Date: Mon, 20 Oct 2014 13:35:50 +0200 From: "Ronald Klop" <ronald-lists@klop.ws> To: freebsd-stable@freebsd.org Subject: Re: Fwd: FreeBSD Security Advisory FreeBSD-SA-14:18.openssl Message-ID: <op.xn0050wxkndu52@ronaldradial.radialsg.local> In-Reply-To: <CAOgxTUh7p7Du9rngwnsk%2BGXq1NN9UqjBPoOrK=OH%2Bmah1sDyGQ@mail.gmail.com> References: <201409091104.s89B4uhi067535@freefall.freebsd.org> <CAOgxTUh7p7Du9rngwnsk%2BGXq1NN9UqjBPoOrK=OH%2Bmah1sDyGQ@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Install port security/ca_root_nss and use: fetch --ca-cert=/usr/local/share/certs/ca-root-nss.crt http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch That works. And still checks validity of the https server as long as you trust the ca_root_nss port. But I think it is kind of lame the default certificates from base don't work out of the box. Ronald. On Mon, 20 Oct 2014 12:22:32 +0200, tethys ocean <tethys.ocean@gmail.com> wrote: > I am using FreeBSD 10.0-STABLE on my servers. But according to this > mail > I tried > > [FreeBSD 10.0] > # fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch > # fetch > http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch.asc > # gpg --verify openssl-10.0.patch.asc > > But my server say this below: > > fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch > Certificate verification failed for /C=US/ST=UT/L=Salt Lake City/O=The > USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware > 675119676:error:14090086:SSL > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify > failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1180: > fetch: http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch: > Authentication error > > What should I do ? > > thanx > > > > ---------- Forwarded message ---------- > From: FreeBSD Security Advisories <security-advisories@freebsd.org> > Date: Tue, Sep 9, 2014 at 2:04 PM > Subject: FreeBSD Security Advisory FreeBSD-SA-14:18.openssl > To: FreeBSD Security Advisories <security-advisories@freebsd.org> > > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > ============================================================================= > FreeBSD-SA-14:18.openssl Security > Advisory > The FreeBSD > Project > > Topic: OpenSSL multiple vulnerabilities > > Category: contrib > Module: openssl > Announced: 2014-09-09 > Affects: All supported versions of FreeBSD. > Corrected: 2014-08-07 21:04:42 UTC (stable/10, 10.0-STABLE) > 2014-09-09 10:09:46 UTC (releng/10.0, 10.0-RELEASE-p8) > 2014-08-07 21:06:34 UTC (stable/9, 9.3-STABLE) > 2014-09-09 10:13:46 UTC (releng/9.3, 9.3-RELEASE-p1) > 2014-09-09 10:13:46 UTC (releng/9.2, 9.2-RELEASE-p11) > 2014-09-09 10:13:46 UTC (releng/9.1, 9.1-RELEASE-p18) > 2014-08-07 21:06:34 UTC (stable/8, 8.4-STABLE) > 2014-09-09 10:13:46 UTC (releng/8.4, 8.4-RELEASE-p15) > CVE Name: CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, > CVE-2014-3510, > CVE-2014-3509, CVE-2014-3511, CVE-2014-3512, > CVE-2014-5139 > > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit <URL:http://security.FreeBSD.org/>. > > I. Background > > FreeBSD includes software from the OpenSSL Project. The OpenSSL Project > is > a collaborative effort to develop a robust, commercial-grade, > full-featured > Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) > and Transport Layer Security (TLS v1) protocols as well as a > full-strength > general purpose cryptography library. > > II. Problem Description > > The receipt of a specifically crafted DTLS handshake message may cause > OpenSSL > to consume large amounts of memory. [CVE-2014-3506] > > The receipt of a specifically crafted DTLS packet could cause OpenSSL to > leak > memory. [CVE-2014-3507] > > A flaw in OBJ_obj2txt may cause pretty printing functions such as > X509_name_oneline, X509_name_print_ex et al. to leak some information > from > the stack. [CVE-2014-3508] > > OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject > to > a denial of service attack. [CVE-2014-3510] > > The following problems affect FreeBSD 10.0-RELEASE and later: > > If a multithreaded client connects to a malicious server using a resumed > session and the server sends an ec point format extension it could write > up to 255 bytes to freed memory. [CVE-2014-3509] > > A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate > TLS 1.0 instead of higher protocol versions when the ClientHello message > is badly fragmented. [CVE-2014-3511] > > A malicious client or server can send invalid SRP parameters and overrun > an internal buffer. [CVE-2014-3512] > > A malicious server can crash the client with a NULL pointer dereference > by > specifying