Date: Thu, 9 Jul 2015 17:29:13 +0000 (UTC)
From: Xin LI <delphij@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r46942 - in head/share: security/advisories xml
Message-ID: <201507091729.t69HTDw1072117@repo.freebsd.org>
Author: delphij
Date: Thu Jul 9 17:29:12 2015
New Revision: 46942
URL: https://svnweb.freebsd.org/changeset/doc/46942

Log:
Add SA-15:12.openssl for today's OpenSSL advisory. Note that this affects -STABLE only so no patch is associated with it.

Added:
head/share/security/advisories/FreeBSD-SA-15:12.openssl.asc (contents, props changed)
Modified:
head/share/xml/advisories.xml

Added: head/share/security/advisories/FreeBSD-SA-15:12.openssl.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-15:12.openssl.asc Thu Jul 9 17:29:12 2015 (r46942)
@@ -0,0 +1,110 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-15:12.openssl Security Advisory + The FreeBSD Project + +Topic: OpenSSL alternate chains certificate forgery vulnerability + +Category: contrib +Module: openssl +Announced: 2015-07-09 +Credits: Adam Langley/David Benjamin (Google/BoringSSL), OpenSSL +Affects: FreeBSD 10.1-STABLE after 2015-06-11 and prior to the + correction date. +Corrected: 2015-07-09 17:17:22 UTC (stable/10, 10.2-PRERELEASE, + 10.2-BETA1) +CVE Name: CVE-2015-1793 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is +a collaborative effort to develop a robust, commercial-grade, full-featured +Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) +and Transport Layer Security (TLS v1) protocols as well as a full-strength +general purpose cryptography library. + +II. Problem Description + +During certificate verification, OpenSSL will attempt to find an alternative +certificate chain if the first attempt to build such a chain fails, unless +the application explicitly specifies X509_V_FLAG_NO_ALT_CHAINS. + +An error in the implementation of this logic could erroneously mark +certificate as trusted when they should not. + +III. Impact + +An attacker could cause certain checks on untrusted certificates, such as the +CA (certificate authority) flag, to be bypassed, which would enable them to +use a valid leaf certificate to act as a CA and issue an invalid certificate. + +IV. Workaround + +No workaround is available. 
+ +NOTE WELL: This issue does not affect earlier FreeBSD releases, including the +supported 8.4, 9.3 and 10.1-RELEASE because the alternative certificate chain +feature was not introduced in these releases. Only 10.1-STABLE after +2015-06-11 and prior to the correction date is affected. + +V. Solution + +Upgrade your vulnerable system to the latest supported FreeBSD stable/10 +branch dated after the correction date. + +Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart all deamons using the library, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r285330 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +<URL:https://www.openssl.org/news/secadv_20150709.txt> + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1793> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:12.openssl.asc> +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.6 (FreeBSD) + +iQIcBAEBCgAGBQJVnq6lAAoJEO1n7NZdz2rntOsP/A07ZJWDt2DpN5h2En0fE+tL +tIB2uSV0pcoUAZExLjft5IDMau/zbZd/JFXczR5RRollu0jaETcpWYzXzjtAQ4IG +ZEKwvjdThN0naKk0F0DOjAm84ukIds9zR4JZ2KpJmzZnChzZYoF21ZkGPBMMlVhZ +4T9GNTiphdz3HsWx57r2WSapMlys0U0f32xOfYr1iUMRVkNNJfnkFSSxA2MEwuBl +/HzVLYOpVEGn/V3I+USQ1KmwMhTtJ+JY6WQlv0k/UKgrQHjdsKjoDwMwWT7UJgPZ +j7bvYKftXMYl22KDTlyvZA1c0YZ8kyP9bd+dz6NogCgiNUcIux/wTgMmbnbauZXb +pV+MAAAXKfeUoU94qXRD0QHRDXYt34buSswTtPI3LuVeLkqVk/ZdQATZYqMmCcCZ +4XNtdefKN/HZIq9Lx5N1F1a4MQn3MgbNPUNRfDLtwDFp2w9nMA2XoP8j4oLHul3z +umFwrEDtO8yojjj6qFGaAjpKktwYfq7/+ISFTYFpWLO3pb2QUw+3S+rWmrclyyd9 +xMOt2+tMpq46ESydmDSBXkgEQ6yL5XWA4FY+6VvWJrhM49DiP+FzpxZMpAKDHFmf +55L1mjSttHxU3G6/b1VPkRnphgqG03j1+nmyL+fIjHGa1ojvInzxuGcDgAJvUWkc +kMEkVjlnca3CDs5zADOX +=iBF6 +-----END PGP SIGNATURE----- Modified: head/share/xml/advisories.xml ============================================================================== --- head/share/xml/advisories.xml Wed Jul 8 21:01:40 2015 (r46941) +++ head/share/xml/advisories.xml Thu Jul 9 17:29:12 2015 (r46942) @@ -11,6 +11,14 @@ <name>7</name> <day> + <name>9</name> + + <advisory> + <name>FreeBSD-SA-15:12.openssl</name> + </advisory> + </day> + + <day> <name>7</name> <advisory>
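Review bot: Section IV of the new advisory says "No workaround is available.", but section II of the same file states that the alternative-chain search runs "unless the application explicitly specifies X509_V_FLAG_NO_ALT_CHAINS"; consider stating in IV that applications which set that verification flag do not reach the affected chain-building logic, while noting that it is a per-application flag most programs leave unset, so the library fix in V remains the real remedy. Two wording fixes in the same hunk: "could erroneously mark certificate as trusted when they should not" should read "certificates", and "Restart all deamons using the library" should read "daemons".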