssl/crypto/dh/dh_key.c 1.1.1.9.4.1 src/crypto/openssl/crypto/dsa/dsa.h 1.1.1.7.4.1 src/crypto/openssl/crypto/dsa/dsa_err.c 1.1.1.4.14.1 src/crypto/openssl/crypto/dsa/dsa_ossl.c 1.1.1.8.4.1 src/crypto/openssl/crypto/rsa/rsa.h 1.11.4.1 src/crypto/openssl/crypto/rsa/rsa_eay.c 1.13.4.1 src/crypto/openssl/crypto/rsa/rsa_err.c 1.1.1.4.14.1 src/crypto/openssl/ssl/s2_clnt.c 1.13.4.1 src/crypto/openssl/ssl/s3_srvr.c 1.1.1.14.4.1 src/crypto/openssl/ssl/ssl_lib.c 1.1.1.12.4.1 - ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343 The latest revision of this advisory is available at http://security.FreeBSD.org/advisories/FreeBSD-SA-06:23.openssl.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (FreeBSD) iD8DBQFFG8l8FdaIBMps37IRAn0pAKCRuDXjFm2w7YtoZ9C6oVgM9UK0GgCdHdYu 7owfMI1ZVr22prZNmPTeM7k= =DguL -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Thu Sep 28 13:34:51 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5D8C416A403 for ; Thu, 28 Sep 2006 13:34:51 +0000 (UTC) (envelope-from cperciva@freebsd.org) Received: from pd4mo1so.prod.shaw.ca (shawidc-mo1.cg.shawcable.net [24.71.223.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1366643D49 for ; Thu, 28 Sep 2006 13:34:29 +0000 (GMT) (envelope-from cperciva@freebsd.org) Received: from pd3mr7so.prod.shaw.ca (pd3mr7so-qfe3.prod.shaw.ca [10.0.141.23]) by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with ESMTP id <0J6B0019A1NJ5DC0@l-daemon> for freebsd-security@freebsd.org; Thu, 28 Sep 2006 07:33:19 -0600 (MDT) Received: from pn2ml10so.prod.shaw.ca ([10.0.121.80]) by pd3mr7so.prod.shaw.ca (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with ESMTP id <0J6B00DEK1NJJLI0@pd3mr7so.prod.shaw.ca> for freebsd-security@freebsd.org; Thu, 28 Sep 2006 07:33:19 -0600 (MDT) Received: from hexahedron.daemonology.net ([24.82.18.31]) by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with SMTP id <0J6B004DG1NIZDZ0@l-daemon> for freebsd-security@freebsd.org; Thu, 28 Sep 2006 07:33:19 -0600 (MDT) Received: (qmail 91356 invoked from network); Thu, 28 Sep 2006 13:33:18 +0000 Received: from unknown (HELO ?127.0.0.1?) (127.0.0.1) by localhost with SMTP; Thu, 28 Sep 2006 13:33:18 +0000 Date: Thu, 28 Sep 2006 06:33:18 -0700 From: Colin Percival In-reply-to: <20060928092437.4a4923a7.wmoran@potentialtech.com> To: Bill Moran Message-id: <451BCF1E.2070609@freebsd.org> MIME-version: 1.0 Content-type: text/plain; charset=ISO-8859-1 Content-transfer-encoding: 7bit X-Enigmail-Version: 0.94.0.0 References: <20060928092437.4a4923a7.wmoran@potentialtech.com> User-Agent: Thunderbird 1.5 (X11/20060416) Cc: freebsd security , questions@freebsd.org Subject: Re: Fw: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-06:23.openssl X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Sep 2006 13:34:51 -0000 Bill Moran wrote: > Can anyone define "exceptionally large" as noted in this statement?: > > "NOTE ALSO: The above patch reduces the functionality of libcrypto(3) by > prohibiting the use of exceptionally large public keys. It is believed > that no existing applications legitimately use such key lengths as would > be affected by this change." > > It would be nice if "exceptionally large" were replaced with "keys in > excess of x bits in size" or something. I don't expect that this will > affect me, but ambiguous statements like that make me uncomfortable. DH and DSA are limited to 10000 bits. RSA is limited to 16400 or 4112 bits depending upon whether the public exponent is less or more than 72 bits. I wouldn't have allowed this change into the security branches if I was not very very confident that no applications would be affected by this. Colin Percival From owner-freebsd-security@FreeBSD.ORG Thu Sep 28 18:24:47 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2A7B716A4C9 for ; Thu, 28 Sep 2006 18:24:47 +0000 (UTC) (envelope-from jllewellyn@twelvehorses.com) Received: from gozer.thtoolbox.com (gozer.thtoolbox.com [208.39.234.26]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8CAA643D78 for ; Thu, 28 Sep 2006 18:24:35 +0000 (GMT) (envelope-from jllewellyn@twelvehorses.com) Received: from jrlcompaq ([192.168.0.184]) by gozer.thtoolbox.com (8.13.1/8.13.1) with ESMTP id k8SIOOf2000650 for ; Thu, 28 Sep 2006 12:24:24 -0600 From: "John Llewellyn" To: Date: Thu, 28 Sep 2006 12:24:02 -0600 Message-ID: <004c01c6e32b$46227500$b800a8c0@jrlcompaq> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 11 Thread-Index: AcbjASOy6sBPVvpxR2GRmF71X4POrgAKPc+A X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962 In-reply-to: <200609281313.k8SDDsxS040087@freefall.freebsd.org> X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-1.6 (gozer.thtoolbox.com [192.168.0.140]); Thu, 28 Sep 2006 12:24:24 -0600 (MDT) X-Virus-Scanned: ClamAV 0.88.4/1948/Wed Sep 27 10:03:03 2006 on gozer.thtoolbox.com X-Virus-Status: Clean X-Spam-Status: No, score=-1.3 required=5.0 tests=ALL_TRUSTED,AWL autolearn=ham version=3.1.5 X-Spam-Checker-Version: SpamAssassin 3.1.5 (2006-08-29) on gozer.thtoolbox.com Subject: RE: FreeBSD Security Advisory FreeBSD-SA-06:23.openssl X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Sep 2006 18:24:47 -0000 Hi, In the openssl advisory, you mention that: > An attacker accessing a server which uses SSL version 2 may be able to execute arbitrary > code with the privileges of that server. [CVE-2006-3738] The description of CVE-2006-3738 in the advisory from openssl.org (http://www.openssl.org/news/secadv_20060928.txt) does not mention SSLv2. Can you confirm whether this flaw only affects servers with SSLv2 enabled? Thanks in advance, John Llewellyn -----Original Message----- From: owner-freebsd-security@freebsd.org [mailto:owner-freebsd-security@freebsd.org] On Behalf Of FreeBSD Security Advisories Sent: Thursday, September 28, 2006 7:14 AM To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-06:23.openssl -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================ = FreeBSD-SA-06:23.openssl Security Advisory The FreeBSD Project Topic: Multiple problems in crypto(3) Category: contrib Module: openssl Announced: 2006-09-28 Credits: Dr S N Henson, Tavis Ormandy, Will Drewry Affects: All FreeBSD releases. Corrected: 2006-09-28 13:02:37 UTC (RELENG_6, 6.1-PRERELEASE) 2006-09-28 13:03:14 UTC (RELENG_6_1, 6.1-RELEASE-p8) 2006-09-28 13:03:41 UTC (RELENG_6_0, 6.0-RELEASE-p13) 2006-09-28 13:03:57 UTC (RELENG_5, 5.5-STABLE) 2006-09-28 13:04:16 UTC (RELENG_5_5, 5.5-RELEASE-p6) 2006-09-28 13:04:47 UTC (RELENG_5_4, 5.4-RELEASE-p20) 2006-09-28 13:05:08 UTC (RELENG_5_3, 5.3-RELEASE-p35) 2006-09-28 13:05:59 UTC (RELENG_4, 4.11-STABLE) 2006-09-28 13:06:23 UTC (RELENG_4_11, 4.11-RELEASE-p23) CVE Name: CVE-2006-2937, CVE-2006-2940, CVE-2006-3738, CVE-2006-4343 