a SRP ciphersuite even though it was not properly negotiated > with the client. [CVE-2014-5139] > > III. Impact > > A remote attacker may be able to cause a denial of service (application > crash, large memory consumption), obtain additional information, > cause protocol downgrade. Additionally, a remote attacker may be able > to run arbitrary code on a vulnerable system if the application has been > set up for SRP. > > IV. Workaround > > No workaround is available. > > V. Solution > > Perform one of the following: > > 1) Upgrade your vulnerable system to a supported FreeBSD stable or > release / security branch (releng) dated after the correction date. > > 2) To update your vulnerable system via a source code patch: > > The following patches have been verified to apply to the applicable > FreeBSD release branches. > > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. > > [FreeBSD 10.0] > # fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch > # fetch > http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch.asc > # gpg --verify openssl-10.0.patch.asc > > [FreeBSD 9.3] > # fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-9.3.patch > # fetch > http://security.FreeBSD.org/patches/SA-14:18/openssl-9.3.patch.asc > # gpg --verify openssl-9.3.patch.asc > > [FreeBSD 9.2, 9.1, 8.4] > # fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-9.patch > # fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-9.patch.asc > # gpg --verify openssl-9.patch.asc > > b) Apply the patch. Execute the following commands as root: > > # cd /usr/src > # patch < /path/to/patch > > c) Recompile the operating system using buildworld and installworld as > described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>. > > Restart all deamons using the library, or reboot the system. > > 3) To update your vulnerable system via a binary patch: > > Systems running a RELEASE version of FreeBSD on the i386 or amd64 > platforms can be updated via the freebsd-update(8) utility: > > # freebsd-update fetch > # freebsd-update install > > VI. Correction details > > The following list contains the correction revision numbers for each > affected branch. > > Branch/path Revision > - > ------------------------------------------------------------------------- > stable/8/ r269687 > releng/8.4/ r271305 > stable/9/ r269687 > releng/9.1/ r271305 > releng/9.2/ r271305 > releng/9.3/ r271305 > stable/10/ r269686 > releng/10.0/ r271304 > - > ------------------------------------------------------------------------- > > To see which files were modified by a particular revision, run the > following command, replacing NNNNNN with the revision number, on a > machine with Subversion installed: > > # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base > > Or visit the following URL, replacing NNNNNN with the revision number: > > <URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> > > VII. References > > <URL:https://www.openssl.org/news/secadv_20140806.txt> > > <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3506> > > <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3507> > > <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3508> > > <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3509> > > <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3510> > > <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3511> > > <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3512> > > <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5139> > > The latest revision of this advisory is available at > <URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:18.openssl.asc> > -----BEGIN PGP SIGNATURE----- > > iQIcBAEBCgAGBQJUDtUBAAoJEO1n7NZdz2rnOUoP/jNoEEPVt1RoVPQoOQc6vno5 > 2HXcCDsu0ql3kCNIIZ7E6TddfduzV04EMzBrIgulg7eXft+Lnx6HlEgJOo7QLImc > aWLWxjcbyby6wrbYOc+FLK11yx9/uZJF0VCdSeyzhy0EFD3tOZPsDMXKZmG7FRkg > 6A7ENJU25Mx8V1myzHw/VfDwAHCtXHliFVVE0CUku55pYnlhMeetu/wuB6KYbmgV > 1WUamiHEGl4Dh4Up7nGHYYm32kqZLaE+cf1Ovc2VGT98ZyXmCgDB4+8kkA/HZxxp > DRgQlojeQhahee5MmzD+wMJXlq6dekoo+JVf22+Nb+oNmlKT6/UxtUhCwW11MLUV > rnOMr3u1JCNvBc+3KroSmtFeEtqh7jx3Ag4w8lS5mJO+wX1/lilbsFxSS/9G65fy > LqHUQSxkuDJ1bNzPfKreBPyUmQlG5t/3DonIDCF9r3sefDN+kxqe1+RwjdNRM0ov > V7OH/AW1NBQtV/F/h0tKCcskvcJo9Q+inAohheLPnWkFj7F2tLNt5TAxsGy7WvFZ > MuQSAXpZkdh7OkhAhBM3Xk+EOv7Qk7zZL5HJ1Lpm6kfJ8wSb4etoUV7oELaDMBz8 > +9r+Vr9GtjSsec2a4tjNIixZKV9bzEhgKP5gsWD/JewhAzF+0bYNa9snOWxzpAYb > j+eW9IT7pEAJK9DtIsDd > =f4To > -----END PGP SIGNATURE----- > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to > "freebsd-security-unsubscribe@freebsd.org" > >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?op.xn0050wxkndu52>