Re: FreeBSD Security Advisory FreeBSD-SA-24:13.openssl

Roy J. Meyers III Wed, 04 Sep 2024 17:12:41 -0700
        

        
            Unsubscribe     - Roy    ---- On Wed, 04 Sep 2024 19:37:24 -0400  
FreeBSD Security Advisories<security-advisor...@freebsd.org> wrote ---- 
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512  
============================================================================= 
FreeBSD-SA-24:13.openssl                                    Security Advisory   
                                                        The FreeBSD Project  
Topic:          Possible DoS in X.509 name checks in OpenSSL  Category:       
contrib Module:         openssl Announced:      2024-09-03 Credits:        
David Benjamin (Google) Affects:        FreeBSD 14.x Corrected:      2024-09-03 
17:09:21 UTC (stable/14, 14.1-STABLE)                 2024-09-04 21:07:35 UTC 
(releng/14.1, 14.1-RELEASE-p4)                 2024-09-04 20:54:20 UTC 
(releng/14.0, 14.0-RELEASE-p10) CVE Name:       CVE-2024-6119  For general 
information regarding FreeBSD Security Advisories, including descriptions of 
the fields above, security branches, and the following sections, please visit 
<URL:https://security.FreeBSD.org/>.  I.   Background  FreeBSD includes 
software from the OpenSSL Project.  The OpenSSL Project is a collaborative 
effort to develop a robust, commercial-grade, full-featured Open Source toolkit 
for the Transport Layer Security (TLS) protocol.  It is also a general-purpose 
cryptography library.  II.  Problem Description  Applications performing 
certificate name checks (e.g., TLS clients checking server certificates) may 
attempt to read an invalid memory address when comparing the expected name with 
an otherName subject alternative name of an X.509 certificate.  Basic 
certificate chain validation is not affected. The issue only occurs when an 
application also specifies an expected DNS name, Email address or IP address.  
III. Impact  Applications affected by the problem may result in a termination, 
leading to a denial of service.  IV.  Workaround  No workaround is available.  
V.   Solution  Upgrade your vulnerable system to a supported FreeBSD stable or 
release / security branch (releng) dated after the correction date.  Perform 
one of the following:  1) To update your vulnerable system via a binary patch:  
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, 
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) 
utility:  # freebsd-update fetch # freebsd-update install  2) To update your 
vulnerable system via a source code patch:  The following patches have been 
verified to apply to the applicable FreeBSD release branches.  a) Download the 
relevant patch from the location below, and verify the detached PGP signature 
using your PGP utility.  # fetch 
https://security.FreeBSD.org/patches/SA-24:13/openssl.patch # fetch 
https://security.FreeBSD.org/patches/SA-24:13/openssl.patch.asc # gpg --verify 
openssl.patch.asc  b) Apply the patch.  Execute the following commands as root: 
 # cd /usr/src # patch < /path/to/patch  c) Recompile the operating system 
using buildworld and installworld as described in 
<URL:https://www.FreeBSD.org/handbook/makeworld.html>.  Restart all daemons 
that use the library, or reboot the system.  VI.  Correction details  This 
issue is corrected as of the corresponding Git commit hash in the following 
stable and release branches:  Branch/path                             Hash      
               Revision - 
------------------------------------------------------------------------- 
stable/14/                              5946b0c6cbc7    stable/14-n268645 
releng/14.1/                            9a5a7c90d5e5  releng/14.1-n267703 
releng/14.0/                            abd3a7939117  releng/14.0-n265440 - 
-------------------------------------------------------------------------  Run 
the following command to see which files were modified by a particular commit:  
# git show --stat <commit hash>  Or visit the following URL, replacing NNNNNN 
with the hash:  <URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>  To 
determine the commit count in a working tree (for comparison against nNNNNNN in 
the table above), run:  # git rev-list --count --first-parent HEAD  VII. 
References  <URL:https://www.cve.org/CVERecord?id=CVE-2024-6119>  The latest 
revision of this advisory is available at 
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-24:13.openssl.asc> 
-----BEGIN PGP SIGNATURE-----  
iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmbY55AACgkQbljekB8A 
Gu/qxQ/9H4Iaao+a5X4aXiV1iU+fT2KSli8fMZKeRw/OOIAztSOHZp7go0noAX65 
SVwsb0fShwqAfDpeZhSjzMjpMmfkwQUkRbMK1SD+zLznSmC1McKF/EIAWrMwr78z 
zDLv497wh26tY+3CUZJQPwkodTvkHnwU0jeUSTjHqC+lOQeOcQ9HwL0T4FsHw4HF 
BJEX/k6uabpXsQe4H9U8C3MbUlOxiKfwFZAxDBhei2zZN/kfAY63iQhVH6/Ls5BG 
ei7TcEF2e6ylhdaLcCxpArRrdql1VQ4SanAGVW4MQ/2s3YpxQYweKGMg4VSZvqXt 
07mBlNHcLepsHK1/qXhDqO/UMO5QsSsH1trwiohmZRQZJp4wXFsGhc102dezDbun 
TEJutKpNsojvWQ01IFcykCkvH2AAGXHJTB8H3jVXhBIU6DuqcmjVc8WXbrdN0vX8 
KcZgI7S5PyQ0WF+ESqR5MHGXx7Qr9uZPKSMvPq0/g2d+6G52/Yw4oZ3rZtqU34iO 
uLq+FApa0Ema3jzxhq89c9oybfADpBDmYsAfqfMqexS+nIuPjeUpcv9gCukr2Of3 
rJDxx2hF/1c/hd83Pp7MKBT/x/4E3vombPjeNeP/sBLhXFSKiVxUDYGYgm6yw3GA 
E7rv33ZJ09RaDGp9jbYaV5rOuEWAZpy42X/LsHjI9W3v0sGCJvU= =JDHd -----END PGP 
SIGNATURE-----
Re: FreeBSD Security Advisory FreeBSD-SA-24:13.openssl

Reply via email to