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. II. Problem Description Several problems have been found in OpenSSL: 1. During the parsing of certain invalid ASN1 structures an error condition is mishandled, possibly resulting in an infinite loop. [CVE-2006-2937] 2. A buffer overflow exists in the SSL_get_shared_ciphers function. [CVE-2006-3738] 3. A NULL pointer may be dereferenced in the SSL version 2 client code. [CVE-2006-4343] In addition, many applications using OpenSSL do not perform any validation of the lengths of public keys being used. [CVE-2006-2940] III. Impact Servers which parse ASN1 data from untrusted sources may be vulnerable to a denial of service attack. [CVE-2006-2937] An attacker accessing a server which uses SSL version 2 may be able to execute arbitrary code with the privileges of that server. [CVE-2006-3738] A malicious SSL server can cause clients connecting using SSL version 2 to crash. [CVE-2006-4343] Applications which perform public key operations using untrusted keys may be vulnerable to a denial of service attack. [CVE-2006-2940] IV. Workaround No workaround is available, but not all of the vulnerabilities mentioned affect all applications. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 4-STABLE, 5-STABLE, or 6-STABLE, or to the RELENG_6_1, RELENG_6_0, RELENG_5_5, RELENG_5_4, RELENG_5_3, or RELENG_4_11 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 4.11, 5.3, 5.4, 5.5, 6.0, and 6.1 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/SA-06:23/openssl.patch # fetch http://security.FreeBSD.org/patches/SA-06:23/openssl.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system as described in and reboot the system. NOTE: Any third-party applications, including those installed from the FreeBSD ports collection, which are statically linked to libcrypto(3) should be recompiled in order to use the corrected code. NOTE ALSO: The above patch reduces the functionality of libcrypto(3) by prohibiting the use of exceptionally large public keys. It is believed that no existing applications legitimately use such key lengths as would be affected by this change. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_4 src/crypto/openssl/crypto/asn1/tasn_dec.c 1.1.1.1.2.4 src/crypto/openssl/crypto/dh/dh.h 1.1.1.1.2.8 src/crypto/openssl/crypto/dh/dh_err.c 1.1.1.1.2.7 src/crypto/openssl/crypto/dh/dh_key.c 1.1.1.1.2.11 src/crypto/openssl/crypto/dsa/dsa.h 1.1.1.1.2.8 src/crypto/openssl/crypto/dsa/dsa_err.c 1.1.1.1.2.7 src/crypto/openssl/crypto/dsa/dsa_ossl.c 1.1.1.1.2.11 src/crypto/openssl/crypto/rsa/rsa.h 1.2.2.14 src/crypto/openssl/crypto/rsa/rsa_eay.c 1.2.4.16 src/crypto/openssl/crypto/rsa/rsa_err.c 1.1.1.1.2.7 src/crypto/openssl/ssl/s2_clnt.c 1.2.2.14 src/crypto/openssl/ssl/s3_srvr.c 1.1.1.1.2.20 src/crypto/openssl/ssl/ssl_lib.c 1.1.1.1.2.14 RELENG_4_11 src/UPDATING 1.73.2.91.2.24 src/sys/conf/newvers.sh 1.44.2.39.2.27 src/crypto/openssl/crypto/asn1/tasn_dec.c 1.1.1.1.2.2.6.1 src/crypto/openssl/crypto/dh/dh.h 1.1.1.1.2.4.8.1 src/crypto/openssl/crypto/dh/dh_err.c 1.1.1.1.2.3.8.1 src/crypto/openssl/crypto/dh/dh_key.c 1.1.1.1.2.7.6.1 src/crypto/openssl/crypto/dsa/dsa.h 1.1.1.1.2.4.8.1 src/crypto/openssl/crypto/dsa/dsa_err.c 1.1.1.1.2.3.8.1 src/crypto/openssl/crypto/dsa/dsa_ossl.c 1.1.1.1.2.7.6.1 src/crypto/openssl/crypto/rsa/rsa.h 1.2.2.8.4.1 src/crypto/openssl/crypto/rsa/rsa_eay.c 1.2.4.8.4.1 src/crypto/openssl/crypto/rsa/rsa_err.c 1.1.1.1.2.3.8.1 src/crypto/openssl/ssl/s2_clnt.c 1.2.2.8.4.1 src/crypto/openssl/ssl/s3_srvr.c 1.1.1.1.2.9.4.1 src/crypto/openssl/ssl/ssl_lib.c 1.1.1.1.2.8.4.1 RELENG_5 src/crypto/openssl/crypto/asn1/tasn_dec.c 1.1.1.2.4.1 src/crypto/openssl/crypto/dh/dh.h 1.1.1.6.6.1 src/crypto/openssl/crypto/dh/dh_err.c 1.1.1.4.6.2 src/crypto/openssl/crypto/dh/dh_key.c 1.1.1.8.4.2 src/crypto/openssl/crypto/dsa/dsa.h 1.1.1.6.6.2 src/crypto/openssl/crypto/dsa/dsa_err.c 1.1.1.4.6.1 src/crypto/openssl/crypto/dsa/dsa_ossl.c 1.1.1.7.4.2 src/crypto/openssl/crypto/rsa/rsa.h 1.10.4.2 src/crypto/openssl/crypto/rsa/rsa_eay.c 1.12.4.2 src/crypto/openssl/crypto/rsa/rsa_err.c 1.1.1.4.6.1 src/crypto/openssl/ssl/s2_clnt.c 1.12.2.2 src/crypto/openssl/ssl/s3_srvr.c 1.1.1.13.2.2 src/crypto/openssl/ssl/ssl_lib.c 1.1.1.11.2.2 RELENG_5_5 src/UPDATING 1.342.2.35.2.6 src/sys/conf/newvers.sh 1.62.2.21.2.8 src/crypto/openssl/crypto/asn1/tasn_dec.c 1.1.1.2.16.1 src/crypto/openssl/crypto/dh/dh.h 1.1.1.6.18.1 src/crypto/openssl/crypto/dh/dh_err.c 1.1.1.4.6.1.4.1 src/crypto/openssl/crypto/dh/dh_key.c 1.1.1.8.4.1.4.1 src/crypto/openssl/crypto/dsa/dsa.h 1.1.1.6.6.1.4.1 src/crypto/openssl/crypto/dsa/dsa_err.c 1.1.1.4.18.1 src/crypto/openssl/crypto/dsa/dsa_ossl.c 1.1.1.7.4.1.4.1 src/crypto/openssl/crypto/rsa/rsa.h 1.10.4.1.4.1 src/crypto/openssl/crypto/rsa/rsa_eay.c 1.12.4.1.4.1 src/crypto/openssl/crypto/rsa/rsa_err.c 1.1.1.4.18.1 src/crypto/openssl/ssl/s2_clnt.c 1.12.2.1.4.1 src/crypto/openssl/ssl/s3_srvr.c 1.1.1.13.2.1.4.1 src/crypto/openssl/ssl/ssl_lib.c 1.1.1.11.2.1.4.1 RELENG_5_4 src/UPDATING 1.342.2.24.2.29 src/sys/conf/newvers.sh 1.62.2.18.2.25 src/crypto/openssl/crypto/asn1/tasn_dec.c 1.1.1.2.8.1 src/crypto/openssl/crypto/dh/dh.h 1.1.1.6.10.1 src/crypto/openssl/crypto/dh/dh_err.c 1.1.1.4.6.1.2.1 src/crypto/openssl/crypto/dh/dh_key.c 1.1.1.8.4.1.2.1 src/crypto/openssl/crypto/dsa/dsa.h 1.1.1.6.6.1.2.1 src/crypto/openssl/crypto/dsa/dsa_err.c 1.1.1.4.10.1 src/crypto/openssl/crypto/dsa/dsa_ossl.c 1.1.1.7.4.1.2.1 src/crypto/openssl/crypto/rsa/rsa.h 1.10.4.1.2.1 src/crypto/openssl/crypto/rsa/rsa_eay.c 1.12.4.1.2.1 src/crypto/openssl/crypto/rsa/rsa_err.c 1.1.1.4.10.1 src/crypto/openssl/ssl/s2_clnt.c 1.12.2.1.2.1 src/crypto/openssl/ssl/s3_srvr.c 1.1.1.13.2.1.2.1 src/crypto/openssl/ssl/ssl_lib.c 1.1.1.11.2.1.2.1 RELENG_5_3 src/UPDATING 1.342.2.13.2.38 src/sys/conf/newvers.sh 1.62.2.15.2.40 src/crypto/openssl/crypto/asn1/tasn_dec.c 1.1.1.2.6.1 src/crypto/openssl/crypto/dh/dh.h 1.1.1.6.8.1 src/crypto/openssl/crypto/dh/dh_err.c 1.1.1.4.8.1 src/crypto/openssl/crypto/dh/dh_key.c 1.1.1.8.6.1 src/crypto/openssl/crypto/dsa/dsa.h 1.1.1.6.8.1 src/crypto/openssl/crypto/dsa/dsa_err.c 1.1.1.4.8.1 src/crypto/openssl/crypto/dsa/dsa_ossl.c 1.1.1.7.6.1 src/crypto/openssl/crypto/rsa/rsa.h 1.10.6.1 src/crypto/openssl/crypto/rsa/rsa_eay.c 1.12.6.1 src/crypto/openssl/crypto/rsa/rsa_err.c 1.1.1.4.8.1 src/crypto/openssl/ssl/s2_clnt.c 1.12.4.1 src/crypto/openssl/ssl/s3_srvr.c 1.1.1.13.4.1 src/crypto/openssl/ssl/ssl_lib.c 1.1.1.11.4.1 RELENG_6 src/crypto/openssl/crypto/asn1/tasn_dec.c 1.1.1.2.10.1 src/crypto/openssl/crypto/dh/dh.h 1.1.1.6.12.1 src/crypto/openssl/crypto/dh/dh_err.c 1.1.1.5.2.1 src/crypto/openssl/crypto/dh/dh_key.c 1.1.1.9.2.1 src/crypto/openssl/crypto/dsa/dsa.h 1.1.1.7.2.1 src/crypto/openssl/crypto/dsa/dsa_err.c 1.1.1.4.12.1 src/crypto/openssl/crypto/dsa/dsa_ossl.c 