From: The Doctor
To: Matthew Seaman
Cc: freebsd-questions@freebsd.org
Subject: Re: [matt@openssl.org: [openssl] OpenSSL_1_1_1k create]
Date: Thu, 25 Mar 2021 16:05:20 -0600

On Thu, Mar 25, 2021 at 03:38:54PM +0000, Matthew Seaman wrote:
> On 25/03/2021 13:58, The Doctor via freebsd-questions wrote:
> > Will the FreeBSD kernel need updating from 10 to 14 ?
> >
>
> Given that FreeBSD 10 is well out of support, then yes, if these OpenSSL
> problems are important for your use case, then you should upgrade. It
> might be obvious, but "out of support" means "no more security fixes" --
> not everyone seems to get that.
>
> You don't necessarily have to upgrade all the way to 14 (which isn't
> even a released version yet) -- there will be fixes for all of the
> security problems publicised in this OpenSSL release, even if that
> doesn't go as far as importing OpenSSL 1.1.1k on all branches.
>

Here are the full details:

NULL pointer deref in signature_algorithms processing (CVE-2021-3449)
=====================================================================

Severity: High

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation
ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits
the signature_algorithms extension (where it was present in the initial
ClientHello), but includes a signature_algorithms_cert extension then a NULL
pointer dereference will result, leading to a crash and a denial of service
attack.

A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which
is the default configuration). OpenSSL TLS clients are not impacted by this
issue.

All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions
should upgrade to OpenSSL 1.1.1k.

OpenSSL 1.0.2 is not impacted by this issue.

This issue was reported to OpenSSL on 17th March 2021 by Nokia. The fix was
developed by Peter Kästle and Samuel Sapalski from Nokia.

Note
====

OpenSSL 1.0.2 is out of support and no longer receiving public updates.
Extended support is available for premium support customers:
https://www.openssl.org/support/contracts.html

OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind.
The impact of these issues on OpenSSL 1.1.0 has not been analysed.

Users of these versions should upgrade to OpenSSL 1.1.1.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20210325.txt

Note: the online version of the advisory may be updated with additional
details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html

> Cheers,
>
> Matthew

--
Member - Liberal International
This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country! Never Satan President Republic! Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism https://www.empire.kred/ROOTNK?t=94a1f39b
The more polluted the mind, the more it thinks it knows good judgement. -unknown
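An added example, not part of this thread or of the OpenSSL advisory: a Python check that encodes the advisory's affected/fixed matrix for CVE-2021-3449, reads the OpenSSL version the running interpreter is linked against, and builds a server-side `SSLContext` that removes the two preconditions the advisory names (renegotiation enabled, TLSv1.2 enabled). The function names are mine; `ssl.OP_NO_RENEGOTIATION` is only present when Python was built against a sufficiently recent OpenSSL, so the code probes for it.

```python
import re
import ssl

# Affected matrix as stated in the advisory: every 1.1.1 release before
# 1.1.1k is affected, 1.0.2 is not affected, 1.1.0 was not analysed.
# Matches a leading "major.minor.fix" plus an optional patch letter.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)")


def cve_2021_3449_status(version):
    """Classify an OpenSSL version string such as '1.1.1j' against the advisory."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % (version,))
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    patch = m.group(4)  # '' for the base 1.1.1 release, 'a'..'z' afterwards
    if (major, minor, fix) == (1, 1, 1):
        # '' < 'k' in string order, so the base release is classed as affected.
        return "affected" if patch < "k" else "fixed"
    if (major, minor, fix) == (1, 0, 2):
        return "not affected"
    if (major, minor, fix) == (1, 1, 0):
        return "not analysed (out of support)"
    return "not covered by this advisory"


def runtime_openssl_version():
    """Version token of the linked library, e.g. 'OpenSSL 1.1.1k  25 Mar 2021' -> '1.1.1k'."""
    return ssl.OPENSSL_VERSION.split()[1]


def hardened_server_context(tls13_only=False):
    """Server context with renegotiation refused; optionally TLS 1.3 only.

    The advisory says a server is vulnerable only with TLSv1.2 *and*
    renegotiation enabled, so disabling either one removes the crash path
    while a patched library is being rolled out.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)  # 0 if the build lacks it
    if tls13_only and ssl.HAS_TLSv1_3:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def renegotiation_disabled(ctx):
    """True/False when the build exposes OP_NO_RENEGOTIATION, None when it does not."""
    flag = getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    return bool(ctx.options & flag) if flag else None
```

Run `cve_2021_3449_status(runtime_openssl_version())` on each host to see whether the linked library falls in the affected range; `hardened_server_context()` is the interim setting for servers that cannot be upgraded immediately.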