On 9/4/2024 9:27 AM, Wall, Stephen wrote:
Possible denial of service in X.509 name checks (CVE-2024-6119)
Is this something we need to concern ourselves with?
Since no one else is chiming in, I'll provide my feeble thoughts. As I read
it, it primarily affects outgoing TLS connections. I.e., curl, wget, et al,
and possibly (and more importantly IMO) apache/nginx proxying to another
server. Speculating here: this could affect high volume web services where
security is enough of a concern that the operators have enabled certificate
name checks.
As a commercial user of FreeBSD with security-conscious customers, I would
certainly like to see it fixed in a FreeBSD patch release, but in all honesty
we could easily enough apply the OpenSSL patches to our FreeBSD source tree
ourselves.
It seems to be worked on. The fix is already in the tree as of
yesterday.
https://cgit.freebsd.org/src/commit/?id=fbd465f263400d3bc6c1a5c30857a76738c64396
I imagine there will be a SA in the near future.
---Mike