1.1.1.8.2.1 src/crypto/openssl/crypto/rsa/rsa.h 1.11.2.1 src/crypto/openssl/crypto/rsa/rsa_eay.c 1.13.2.1 src/crypto/openssl/crypto/rsa/rsa_err.c 1.1.1.4.12.1 src/crypto/openssl/ssl/s2_clnt.c 1.13.2.1 src/crypto/openssl/ssl/s3_srvr.c 1.1.1.14.2.1 src/crypto/openssl/ssl/ssl_lib.c 1.1.1.12.2.1 RELENG_6_1 src/UPDATING 1.416.2.22.2.10 src/sys/conf/newvers.sh 1.69.2.11.2.10 src/crypto/openssl/crypto/asn1/tasn_dec.c 1.1.1.2.14.1 src/crypto/openssl/crypto/dh/dh.h 1.1.1.6.16.1 src/crypto/openssl/crypto/dh/dh_err.c 1.1.1.5.6.1 src/crypto/openssl/crypto/dh/dh_key.c 1.1.1.9.6.1 src/crypto/openssl/crypto/dsa/dsa.h 1.1.1.7.6.1 src/crypto/openssl/crypto/dsa/dsa_err.c 1.1.1.4.16.1 src/crypto/openssl/crypto/dsa/dsa_ossl.c 1.1.1.8.6.1 src/crypto/openssl/crypto/rsa/rsa.h 1.11.6.1 src/crypto/openssl/crypto/rsa/rsa_eay.c 1.13.6.1 src/crypto/openssl/crypto/rsa/rsa_err.c 1.1.1.4.16.1 src/crypto/openssl/ssl/s2_clnt.c 1.13.6.1 src/crypto/openssl/ssl/s3_srvr.c 1.1.1.14.6.1 src/crypto/openssl/ssl/ssl_lib.c 1.1.1.12.6.1 RELENG_6_0 src/UPDATING 1.416.2.3.2.18 src/sys/conf/newvers.sh 1.69.2.8.2.14 src/crypto/openssl/crypto/asn1/tasn_dec.c 1.1.1.2.12.1 src/crypto/openssl/crypto/dh/dh.h 1.1.1.6.14.1 src/crypto/openssl/crypto/dh/dh_err.c 1.1.1.5.4.1 src/crypto/openssl/crypto/dh/dh_key.c 1.1.1.9.4.1 src/crypto/openssl/crypto/dsa/dsa.h 1.1.1.7.4.1 src/crypto/openssl/crypto/dsa/dsa_err.c 1.1.1.4.14.1 src/crypto/openssl/crypto/dsa/dsa_ossl.c 1.1.1.8.4.1 src/crypto/openssl/crypto/rsa/rsa.h 1.11.4.1 src/crypto/openssl/crypto/rsa/rsa_eay.c 1.13.4.1 src/crypto/openssl/crypto/rsa/rsa_err.c 1.1.1.4.14.1 src/crypto/openssl/ssl/s2_clnt.c 1.13.4.1 src/crypto/openssl/ssl/s3_srvr.c 1.1.1.14.4.1 src/crypto/openssl/ssl/ssl_lib.c 1.1.1.12.4.1 - ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343 The latest revision of this advisory is available at http://security.FreeBSD.org/advisories/FreeBSD-SA-06:23.openssl.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (FreeBSD) iD8DBQFFG8l8FdaIBMps37IRAn0pAKCRuDXjFm2w7YtoZ9C6oVgM9UK0GgCdHdYu 7owfMI1ZVr22prZNmPTeM7k= =DguL -----END PGP SIGNATURE----- _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" From owner-freebsd-security@FreeBSD.ORG Thu Sep 28 13:46:28 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5A80B16A40F; Thu, 28 Sep 2006 13:46:28 +0000 (UTC) (envelope-from wmoran@potentialtech.com) Received: from internet.potentialtech.com (internet.potentialtech.com [66.167.251.6]) by mx1.FreeBSD.org (Postfix) with ESMTP id E69FE43D6B; Thu, 28 Sep 2006 13:46:27 +0000 (GMT) (envelope-from wmoran@potentialtech.com) Received: from vanquish.pgh.priv.collaborativefusion.com (pr40.pitbpa0.pub.collaborativefusion.com [206.210.89.202]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by internet.potentialtech.com (Postfix) with ESMTP id 1F13B69A22; Thu, 28 Sep 2006 09:46:27 -0400 (EDT) Date: Thu, 28 Sep 2006 09:46:26 -0400 From: Bill Moran To: Colin Percival Message-Id: <20060928094626.012b930c.wmoran@potentialtech.com> In-Reply-To: <451BCF1E.2070609@freebsd.org> References: <20060928092437.4a4923a7.wmoran@potentialtech.com> <451BCF1E.2070609@freebsd.org> X-Mailer: Sylpheed version 2.2.7 (GTK+ 2.8.20; i386-portbld-freebsd6.1) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Thu, 28 Sep 2006 20:16:12 +0000 Cc: freebsd security , questions@freebsd.org Subject: Re: Fw: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-06:23.openssl X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Sep 2006 13:46:28 -0000 In response to Colin Percival : > Bill Moran wrote: > > Can anyone define "exceptionally large" as noted in this statement?: > > > > "NOTE ALSO: The above patch reduces the functionality of libcrypto(3) by > > prohibiting the use of exceptionally large public keys. It is believed > > that no existing applications legitimately use such key lengths as would > > be affected by this change." > > > > It would be nice if "exceptionally large" were replaced with "keys in > > excess of x bits in size" or something. I don't expect that this will > > affect me, but ambiguous statements like that make me uncomfortable. > > DH and DSA are limited to 10000 bits. RSA is limited to 16400 or 4112 bits > depending upon whether the public exponent is less or more than 72 bits. > > I wouldn't have allowed this change into the security branches if I was not > very very confident that no applications would be affected by this. > > Colin Percival I'm not questioning your ability to make these decisions, Colin. Far, far from it. I'm the type that is made uncomfortable by any statement that reads _anything_ like "don't worry, we've taken care of it." Take that email as two separate statements: 1) I'm curious as to exactly how big "exceptionally large" is. 2) I think this security advisory could be improved by including the answer to #1. Thanks for the quick response, and all the work you do. -- Bill Moran Collaborative Fusion Inc. From owner-freebsd-security@FreeBSD.ORG Thu Sep 28 23:10:07 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7281016A492 for ; Thu, 28 Sep 2006 23:10:07 +0000 (UTC) (envelope-from mike@sentex.net) Received: from ssl3.sentex.ca (vinyl2.sentex.ca [199.212.134.13]) by mx1.FreeBSD.org (Postfix) with ESMTP id EEECC43D49 for ; Thu, 28 Sep 2006 23:10:06 +0000 (GMT) (envelope-from mike@sentex.net) Received: from mdt-xp.sentex.net (pyroxene.sentex.ca [199.212.134.18]) by ssl3.sentex.ca (8.13.6/8.13.6) with ESMTP id k8SNA5Il058977 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Thu, 28 Sep 2006 19:10:05 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <7.0.1.0.0.20060928190249.17650ab8@sentex.net> X-Mailer: QUALCOMM Windows Eudora Version 7.0.1.0 Date: Thu, 28 Sep 2006 19:08:06 -0400 To: freebsd-security@freebsd.org From: Mike Tancsa Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Subject: OpenSSH DoS issue ? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Sep 2006 23:10:07 -0000 Is the version in FreeBSD vulnerable ? http://www.openssh.com/txt/release-4.4 I know version 1 is disabled by default, but if its not, does it impact the daemon ? ---Mike -------------------------------------------------------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet since 1994 www.sentex.net Cambridge, Ontario Canada www.sentex.net/mike From owner-freebsd-security@FreeBSD.ORG Fri Sep 29 03:45:03 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3EF7516A403 for ; Fri, 29 Sep 2006 03:45:03 +0000 (UTC) (envelope-from cperciva@freebsd.org) Received: from pd5mo1so.prod.shaw.ca (shawidc-mo1.cg.shawcable.net [24.71.223.