Date: Wed, 14 May 2014 12:43:04 +0200 (CEST) From: Mohacsi Janos <mohacsi@niif.hu> To: freebsd-security@freebsd.org Subject: freebsd-update on Re: FreeBSD Security Advisory FreeBSD-SA-14:10.openssl Message-ID: <alpine.DEB.2.00.1405141238260.27781@strudel.ki.iif.hu> In-Reply-To: <201405140000.s4E0023k029906@freefall.freebsd.org> References: <201405140000.s4E0023k029906@freefall.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Dear All, The freebsd-update a bit suspicious: " root@skye:/usr/home/mohacsi # freebsd-update fetch Looking up update.FreeBSD.org mirrors... 5 mirrors found. Fetching metadata signature for 10.0-RELEASE from update3.freebsd.org... done. Fetching metadata index... done. Fetching 2 metadata patches.. done. Applying metadata patches... done. Inspecting system... done. Preparing to download files... done. Fetching 11 patches.....10 done. Applying patches... done. The following files will be updated as part of updating to 10.0-RELEASE-p3: /bin/freebsd-version /boot/kernel/ciss.ko /boot/kernel/ciss.ko.symbols /boot/kernel/kernel /boot/kernel/kernel.symbols /usr/lib/libssl.a /usr/lib/libssl.so.7 /usr/lib/libssl_p.a /usr/lib32/libssl.a /usr/lib32/libssl.so.7 /usr/lib32/libssl_p.a " It seems to me the ciss(4) also updated. Is it intentional? Is it harmless? Regards, Janos Mohacsi Key 70EF9882: DEC2 C685 1ED4 C95A 145F 4300 6F64 7B00 70EF 9882 On Wed, 14 May 2014, FreeBSD Security Advisories wrote: > ----- Topal: Output generated on Wed May 14 12:38:26 CEST 2014 > ----- Topal: GPG output starts ----- > gpg: Signature made Wed May 14 01:44:08 2014 CEST using RSA key ID 5DCF6AE7 > gpg: Can't check signature: public key not found > ----- Topal: GPG output ends ----- > ----- Topal: Original message starts ----- > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > ============================================================================= > FreeBSD-SA-14:10.openssl Security Advisory > The FreeBSD Project > > Topic: OpenSSL NULL pointer deference vulnerability > > Category: contrib > Module: openssl > Announced: 2014-05-13 > Affects: FreeBSD 10.x. > Corrected: 2014-05-13 23:19:16 UTC (stable/10, 10.0-STABLE) > 2014-05-13 23:22:28 UTC (releng/10.0, 10.0-RELEASE-p3) > CVE Name: CVE-2014-0198 > > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit <URL:http://security.FreeBSD.org/>. > > I. Background > > FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is > a collaborative effort to develop a robust, commercial-grade, full-featured > Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) > and Transport Layer Security (TLS v1) protocols as well as a full-strength > general purpose cryptography library. > > The TLS protocol supports an alert protocol which can be used to signal the > other party with certain failures in the protocol context that may require > immediate termination of the connection. > > II. Problem Description > > An attacker can trigger generation of an SSL alert which could cause a null > pointer deference. > > III. Impact > > An attacker may be able to cause a service process that uses OpenSSL to crash, > which can be used in a denial-of-service attack. > > IV. Workaround > > No workaround is available, but systems that do not use OpenSSL to implement > the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) > protocols, or not using SSL_MODE_RELEASE_BUFFERS and use the same process > to handle multiple SSL connections, are not vulnerable. > > The FreeBSD base system service daemons and utilities do not use the > SSL_MODE_RELEASE_BUFFERS mode. However, many third party software uses this > mode to reduce their memory footprint and may therefore be affected by this > issue. > > V. Solution > > Perform one of the following: > > 1) Upgrade your vulnerable system to a supported FreeBSD stable or > release / security branch (releng) dated after the correction date. > > 2) To update your vulnerable system via a source code patch: > > The following patches have been verified to apply to the applicable > FreeBSD release branches. > > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. > > # fetch http://security.FreeBSD.org/patches/SA-14:10/openssl.patch > # fetch http://security.FreeBSD.org/patches/SA-14:10/openssl.patch.asc > # gpg --verify openssl.patch.asc > > b) Execute the following commands as root: > > # cd /usr/src > # patch < /path/to/patch > > Recompile the operating system using buildworld and installworld as > described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>. > > Restart all deamons using the library, or reboot the system. > > 3) To update your vulnerable system via a binary patch: > > Systems running a RELEASE version of FreeBSD on the i386 or amd64 > platforms can be updated via the freebsd-update(8) utility: > > # freebsd-update fetch > # freebsd-update install > > VI. Correction details > > The following list contains the correction revision numbers for each > affected branch. > > Branch/path Revision > - ------------------------------------------------------------------------- > stable/10/ r265986 > releng/10.0/ r265987 > - ------------------------------------------------------------------------- > > To see which files were modified by a particular revision, run the > following command, replacing NNNNNN with the revision number, on a > machine with Subversion installed: > > # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base > > Or visit the following URL, replacing NNNNNN with the revision number: > > <URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>; > > VII. References > > <URL:http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/005_openssl.patch.sig>; > > <URL:https://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=3321>; > > <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198>; > > The latest revision of this advisory is available at > <URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:10.openssl.asc>; > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v2.0.22 (FreeBSD) > > iQIcBAEBCgAGBQJTcq5IAAoJEO1n7NZdz2rnNb4QAODp1Pxk3GlTwlptWQkC+DJb > bwd2RRtkvkz677JIbdtyM7b5POgUih/NtAF9Yyy/pg8IJcSRiv0f7F5L+maV9nee > KGb27zizWOgIqor6HhRAv2OniVN271OfoyCkt0xRmigBR6dQ80iBVuCk6McvxvjL > 5Yfw8wtfF8zAo5p1d4V3EEPOIVPwgJ31YnB/sVv+SyV6Ldl5DS0Gp1Cm9KjvaJUI > CUIljIaH6AFuzs671V4DpuFPtFPIsvGUhEdpf6+ypVJN1J/D+BNRvoIX1zxou4Kf > 34qB6cs/LlyBKCPctK/qLU7UScNsuUItpWrw5ESHFHdgsTr8XA9POxU72wlCRCoQ > T2A6zIqPQRgCWfrPnmJNwLN9riMQGc2oFBXd19iITyc8/7OcXAFnzIy+zu++jZp6 > rMwGIUCg5UKkSGVWnoYyS/1SQRYqi4MzUqC/AwpQHKoE5CqUzVCJ7zGTFcsie0o4 > wfWoFlkgbNl0Attn4HLuXncjvGVCMeWqUERKBU7xIxC1D5PKXF5QmCUqlZrddBaw > ATIFsPEopu2bX/+sbgcGKSF5WAWwdT92vIgarjW3UkKDYihRNKusrOwp3sue7Iw+ > QIweOaJLqpSnfQ3me62I3fWYjRwceeASeTx7dYdxrK1Dx5DnlN8gGwwhl/7cvoWe > Xm6DqYXeQRsIxZ7Ng/PO > =4EYM > -----END PGP SIGNATURE----- > ----- Topal: Original message ends ----- > _______________________________________________ > freebsd-security-notifications@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications > To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@freebsd.org" >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?alpine.DEB.2.00.1405141238260.27781>