FreeBSD Security Advisory FreeBSD-SA-15:06.openssl [REVISED]
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 = FreeBSD-SA-15:06.opensslSecurity Advisory The FreeBSD Project Topic: Multiple OpenSSL vulnerabilities Category: contrib Module: openssl Announced: 2015-03-19; Last revised on 2015-03-20. Affects:All supported versions of FreeBSD. Corrected: 2015-03-20 07:11:20 UTC (stable/10, 10.1-STABLE) 2015-03-20 07:12:02 UTC (releng/10.1, 10.1-RELEASE-p8) 2015-03-20 07:11:20 UTC (stable/9, 9.3-STABLE) 2015-03-20 07:12:02 UTC (releng/9.3, 9.3-RELEASE-p12) 2015-03-20 07:11:20 UTC (stable/8, 8.4-STABLE) 2015-03-20 07:12:02 UTC (releng/8.4, 8.4-RELEASE-p26) CVE Name: CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0293 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit https://security.FreeBSD.org/>. 0. Revision history v1.0 2015-03-19 Initial release. v1.1 2015-03-20 Reverted a portion of change that should not belong to the advisory and did not end up in the final OpenSSL release. The patch is also revised to include fixes for CVE-2015-0209 and CVE-2015-0288. I. Background FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. Abstract Syntax Notation One (ASN.1) is a standard and notation that describes rules and structures for representing, encoding, transmitting, and decoding data in telecommunications and computer networking, which enables representation of objects that are independent of machine-specific encoding technique. II. Problem Description A malformed elliptic curve private key file could cause a use-after-free condition in the d2i_ECPrivateKey function. [CVE-2015-0209] An attempt to compare ASN.1 boolean types will cause the ASN1_TYPE_cmp function to crash with an invalid read. [CVE-2015-0286] Reusing a structure in ASN.1 parsing may allow an attacker to cause memory corruption via an invalid write. [CVE-2015-0287] The function X509_to_X509_REQ will crash with a NULL pointer dereference if the certificate key is invalid. [CVE-2015-0288] The PKCS#7 parsing code does not handle missing outer ContentInfo correctly. [CVE-2015-0289] A malicious client can trigger an OPENSSL_assert in servers that both support SSLv2 and enable export cipher suites by sending a specially crafted SSLv2 CLIENT-MASTER-KEY message. [CVE-2015-0293] III. Impact A malformed elliptic curve private key file can cause server daemons using OpenSSL to crash, resulting in a Denial of Service. [CVE-2015-0209] A remote attacker who is able to send specifically crafted certificates may be able to crash an OpenSSL client or server. [CVE-2015-0286] An attacker who can cause invalid writes with applications that parse structures containing CHOICE or ANY DEFINED BY components and reusing the structures may be able to cause them to crash. Such reuse is believed to be rare. OpenSSL clients and servers are not affected. [CVE-2015-0287] An attacker may be able to crash applications that create a new certificate request with subject name the same as in an existing, specifically crafted certificate. This usage is rare in practice. [CVE-2015-0288] An attacker may be able to crash applications that verify PKCS#7 signatures, decrypt PKCS#7 data or otherwise parse PKCS#7 structures with specifically crafted certificates. [CVE-2015-0289] A malicious client can trigger an OPENSSL_assert in servers that both support SSLv2 and enable export cipher suites by sending a carefully crafted SSLv2 CLIENT-MASTER-KEY message, resulting in a Denial of Service. [CVE-2015-0293] Note that two issues in the original OpenSSL advisory, CVE-2015-0204 and CVE-2015-0292, were already addressed by FreeBSD-SA-15:01.openssl and FreeBSD-EN-15:02.openssl. IV. Workaround No workaround is available. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 3) To update your vulnerable system via a source code patch: The following patches have been verified to app
Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-15:06.openssl [REVISED]
On Fri, 20-Mar-2015 at 07:29:44 +, FreeBSD Security Advisories wrote: > = > FreeBSD-SA-15:06.opensslSecurity Advisory > The FreeBSD Project > ... > > # fetch > https://security.FreeBSD.org/patches/SA-15:06/openssl-0.9.8-errata.patch Page not found, see attachment. Regards, -Andre ___ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
Failure on 10.0? Re: FreeBSD Security Advisory FreeBSD-SA-15:06.openssl [REVISED]
# sudo freebsd-update fetch Looking up update.FreeBSD.org mirrors... 