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id C641C43D45 for ; Fri, 29 Sep 2006 03:45:02 +0000 (GMT) (envelope-from cperciva@freebsd.org) Received: from pd4mr4so.prod.shaw.ca (pd4mr4so-qfe3.prod.shaw.ca [10.0.141.215]) by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with ESMTP id <0J6C00E9R51SYW20@l-daemon> for freebsd-security@freebsd.org; Thu, 28 Sep 2006 21:44:16 -0600 (MDT) Received: from pn2ml4so.prod.shaw.ca ([10.0.121.148]) by pd4mr4so.prod.shaw.ca (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with ESMTP id <0J6C009U951SRO90@pd4mr4so.prod.shaw.ca> for freebsd-security@freebsd.org; Thu, 28 Sep 2006 21:44:16 -0600 (MDT) Received: from hexahedron.daemonology.net ([24.82.18.31]) by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with SMTP id <0J6C0082F51SFGE0@l-daemon> for freebsd-security@freebsd.org; Thu, 28 Sep 2006 21:44:16 -0600 (MDT) Received: (qmail 96144 invoked from network); Fri, 29 Sep 2006 03:44:15 +0000 Received: from unknown (HELO ?127.0.0.1?) (127.0.0.1) by localhost with SMTP; Fri, 29 Sep 2006 03:44:15 +0000 Date: Thu, 28 Sep 2006 20:44:15 -0700 From: Colin Percival In-reply-to: <7.0.1.0.0.20060928190249.17650ab8@sentex.net> To: Mike Tancsa Message-id: <451C968F.6060204@freebsd.org> MIME-version: 1.0 Content-type: text/plain; charset=ISO-8859-1 Content-transfer-encoding: 7bit X-Enigmail-Version: 0.94.0.0 References: <7.0.1.0.0.20060928190249.17650ab8@sentex.net> User-Agent: Thunderbird 1.5 (X11/20060416) Cc: freebsd-security@freebsd.org Subject: Re: OpenSSH DoS issue ? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Sep 2006 03:45:03 -0000 Mike Tancsa wrote: > Is the version in FreeBSD vulnerable ? > > http://www.openssh.com/txt/release-4.4 > > I know version 1 is disabled by default, but if its not, does it impact > the daemon ? Yes. This will be addressed in FreeBSD-SA-06:22.openssh (originally planned for today, but delayed because of some last-minute problems.) Colin Percival From owner-freebsd-security@FreeBSD.ORG Fri Sep 29 09:02:32 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7939E16A40F for ; Fri, 29 Sep 2006 09:02:32 +0000 (UTC) (envelope-from past@ebs.gr) Received: from fly.ebs.gr (fly.ebs.gr [83.171.239.113]) by mx1.FreeBSD.org (Postfix) with ESMTP id A8DC243D46 for ; Fri, 29 Sep 2006 09:02:31 +0000 (GMT) (envelope-from past@ebs.gr) Received: from ebs.gr (root@hal.ebs.gr [10.1.1.2]) by fly.ebs.gr (8.12.9p1/8.12.9) with ESMTP id k8T92U1T016822 for ; Fri, 29 Sep 2006 12:02:30 +0300 (EEST) (envelope-from past@ebs.gr) Received: from [10.1.1.157] (pc157.ebs.gr [10.1.1.157]) by ebs.gr (8.13.6/8.13.6) with ESMTP id k8T92Uq9067965 for ; Fri, 29 Sep 2006 12:02:30 +0300 (EEST) (envelope-from past@ebs.gr) Received: from 127.0.0.1 (AVG SMTP 7.1.407 [268.12.9/458]); Fri, 29 Sep 2006 12:02:29 +0300 Message-ID: <451CE125.8010207@ebs.gr> Date: Fri, 29 Sep 2006 12:02:29 +0300 From: Panagiotis Astithas Organization: EBS Ltd. User-Agent: Thunderbird 1.5.0.7 (Windows/20060909) MIME-Version: 1.0 To: freebsd-security@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Binary updates for SA-06:23? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Sep 2006 09:02:32 -0000 Is it just me, or freebsd-update isn't yet shipping the openssl updates? I'm trying (on an SMP machine) to fetch them, but there seem to be none available. I'd like to confirm that sleep deprivation isn't the culprit here, so I've checked in /usr/local/freebsd-update/work/ and the subdirectory with the highest number contains the SA-06:21 files. Anyone seen that clue bat please? Thanks, Panagiotis From owner-freebsd-security@FreeBSD.ORG Fri Sep 29 09:33:14 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B5F7616A40F for ; Fri, 29 Sep 2006 09:33:14 +0000 (UTC) (envelope-from matthijs@groov.nl) Received: from stack.groov.nl (stack.groov.nl [84.16.252.210]) by mx1.FreeBSD.org (Postfix) with ESMTP id 586B543D49 for ; Fri, 29 Sep 2006 09:33:14 +0000 (GMT) (envelope-from matthijs@groov.nl) Received: from localhost (stack.groov.nl [84.16.252.210]) by stack.groov.nl (Postfix) with ESMTP id F29E711467; Fri, 29 Sep 2006 11:33:09 +0200 (CEST) MIME-Version: 1.0 Date: Fri, 29 Sep 2006 11:33:09 +0200 From: Matthijs Breemans To: Panagiotis Astithas , freebsd-security@freebsd.org In-Reply-To: <451CE125.8010207@ebs.gr> References: <451CE125.8010207@ebs.gr> Message-ID: X-Sender: matthijs@groov.nl User-Agent: RoundCube Webmail/0.1b Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 8bit Cc: Subject: Re: Binary updates for SA-06:23? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Sep 2006 09:33:14 -0000 They published the updates yesterday, i think. On Fri, 29 Sep 2006 12:02:29 +0300, Panagiotis Astithas wrote: > Is it just me, or freebsd-update isn't yet shipping the openssl updates? > I'm trying (on an SMP machine) to fetch them, but there seem to be none > available. I'd like to confirm that sleep deprivation isn't the culprit > here, so I've checked in /usr/local/freebsd-update/work/ and the > subdirectory with the highest number contains the SA-06:21 files. > > Anyone seen that clue bat please? > > Thanks, > > Panagiotis > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to > "freebsd-security-unsubscribe@freebsd.org" -- Regards, Matthijs Breemans From owner-freebsd-security@FreeBSD.ORG Fri Sep 29 12:41:53 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 73BAF16A407 for ; Fri, 29 Sep 2006 12:41:53 +0000 (UTC) (envelope-from past@ebs.gr) Received: from fly.ebs.gr (fly.ebs.gr [83.171.239.113]) by mx1.FreeBSD.org (Postfix) with ESMTP id B3F3743D5F for ; Fri, 29 Sep 2006 12:41:51 +0000 (GMT) (envelope-from past@ebs.gr) Received: from ebs.gr (root@hal.ebs.gr [10.1.1.2]) by fly.ebs.gr (8.12.9p1/8.12.9) with ESMTP id k8TCfn1T017374; Fri, 29 Sep 2006 15:41:49 +0300 (EEST) (envelope-from past@ebs.gr) Received: from [10.1.1.157] (pc157.ebs.gr [10.1.1.157]) by ebs.gr (8.13.6/8.13.6) with ESMTP id k8TCfkNL029314; Fri, 29 Sep 2006 15:41:48 +0300 (EEST) (envelope-from past@ebs.gr) Received: from 127.0.0.1 (AVG SMTP 7.1.407 [268.12.9/458]); Fri, 29 Sep 2006 15:41:45 +0300 Message-ID: <451D1489.4040307@ebs.gr> Date: Fri, 29 Sep 2006 15:41:45 +0300 From: Panagiotis Astithas Organization: EBS Ltd. User-Agent: Thunderbird 1.5.0.7 (Windows/20060909) MIME-Version: 1.0 To: Matthijs Breemans References: <451CE125.8010207@ebs.gr> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org Subject: Re: Binary updates for SA-06:23? