Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 25 Mar 2021 16:05:20 -0600
From:      The Doctor <doctor@doctor.nl2k.ab.ca>
To:        Matthew Seaman <matthew@freebsd.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: [matt@openssl.org: [openssl] OpenSSL_1_1_1k create]
Message-ID:  <YF0JIDFtjlTRI5T/@doctor.nl2k.ab.ca>
In-Reply-To: <71cce945-dc94-0fdf-eb3f-718bc0cce195@FreeBSD.org>
References:  <YFyW/cgImoTNzUtt@doctor.nl2k.ab.ca> <71cce945-dc94-0fdf-eb3f-718bc0cce195@FreeBSD.org>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On Thu, Mar 25, 2021 at 03:38:54PM +0000, Matthew Seaman wrote:
> On 25/03/2021 13:58, The Doctor via freebsd-questions wrote:
> > Will the FreeBSD kernel need updating from 10 to 14 ?
> > 
> 
> Given that FreeBSD 10 is well out of support, then yes, if these OpenSSL 
> problems are important for your use case, then you should upgrade.  It 
> might be obvious, but "out of support" means "no more security fixes" -- 
> not everyone seems to get that.
> 
> You don't necessarily have to upgrade all the way to 14 (which isn't 
> even a released version yet) -- there will be fixes for all of the 
> security problems publicised in this OpenSSL release, even if that 
> doesn't go as far as importing OpenSSL 1.1.1k on all branches.
>

Here is the full details

NULL pointer deref in signature_algorithms processing (CVE-2021-3449)
=====================================================================
        
	Severity: High

	An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation
	ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits
	the signature_algorithms extension (where it was present in the initial
	ClientHello), but includes a signature_algorithms_cert extension then a NULL
	pointer dereference will result, leading to a crash and a denial of service
	attack.

	A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which
	is the default configuration). OpenSSL TLS clients are not impacted by this
	issue.

	All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions
	should upgrade to OpenSSL 1.1.1k.

	OpenSSL 1.0.2 is not impacted by this issue.

	This issue was reported to OpenSSL on 17th March 2021 by Nokia. The fix was
	developed by Peter K??stle and Samuel Sapalski from Nokia.

	Note
	====

	OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended
	support is available for premium support customers:
	https://www.openssl.org/support/contracts.html

	OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind.
	The impact of these issues on OpenSSL 1.1.0 has not been analysed.

	Users of these versions should upgrade to OpenSSL 1.1.1.

	References
	==========

	URL for this Security Advisory:
	https://www.openssl.org/news/secadv/20210325.txt

	Note: the online version of the advisory may be updated with additional details
	over time.

	For details of OpenSSL severity classifications please see:
	https://www.openssl.org/policies/secpolicy.html
	-----BEGIN PGP SIGNATURE-----

> 	Cheers,
> 
> 	Matthew
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

-- 
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism https://www.empire.kred/ROOTNK?t=94a1f39b  
The more polluted the mind, the more it thinks it knows good judgement.-unknown



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?YF0JIDFtjlTRI5T/>