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Sep 2006 12:41:53 -0000 Matthijs Breemans wrote: > On Fri, 29 Sep 2006 12:02:29 +0300, Panagiotis Astithas wrote: >> Is it just me, or freebsd-update isn't yet shipping the openssl updates? >> I'm trying (on an SMP machine) to fetch them, but there seem to be none >> available. I'd like to confirm that sleep deprivation isn't the culprit >> here, so I've checked in /usr/local/freebsd-update/work/ and the >> subdirectory with the highest number contains the SA-06:21 files. >> >> Anyone seen that clue bat please? >> > They published the updates yesterday, i think. That's weird then. # pwd /usr/local/freebsd-update/work # find . -type f -name libcrypto\* ./35/install/lib/libcrypto.so.4 ./35/install/usr/lib/libcrypto_p.a ./35/install/usr/lib/libcrypto.a ./35/rollback/lib/libcrypto.so.4 ./35/rollback/usr/lib/libcrypto.a ./35/rollback/usr/lib/libcrypto_p.a # ls -l 35/updates -rw-r--r-- 1 root wheel 1379 Sep 7 10:26 35/updates This would indicate that update #35 is from SA-06:19. Yet, I get no more updates: # freebsd-update fetch Fetching updates signature... Fetching hash list signature... Examining local system... No updates available In case it matters, this is on 6.1-SECURITY/SMP with freebsd-update from ports. Thanks, Panagiotis From owner-freebsd-security@FreeBSD.ORG Fri Sep 29 12:51:06 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 776B516A40F for ; Fri, 29 Sep 2006 12:51:06 +0000 (UTC) (envelope-from cperciva@freebsd.org) Received: from pd5mo2so.prod.shaw.ca (shawidc-mo1.cg.shawcable.net [24.71.223.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1557343D53 for ; Fri, 29 Sep 2006 12:51:06 +0000 (GMT) (envelope-from cperciva@freebsd.org) Received: from pd4mr2so.prod.shaw.ca (pd4mr2so-qfe3.prod.shaw.ca [10.0.141.213]) by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with ESMTP id <0J6C002CNUD5TSD0@l-daemon> for freebsd-security@freebsd.org; Fri, 29 Sep 2006 06:51:05 -0600 (MDT) Received: from pn2ml5so.prod.shaw.ca ([10.0.121.149]) by pd4mr2so.prod.shaw.ca (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with ESMTP id <0J6C002UEUD5S6H0@pd4mr2so.prod.shaw.ca> for freebsd-security@freebsd.org; Fri, 29 Sep 2006 06:51:05 -0600 (MDT) Received: from hexahedron.daemonology.net ([24.82.18.31]) by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with SMTP id <0J6C0006PUD4I5G0@l-daemon> for freebsd-security@freebsd.org; Fri, 29 Sep 2006 06:51:05 -0600 (MDT) Received: (qmail 98717 invoked from network); Fri, 29 Sep 2006 12:51:04 +0000 Received: from unknown (HELO ?127.0.0.1?) (127.0.0.1) by localhost with SMTP; Fri, 29 Sep 2006 12:51:04 +0000 Date: Fri, 29 Sep 2006 05:51:04 -0700 From: Colin Percival In-reply-to: <451D1489.4040307@ebs.gr> To: Panagiotis Astithas Message-id: <451D16B8.4090202@freebsd.org> MIME-version: 1.0 Content-type: text/plain; charset=ISO-8859-1 Content-transfer-encoding: 7bit X-Enigmail-Version: 0.94.0.0 References: <451CE125.8010207@ebs.gr> <451D1489.4040307@ebs.gr> User-Agent: Thunderbird 1.5 (X11/20060416) Cc: freebsd-security@freebsd.org Subject: Re: Binary updates for SA-06:23? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Sep 2006 12:51:06 -0000 Panagiotis Astithas wrote: > This would indicate that update #35 is from SA-06:19. Yet, I get no more > updates: > > # freebsd-update fetch > Fetching updates signature... > Fetching hash list signature... > Examining local system... > No updates available > > In case it matters, this is on 6.1-SECURITY/SMP with freebsd-update from > ports. Please send me the output of # ls -l /lib/libcrypto.so.4 # strings /lib/libcrypto.so.4 | grep 2006 # md5 /lib/libcrypto.so.4 Colin Percival From owner-freebsd-security@FreeBSD.ORG Fri Sep 29 14:00:05 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6997116A412; Fri, 29 Sep 2006 14:00:05 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5FF4343D6A; Fri, 29 Sep 2006 13:59:59 +0000 (GMT) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (cperciva@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k8TDxxNY088895; Fri, 29 Sep 2006 13:59:59 GMT (envelope-from security-advisories@freebsd.org) Received: (from cperciva@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k8TDxxvj088894; Fri, 29 Sep 2006 13:59:59 GMT (envelope-from security-advisories@freebsd.org) Date: Fri, 29 Sep 2006 13:59:59 GMT Message-Id: <200609291359.k8TDxxvj088894@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: cperciva set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Cc: Subject: FreeBSD Security Advisory FreeBSD-SA-06:23.openssl [REVISED] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Reply-To: security-advisories@freebsd.org List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Sep 2006 14:00:05 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-06:23.openssl Security Advisory The FreeBSD Project Topic: Multiple problems in crypto(3) Category: contrib Module: openssl Announced: 2006-09-28 Credits: Dr S N Henson, Tavis Ormandy, Will Drewry Stephen Kiernan (Juniper SIRT) Affects: All FreeBSD releases. Corrected: 2006-09-29 13:44:03 UTC (RELENG_6, 6.2-PRERELEASE) 2006-09-29 13:44:31 UTC (RELENG_6_1, 6.1-RELEASE-p9) 2006-09-29 13:44:45 UTC (RELENG_6_0, 6.0-RELEASE-p14) 2006-09-29 13:45:01 UTC (RELENG_5, 5.5-STABLE) 2006-09-29 13:45:43 UTC (RELENG_5_5, 5.5-RELEASE-p7) 2006-09-29 13:45:59 UTC (RELENG_5_4, 5.4-RELEASE-p21) 2006-09-29 13:46:10 UTC (RELENG_5_3, 5.3-RELEASE-p36) 2006-09-29 13:46:23 UTC (RELENG_4, 4.11-STABLE) 2006-09-29 13:46:41 UTC (RELENG_4_11, 4.11-RELEASE-p24) CVE Name: CVE-2006-2937, CVE-2006-2940, CVE-2006-3738, CVE-2006-4343 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . 0. Revision History v1.0 2006-09-28 Initial release. v1.1 2006-09-29 Corrected patch. I. Background FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. II. Problem Description Several problems have been found in OpenSSL: 1. During the parsing of certain invalid ASN1 structures an error condition is mishandled, possibly resulting in an infinite loop. [CVE-2006-2937] 2. A buffer overflow exists in the SSL_get_shared_ciphers function. [CVE-2006-3738] 3. A NULL pointer may be dereferenced in the SSL version 2 client code. [CVE-2006-4343] In addition, many applications using OpenSSL do not perform any validation of the lengths of public keys being used. [CVE-2006-2940] III. Impact Servers which parse ASN1 data from untrusted sources may be vulnerable to a denial of service attack. [CVE-2006-2937] An attacker accessing a server which uses SSL version 2 may be able to execute arbitrary code with the privileges of that server. [CVE-2006-3738] A malicious SSL server can cause clients connecting using SSL version 2 to crash. [CVE-2006-4343] Applications which perform public key operations using untrusted keys may be vulnerable to a denial of service attack. [CVE-2006-2940] IV. Workaround No workaround is available, but not all of the vulnerabilities mentioned affect all applications. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 4-STABLE, 5-STABLE, or 6-STABLE, or to the RELENG_6_1, RELENG_6_0, RELENG_5_5, RELENG_5_4, RELENG_5_3, or RELENG_4_11 security branch dated after the correction date. 2) To patch your present system: The following patch has been verified to apply to FreeBSD 4.11, 5.3, 5.4, 5.5, 6.0, and 6.1 systems. a) Download the patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/SA-06:23/openssl.patch # fetch http://security.FreeBSD.org/patches/SA-06:23/openssl.patch.asc NOTE: The patch distributed at the time of the original advisory was incorrect. Systems to which the original patch was applied should be patched with the following corrective patch, which contains only the changes between the original and updated patch: # fetch http://security.FreeBSD.org/patches/SA-06:23/openssl-correction.patch # fetch http://security.FreeBSD.org/patches/SA-06:23/openssl-correction.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system as described in and reboot the system. NOTE: Any third-party applications, including those installed from the FreeBSD ports collection, which are statically linked to libcrypto(3) should be recompiled in order to use the corrected code. NOTE ALSO: The above patch reduces the functionality of libcrypto(3) by prohibiting the use of exceptionally large public keys. It is believed that no existing applications legitimately use such key lengths as would be affected by this change. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_4 src/crypto/openssl/crypto/asn1/tasn_dec.c 1.1.1.1.2.3 src/crypto/openssl/crypto/dh/dh.h 1.1.1.1.2.5 src/crypto/openssl/crypto/dh/dh_err.c 1.1.1.1.2.4 src/crypto/openssl/crypto/dh/dh_key.c 1.1.1.1.2.9 src/crypto/openssl/crypto/dsa/dsa.h 1.1.1.1.2.5 src/crypto/openssl/crypto/dsa/dsa_err.c 1.1.1.1.2.4 src/crypto/openssl/crypto/dsa/dsa_ossl.c 1.1.1.1.2.8 src/crypto/openssl/crypto/rsa/rsa.h 1.2.2.9 src/crypto/openssl/crypto/rsa/rsa_eay.c 1.2.4.9 src/crypto/openssl/crypto/rsa/rsa_err.c 1.1.1.1.2.4 src/crypto/openssl/ssl/s2_clnt.c 1.2.2.9 src/crypto/openssl/ssl/s3_srvr.c 1.1.1.1.2.10 src/crypto/openssl/ssl/ssl_lib.c 1.1.1.1.2.9 RELENG_4_11 src/UPDATING 1.73.2.91.2.25 src/sys/conf/newvers.sh 1.44.2.39.2.28 src/crypto/openssl/crypto/asn1/tasn_dec.c 1.1.1.1.2.2.6.1 src/crypto/openssl/crypto/dh/dh.h 1.1.1.1.2.4.8.1 src/crypto/openssl/crypto/dh/dh_err.c 1.1.1.1.2.3.8.1 src/crypto/openssl/crypto/dh/dh_key.c 1.1.1.1.2.7.6.2 src/crypto/openssl/crypto/dsa/dsa.h 1.1.1.1.2.4.8.1 src/crypto/openssl/crypto/dsa/dsa_err.c 1.1.1.1.2.3.8.1 src/crypto/openssl/crypto/dsa/dsa_ossl.c 1.1.1.1.2.7.6.1 src/crypto/openssl/crypto/rsa/rsa.h 1.2.2.8.4.1 src/crypto/openssl/crypto/rsa/rsa_eay.c 1.2.4.8.4.1 src/crypto/openssl/crypto/rsa/rsa_err.c 1.1.1.1.2.3.8.1 src/crypto/openssl/ssl/s2_clnt.c 1.2.2.8.4.1 src/crypto/openssl/ssl/s3_srvr.c 1.1.1.1.2.9.4.1 src/crypto/openssl/ssl/ssl_lib.c 1.1.1.1.2.8.4.1 RELENG_5 src/crypto/openssl/crypto/asn1/tasn_dec.c 1.1.1.2.4.1 src/crypto/openssl/crypto/dh/dh.h 1.1.1.6.6.1 src/crypto/openssl/crypto/dh/dh_err.c 1.1.1.4.6.2 src/crypto/openssl/crypto/dh/dh_key.c 1.1.1.8.4.3 src/crypto/openssl/crypto/dsa/dsa.h 1.1.1.6.6.2 src/crypto/openssl/crypto/dsa/dsa_err.c 1.1.1.4.6.1 src/crypto/openssl/crypto/dsa/dsa_ossl.c 1.1.1.7.4.2 src/crypto/openssl/crypto/rsa/rsa.h 1.10.4.2 src/crypto/openssl/crypto/rsa/rsa_eay.c 1.12.4.2 src/crypto/openssl/crypto/rsa/rsa_err.c 1.1.1.4.6.1 src/crypto/openssl/ssl/s2_clnt.c 1.12.2.2 src/crypto/openssl/ssl/s3_srvr.c 1.1.1.13.2.2 src/crypto/openssl/ssl/ssl_lib.c 1.1.1.11.2.2 RELENG_5_5 src/UPDATING 1.342.2.35.2.7 src/sys/conf/newvers.sh 1.62.2.21.2.9 src/crypto/openssl/crypto/asn1/tasn_dec.c 1.1.1.2.16.1 src/crypto/openssl/crypto/dh/dh.h 1.1.1.6.18.1 src/crypto/openssl/crypto/dh/dh_err.c 1.1.1.4.6.1.4.1 src/crypto/openssl/crypto/dh/dh_key.c 1.1.1.8.4.1.4.2 src/crypto/openssl/crypto/dsa/dsa.h 1.1.1.6.6.1.4.1 src/crypto/openssl/crypto/dsa/dsa_err.c 1.1.1.4.18.1 src/crypto/openssl/crypto/dsa/dsa_ossl.c 1.1.1.7.4.1.4.1 src/crypto/openssl/crypto/rsa/rsa.h 1.10.4.1.4.1 src/crypto/openssl/crypto/rsa/rsa_eay.c 1.12.4.1.4.1 src/crypto/openssl/crypto/rsa/rsa_err.c 1.1.1.4.18.1 src/crypto/openssl/ssl/s2_clnt.c 1.12.2.1.4.1 src/crypto/openssl/ssl/s3_srvr.c 1.1.1.13.2.1.4.1 src/crypto/openssl/ssl/ssl_lib.c 1.1.1.11.2.1.4.1 RELENG_5_4 src/UPDATING 1.342.2.24.2.30 src/sys/conf/newvers.sh 1.62.2.18.2.26 src/crypto/openssl/crypto/asn1/tasn_dec.c 1.1.1.2.8.1 src/crypto/openssl/crypto/dh/dh.h 1.1.1.6.10.1 src/crypto/openssl/crypto/dh/dh_err.c 1.1.1.4.6.1.2.1 src/crypto/openssl/crypto/dh/dh_key.c 1.1.1.8.4.1.2.2 src/crypto/openssl/crypto/dsa/dsa.h 1.1.1.6.6.1.2.1 src/crypto/openssl/crypto/dsa/dsa_err.c 1.1.1.4.10.1 src/crypto/openssl/crypto/dsa/dsa_ossl.c 1.1.1.7.4.1.2.1 src/crypto/openssl/crypto/rsa/rsa.h 1.10.4.1.2.1 src/crypto/openssl/crypto/rsa/rsa_eay.c 1.12.4.1.2.1 src/crypto/openssl/crypto/rsa/rsa_err.c 1.1.1.4.10.1 src/crypto/openssl/ssl/s2_clnt.c 1.12.2.1.2.1 src/crypto/openssl/ssl/s3_srvr.c 1.1.1.13.2.1.2.1 src/crypto/openssl/ssl/ssl_lib.c 1.1.1.11.2.1.2.1 RELENG_5_3 src/UPDATING 1.342.2.13.2.39 src/sys/conf/newvers.sh 1.62.2.15.2.41 src/crypto/openssl/crypto/asn1/tasn_dec.c 1.1.1.2.6.1 src/crypto/openssl/crypto/dh/dh.h 1.1.1.6.8.1 src/crypto/openssl/crypto/dh/dh_err.c 1.1.1.4.8.1 src/crypto/openssl/crypto/dh/dh_key.c 1.1.1.8.6.2 src/crypto/openssl/crypto/dsa/dsa.h 1.1.1.6.8.1 src/crypto/openssl/crypto/dsa/dsa_err.c 1.1.1.4.8.1 src/crypto/openssl/crypto/dsa/dsa_ossl.c 1.1.1.7.6.1 src/crypto/openssl/crypto/rsa/rsa.h 1.10.6.1 src/crypto/openssl/crypto/rsa/rsa_eay.c 1.12.6.1 src/crypto/openssl/crypto/rsa/rsa_err.c 1.1.1.4.8.1 src/crypto/openssl/ssl/s2_clnt.c 1.12.4.1 src/crypto/openssl/ssl/s3_srvr.c 1.1.1.13.4.1 src/crypto/openssl/ssl/ssl_lib.c 1.1.1.11.4.1 RELENG_6 src/crypto/openssl/crypto/asn1/tasn_dec.c 1.1.1.2.10.1 src/crypto/openssl/crypto/dh/dh.h 1.1.1.6.12.1 src/crypto/openssl/crypto/dh/dh_err.c 1.1.1.5.2.1 src/crypto/openssl/crypto/dh/dh_key.c 1.1.1.9.2.2 src/crypto/openssl/crypto/dsa/dsa.h 1.1.1.7.2.1 src/crypto/openssl/crypto/dsa/dsa_err.c 1.1.1.4.12.1 src/crypto/openssl/crypto/dsa/dsa_ossl.c 1.1.1.8.2.1 src/crypto/openssl/crypto/rsa/rsa.h 1.11.2.1 src/crypto/openssl/crypto/rsa/rsa_eay.c 1.13.2.1 src/crypto/openssl/crypto/rsa/rsa_err.c 1.1.1.4.12.1 src/crypto/openssl/ssl/s2_clnt.c 1.13.2.1 src/crypto/openssl/ssl/s3_srvr.c 1.1.1.14.2.1 src/crypto/openssl/ssl/ssl_lib.c 1.1.1.12.2.1 RELENG_6_1 src/UPDATING 1.416.2.22.2.11 src/sys/conf/newvers.sh 1.69.2.11.2.11 src/crypto/openssl/crypto/asn1/tasn_dec.c 1.1.1.2.14.1 src/crypto/openssl/crypto/dh/dh.h 1.1.1.6.16.1 src/crypto/openssl/crypto/dh/dh_err.c 1.1.1.5.6.1 src/crypto/openssl/crypto/dh/dh_key.c 1.1.1.9.6.2 src/crypto/openssl/crypto/dsa/dsa.h 1.1.1.7.6.1 src/crypto/openssl/crypto/dsa/dsa_err.c 1.1.1.4.16.1 src/crypto/openssl/crypto/dsa/dsa_ossl.c 1.1.1.8.6.1 src/crypto/openssl/crypto/rsa/rsa.h 1.11.6.1 src/crypto/openssl/crypto/rsa/rsa_eay.c 1.13.6.1 src/crypto/openssl/crypto/rsa/rsa_err.c 1.1.1.4.16.1 src/crypto/openssl/ssl/s2_clnt.c 1.13.6.1 src/crypto/openssl/ssl/s3_srvr.c 1.1.1.14.6.1 src/crypto/openssl/ssl/ssl_lib.c 1.1.1.12.6.1 RELENG_6_0 src/UPDATING 1.416.2.3.2.19 src/sys/conf/newvers.sh 1.69.2.8.2.15 src/crypto/openssl/crypto/asn1/tasn_dec.c 1.1.1.2.12.1 src/crypto/openssl/crypto/dh/dh.h 1.1.1.6.14.1 src/crypto/openssl/crypto/dh/dh_err.c 1.1.1.5.4.1 src/crypto/openssl/crypto/dh/dh_key.c 1.1.1.9.4.2 src/crypto/openssl/crypto/dsa/dsa.h 1.1.1.7.4.1 src/crypto/openssl/crypto/dsa/dsa_err.c 1.1.1.4.14.1 src/crypto/openssl/crypto/dsa/dsa_ossl.c 1.1.1.8.4.1 src/crypto/openssl/crypto/rsa/rsa.h 1.11.4.1 src/crypto/openssl/crypto/rsa/rsa_eay.c 1.13.4.1 src/crypto/openssl/crypto/rsa/rsa_err.c 1.1.1.4.14.1 src/crypto/openssl/ssl/s2_clnt.c 1.13.4.1 src/crypto/openssl/ssl/s3_srvr.c 1.1.1.14.4.1 src/crypto/openssl/ssl/ssl_lib.c 1.1.1.12.4.1 - ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343 The latest revision of this advisory is available at http://security.FreeBSD.org/advisories/FreeBSD-SA-06:23.openssl.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (FreeBSD) iD8DBQFFHSVwFdaIBMps37IRApTZAJ9YY6pldJ52FwtYHbMxsW5363NUgwCgl4tb 3jFuSkTKR6xVJ6ui4POBjkI= =Bn+e -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Fri Sep 29 14:07:46 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 022E116A4AB for ; Fri, 29 Sep 2006 14:07:46 +0000 (UTC) (envelope-from past@ebs.gr) Received: from fly.ebs.gr (fly.ebs.gr [83.171.239.113]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2A9FE43D62 for ; Fri, 29 Sep 2006 14:07:44 +0000 (GMT) (envelope-from past@ebs.gr) Received: from ebs.gr (root@hal.ebs.gr [10.1.1.2]) by fly.ebs.gr (8.12.9p1/8.12.9) with ESMTP id k8TE7h1T017634 for ; Fri, 29 Sep 2006 17:07:43 +0300 (EEST) (envelope-from past@ebs.gr) Received: from [10.1.1.157] (pc157.ebs.gr [10.1.1.157]) by ebs.gr (8.13.6/8.13.6) with ESMTP id k8TE7hbT032484 for ; Fri, 29 Sep 2006 17:07:43 +0300 (EEST) (envelope-from past@ebs.gr) Received: from 127.0.0.1 (AVG SMTP 7.1.407 [268.12.9/458]); Fri, 29 Sep 2006 17:07:42 +0300 Message-ID: <451D28AE.8090208@ebs.gr> Date: Fri, 29 Sep 2006 17:07:42 +0300 From: Panagiotis Astithas Organization: EBS Ltd. User-Agent: Thunderbird 1.5.0.7 (Windows/20060909) MIME-Version: 1.0 To: freebsd-security@freebsd.org References: <451CE125.8010207@ebs.gr> <451D1489.4040307@ebs.gr> <451D16B8.4090202@freebsd.org> In-Reply-To: <451D16B8.4090202@freebsd.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: [SOLVED] Re: Binary updates for SA-06:23? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Sep 2006 14:07:46 -0000 Colin Percival wrote: > Panagiotis Astithas wrote: >> This would indicate that update #35 is from SA-06:19. Yet, I get no more >> updates: >> >> # freebsd-update fetch >> Fetching updates signature... >> Fetching hash list signature... >> Examining local system... >> No updates available >> >> In case it matters, this is on 6.1-SECURITY/SMP with freebsd-update from >> ports. > > Please send me the output of > > # ls -l /lib/libcrypto.so.4 > # strings /lib/libcrypto.so.4 | grep 2006 > # md5 /lib/libcrypto.so.4 Just for the archives, the problem was solved, thanks to Colin. It turned out to be a proxy issue. Cheers, Panagiotis From owner-freebsd-security@FreeBSD.ORG Sat Sep 30 20:24:48 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AC21D16A417; Sat, 30 Sep 2006 20:24:48 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id E068A43D55; Sat, 30 Sep 2006 20:24:45 +0000 (GMT) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (simon@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k8UKOjB6073326; Sat, 30 Sep 2006 20:24:45 GMT (envelope-from security-advisories@freebsd.org) Received: (from simon@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k8UKOjZN073324; Sat, 30 Sep 2006 20:24:45 GMT (envelope-from security-advisories@freebsd.org) Date: Sat, 30 Sep 2006 20:24:45 GMT Message-Id: <200609302024.k8UKOjZN073324@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: simon set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Cc: Subject: FreeBSD Security Advisory FreeBSD-SA-06:22.openssh X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Reply-To: freebsd-security@freebsd.org List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 30 Sep 2006 20:24:48 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-06:22.openssh Security Advisory The FreeBSD Project Topic: Multiple vulnerabilities in OpenSSH Category: contrib Module: openssh Announced: 2006-09-30 Credits: Tavis Ormandy, Mark Dowd Affects: All FreeBSD releases. Corrected: 2006-09-30 19:50:57 UTC (RELENG_6, 6.2-PRERELEASE) 2006-09-30 19:51:56 UTC (RELENG_6_1, 6.1-RELEASE-p10) 2006-09-30 19:53:21 UTC (RELENG_6_0, 6.0-RELEASE-p15) 2006-09-30 19:54:03 UTC (RELENG_5, 5.5-STABLE) 2006-09-30 19:54:58 UTC (RELENG_5_5, 5.5-RELEASE-p8) 2006-09-30 19:55:52 UTC (RELENG_5_4, 5.4-RELEASE-p22) 2006-09-30 19:56:38 UTC (RELENG_5_3, 5.3-RELEASE-p37) 2006-09-30 19:57:15 UTC (RELENG_4, 4.11-STABLE) 2006-09-30 19:58:07 UTC (RELENG_4_11, 4.11-RELEASE-p25) CVE Name: CVE-2006-4924, CVE-2006-5051 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background OpenSSH is an implementation of the SSH protocol suite, providing an encrypted, authenticated transport for a variety of services, including remote shell access. II. Problem Description The CRC compensation attack detector in the sshd(8) daemon, upon receipt of duplicate blocks, uses CPU time cubic in the number of duplicate blocks received. [CVE-2006-4924] A race condition exists in a signal handler used by the sshd(8) daemon to handle the LoginGraceTime option, which can potentially cause some cleanup routines to be executed multiple times. [CVE-2006-5051] III. Impact An attacker sending specially crafted packets to sshd(8) can cause a Denial of Service by using 100% of CPU time until a connection timeout occurs. Since this attack can be performed over multiple connections simultaneously, it is possible to cause up to MaxStartups (10 by default) sshd processes to use all the CPU time they can obtain. [CVE-2006-4924] The OpenSSH project believe that the race condition can lead to a Denial of Service or potentially remote code execution, but the FreeBSD Security Team has been unable to verify the exact impact. [CVE-2006-5051] IV. Workaround The attack against the CRC compensation attack detector can be avoided by disabling SSH Protocol version 1 support in sshd_config(5). There is no workaround for the second issue. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 4-STABLE, 5-STABLE, or 6-STABLE, or to the RELENG_6_1, RELENG_6_0, RELENG_5_5, RELENG_5_4, RELENG_5_3, or RELENG_4_11 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 4.11, 5.3, 5.4, 5.5, 6.0, and 6.1 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 4.11] # fetch http://security.FreeBSD.org/patches/SA-06:22/openssh4x.patch # fetch http://security.FreeBSD.org/patches/SA-06:22/openssh4x.patch.asc [FreeBSD 5.x] # fetch http://security.FreeBSD.org/patches/SA-06:22/openssh5x.patch # fetch http://security.FreeBSD.org/patches/SA-06:22/openssh5x.patch.asc [FreeBSD 6.x] # fetch http://security.FreeBSD.org/patches/SA-06:22/openssh6x.patch # fetch http://security.FreeBSD.org/patches/SA-06:22/openssh6x.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch # cd /usr/src/secure/lib/libssh # make obj && make depend && make && make install # cd /usr/src/secure/usr.sbin/sshd # make obj && make depend && make && make install c) Restart the SSH daemon. On FreeBSD 5.x and 6.x, this can be done via # /etc/rc.d/sshd restart VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_4 src/crypto/openssh/deattack.c 1.1.1.1.2.6 src/crypto/openssh/deattack.h 1.1.1.1.2.3 src/crypto/openssh/defines.h 1.1.1.2.2.3 src/crypto/openssh/log.c 1.1.1.1.2.6 src/crypto/openssh/log.h 1.1.1.1.2.4 src/crypto/openssh/packet.c 1.1.1.1.2.7 src/crypto/openssh/ssh_config 1.2.2.10 src/crypto/openssh/ssh_config.5 1.4.2.6 src/crypto/openssh/sshd.c 1.6.2.12 src/crypto/openssh/sshd_config 1.4.2.14 src/crypto/openssh/sshd_config.5 1.5.2.8 src/crypto/openssh/version.h 1.1.1.1.2.14 RELENG_4_11 src/UPDATING 1.73.2.91.2.26 src/sys/conf/newvers.sh 1.44.2.39.2.29 src/crypto/openssh/deattack.c 1.1.1.1.2.5.6.1 src/crypto/openssh/deattack.h 1.1.1.1.2.2.10.1 src/crypto/openssh/defines.h 1.1.1.2.2.2.8.1 src/crypto/openssh/log.c 1.1.1.1.2.5.8.1 src/crypto/openssh/log.h 1.1.1.1.2.3.8.1 src/crypto/openssh/packet.c 1.1.1.1.2.6.8.1 src/crypto/openssh/ssh_config 1.2.2.9.6.1 src/crypto/openssh/ssh_config.5 1.4.2.5.6.1 src/crypto/openssh/sshd.c 1.6.2.11.8.1 src/crypto/openssh/sshd_config 1.4.2.13.6.1 src/crypto/openssh/sshd_config.5 1.5.2.7.4.1 src/crypto/openssh/version.h 1.1.1.1.2.13.6.1 RELENG_5 src/crypto/openssh/auth.h 1.13.2.1 src/crypto/openssh/deattack.c 1.1.1.7.2.1 src/crypto/openssh/deattack.h 1.1.1.3.8.1 src/crypto/openssh/defines.h 1.1.1.7.2.1 src/crypto/openssh/log.c 1.1.1.10.2.1 src/crypto/openssh/log.h 1.5.2.1 src/crypto/openssh/packet.c 1.1.1.14.2.1 src/crypto/openssh/session.c 1.44.2.1 src/crypto/openssh/ssh_config 1.25.2.2 src/crypto/openssh/ssh_config.5 1.15.2.2 src/crypto/openssh/sshd.c 1.37.2.1 src/crypto/openssh/sshd_config 1.40.2.2 src/crypto/openssh/sshd_config.5 1.21.2.2 src/crypto/openssh/version.h 1.27.2.2 RELENG_5_5 src/UPDATING 1.342.2.35.2.8 src/sys/conf/newvers.sh 1.62.2.21.2.10 src/crypto/openssh/auth.h 1.13.8.1 src/crypto/openssh/deattack.c 1.1.1.7.14.1 src/crypto/openssh/deattack.h 1.1.1.3.20.1 src/crypto/openssh/defines.h 1.1.1.7.8.1 src/crypto/openssh/log.c 1.1.1.10.8.1 src/crypto/openssh/log.h 1.5.8.1 src/crypto/openssh/packet.c 1.1.1.14.8.1 src/crypto/openssh/session.c 1.44.8.1 src/crypto/openssh/ssh_config 1.25.2.1.2.1 src/crypto/openssh/ssh_config.5 1.15.2.1.2.1 src/crypto/openssh/sshd.c 1.37.8.1 src/crypto/openssh/sshd_config 1.40.2.1.2.1 src/crypto/openssh/sshd_config.5 1.21.2.1.2.1 src/crypto/openssh/version.h 1.27.2.1.2.1 RELENG_5_4 src/UPDATING 1.342.2.24.2.31 src/sys/conf/newvers.sh 1.62.2.18.2.27 src/crypto/openssh/auth.h 1.13.6.1 src/crypto/openssh/deattack.c 1.1.1.7.6.1 src/crypto/openssh/deattack.h 1.1.1.3.12.1 src/crypto/openssh/defines.h 1.1.1.7.6.1 src/crypto/openssh/log.c 1.1.1.10.6.1 src/crypto/openssh/log.h 1.5.6.1 src/crypto/openssh/packet.c 1.1.1.14.6.1 src/crypto/openssh/session.c 1.44.6.1 src/crypto/openssh/ssh_config 1.25.6.2 src/crypto/openssh/ssh_config.5 1.15.6.2 src/crypto/openssh/sshd.c 1.37.6.1 src/crypto/openssh/sshd_config 1.40.6.2 src/crypto/openssh/sshd_config.5 1.21.6.2 src/crypto/openssh/version.h 1.27.6.2 RELENG_5_3 src/UPDATING 1.342.2.13.2.40 src/sys/conf/newvers.sh 1.62.2.15.2.42 src/crypto/openssh/auth.h 1.13.4.1 src/crypto/openssh/deattack.c 1.1.1.7.4.1 src/crypto/openssh/deattack.h 1.1.1.3.10.1 src/crypto/openssh/defines.h 1.1.1.7.4.1 src/crypto/openssh/log.c 1.1.1.10.4.1 src/crypto/openssh/log.h 1.5.4.1 src/crypto/openssh/packet.c 1.1.1.14.4.1 src/crypto/openssh/session.c 1.44.4.1 src/crypto/openssh/ssh_config 1.25.4.2 src/crypto/openssh/ssh_config.5 1.15.4.2 src/crypto/openssh/sshd.c 1.37.4.1 src/crypto/openssh/sshd_config 1.40.4.2 src/crypto/openssh/sshd_config.5 1.21.4.2 src/crypto/openssh/version.h 1.27.4.2 RELENG_6 src/crypto/openssh/auth.h 1.15.2.2 src/crypto/openssh/deattack.c 1.1.1.7.8.1 src/crypto/openssh/deattack.h 1.1.1.3.14.1 src/crypto/openssh/defines.h 1.1.1.9.2.2 src/crypto/openssh/log.c 1.1.1.13.2.1 src/crypto/openssh/log.h 1.6.2.1 src/crypto/openssh/packet.c 1.1.1.16.2.2 src/crypto/openssh/session.c 1.46.2.2 src/crypto/openssh/ssh_config 1.27.2.2 src/crypto/openssh/ssh_config.5 1.17.2.2 src/crypto/openssh/sshd.c 1.39.2.2 src/crypto/openssh/sshd_config 1.42.2.2 src/crypto/openssh/sshd_config.5 1.23.2.2 src/crypto/openssh/version.h 1.30.2.2 RELENG_6_1 src/UPDATING 1.416.2.22.2.12 src/sys/conf/newvers.sh 1.69.2.11.2.12 src/crypto/openssh/auth.h 1.15.2.1.4.1 src/crypto/openssh/deattack.c 1.1.1.7.12.1 src/crypto/openssh/deattack.h 1.1.1.3.18.1 src/crypto/openssh/defines.h 1.1.1.9.2.1.4.1 src/crypto/openssh/log.c 1.1.1.13.6.1 src/crypto/openssh/log.h 1.6.6.1 src/crypto/openssh/packet.c 1.1.1.16.2.1.4.1 src/crypto/openssh/session.c 1.46.2.1.4.1 src/crypto/openssh/ssh_config 1.27.2.1.4.1 src/crypto/openssh/ssh_config.5 1.17.2.1.4.1 src/crypto/openssh/sshd.c 1.39.2.1.4.1 src/crypto/openssh/sshd_config 1.42.2.1.4.1 src/crypto/openssh/sshd_config.5 1.23.2.1.4.1 src/crypto/openssh/version.h 1.30.2.1.4.1 RELENG_6_0 src/UPDATING 1.416.2.3.2.20 src/sys/conf/newvers.sh 1.69.2.8.2.16 src/crypto/openssh/auth.h 1.15.2.1.2.1 src/crypto/openssh/deattack.c 1.1.1.7.10.1 src/crypto/openssh/deattack.h 1.1.1.3.16.1 src/crypto/openssh/defines.h 1.1.1.9.2.1.2.1 src/crypto/openssh/log.c 1.1.1.13.4.1 src/crypto/openssh/log.h 1.6.4.1 src/crypto/openssh/packet.c 1.1.1.16.2.1.2.1 src/crypto/openssh/session.c 1.46.2.1.2.1 src/crypto/openssh/ssh_config 1.27.2.1.2.1 src/crypto/openssh/ssh_config.5 1.17.2.1.2.1 src/crypto/openssh/sshd.c 1.39.2.1.2.1 src/crypto/openssh/sshd_config 1.42.2.1.2.1 src/crypto/openssh/sshd_config.5 1.23.2.1.2.1 src/crypto/openssh/version.h 1.30.2.1.2.1 - ------------------------------------------------------------------------- VII. References http://www.openssh.com/txt/release-4.4 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4924 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5051 The latest revision of this advisory is available at http://security.FreeBSD.org/advisories/FreeBSD-SA-06:22.openssh.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQFFHtD+FdaIBMps37IRAhw8AJ0dNrOCiYVEmqQqePByx/KUrdi+AACeNcB0 T5VfZGGXDv31Py3yxejjhlw= =f1ch -----END PGP SIGNATURE-----