5 mirrors found. Fetching metadata signature for 10.0-RELEASE from update6.freebsd.org... done. Fetching metadata index... done. Inspecting system... done. Preparing to download files... done. The following files will be added as part of updating to 10.0-RELEASE-p18: /usr/src/contrib/tzdata/zone1970.tab /usr/src/crypto/openssl/crypto/constant_time_locl.h /usr/src/crypto/openssl/crypto/constant_time_test.c /usr/src/crypto/openssl/doc/apps/c_rehash.pod /usr/src/crypto/openssl/doc/crypto/CMS_add1_signer.pod /usr/src/crypto/openssl/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod /usr/src/crypto/openssl/ssl/heartbeat_test.c /usr/src/crypto/openssl/ssl/ssl_utst.c /usr/src/crypto/openssl/util/mkbuildinf.pl /usr/src/secure/lib/libcrypto/man/CMS_add1_signer.3 /usr/src/secure/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3 /usr/src/secure/usr.bin/openssl/man/c_rehash.1 WARNING: FreeBSD 10.0-RELEASE-p18 HAS PASSED ITS END-OF-LIFE DATE. Any security issues discovered after Sat Feb 28 19:00:00 EST 2015 will not have been corrected. # sudo freebsd-update install Installing updates...install: ///usr/src/contrib/tzdata/zone1970.tab: No such file or directory install: ///usr/src/crypto/openssl/crypto/constant_time_locl.h: No such file or directory install: ///usr/src/crypto/openssl/crypto/constant_time_test.c: No such file or directory install: ///usr/src/crypto/openssl/doc/apps/c_rehash.pod: No such file or directory install: ///usr/src/crypto/openssl/doc/crypto/CMS_add1_signer.pod: No such file or directory install: ///usr/src/crypto/openssl/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod: No such file or directory install: ///usr/src/crypto/openssl/ssl/heartbeat_test.c: No such file or directory install: ///usr/src/crypto/openssl/ssl/ssl_utst.c: No such file or directory install: ///usr/src/crypto/openssl/util/mkbuildinf.pl: No such file or directory install: ///usr/src/secure/lib/libcrypto/man/CMS_add1_signer.3: No such file or directory install: ///usr/src/secure/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3: No such file or directory install: ///usr/src/secure/usr.bin/openssl/man/c_rehash.1: No such file or directory done. It doesn't look like OpenSSL got updated, and it looks like a bunch of the attempted updates failed. Was this advisory tested on 10.0? --Paul Hoffman signature.asc Description: Message signed with OpenPGP using GPGMail
Re: Failure on 10.0? Re: FreeBSD Security Advisory FreeBSD-SA-15:06.openssl [REVISED]
On Fri 2015-03-20 (08:21), Paul Hoffman wrote: > It doesn't look like OpenSSL got updated, and it looks like a bunch of the > attempted updates failed. Was this advisory tested on 10.0? I'm guessing this is pertinent: WARNING: FreeBSD 10.0-RELEASE-p18 HAS PASSED ITS END-OF-LIFE DATE. Need to run: freebsd-update -r 10.1-RELEASE upgrade ___ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
Re: Failure on 10.0? Re: FreeBSD Security Advisory FreeBSD-SA-15:06.openssl [REVISED]
On Fri, Mar 20, 2015 at 5:21 PM, Paul Hoffman wrote: > # sudo freebsd-update fetch > Looking up update.FreeBSD.org mirrors... 5 mirrors found. > Fetching metadata signature for 10.0-RELEASE from update6.freebsd.org... done. > Fetching metadata index... done. > Inspecting system... done. > Preparing to download files... done. > > The following files will be added as part of updating to 10.0-RELEASE-p18: > /usr/src/contrib/tzdata/zone1970.tab > /usr/src/crypto/openssl/crypto/constant_time_locl.h > /usr/src/crypto/openssl/crypto/constant_time_test.c > /usr/src/crypto/openssl/doc/apps/c_rehash.pod > /usr/src/crypto/openssl/doc/crypto/CMS_add1_signer.pod > /usr/src/crypto/openssl/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod > /usr/src/crypto/openssl/ssl/heartbeat_test.c > /usr/src/crypto/openssl/ssl/ssl_utst.c > /usr/src/crypto/openssl/util/mkbuildinf.pl > /usr/src/secure/lib/libcrypto/man/CMS_add1_signer.3 > /usr/src/secure/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3 > /usr/src/secure/usr.bin/openssl/man/c_rehash.1 > > WARNING: FreeBSD 10.0-RELEASE-p18 HAS PASSED ITS END-OF-LIFE DATE. > Any security issues discovered after Sat Feb 28 19:00:00 EST 2015 > will not have been corrected. > > # sudo freebsd-update install > Installing updates...install: ///usr/src/contrib/tzdata/zone1970.tab: No such > file or directory > install: ///usr/src/crypto/openssl/crypto/constant_time_locl.h: No such file > or directory > install: ///usr/src/crypto/openssl/crypto/constant_time_test.c: No such file > or directory > install: ///usr/src/crypto/openssl/doc/apps/c_rehash.pod: No such file or > directory > install: ///usr/src/crypto/openssl/doc/crypto/CMS_add1_signer.pod: No such > file or directory > install: > ///usr/src/crypto/openssl/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod: No > such file or directory > install: ///usr/src/crypto/openssl/ssl/heartbeat_test.c: No such file or > directory > install: ///usr/src/crypto/openssl/ssl/ssl_utst.c: No such file or directory > install: ///usr/src/crypto/openssl/util/mkbuildinf.pl: No such file or > directory > install: ///usr/src/secure/lib/libcrypto/man/CMS_add1_signer.3: No such file > or directory > install: ///usr/src/secure/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3: > No such file or directory > install: ///usr/src/secure/usr.bin/openssl/man/c_rehash.1: No such file or > directory > done. > > It doesn't look like OpenSSL got updated, and it looks like a bunch of the > attempted updates failed. Was this advisory tested on 10.0? > > --Paul Hoffman 10.0-RELEASE is not a supported release anymore, upgrade to 10.1. "WARNING: FreeBSD 10.0-RELEASE-p18 HAS PASSED ITS END-OF-LIFE DATE. Any security issues discovered after Sat Feb 28 19:00:00 EST 2015 will not have been corrected." https://www.freebsd.org/security/unsupported.html -Kimmo ___ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
Re: Failure on 10.0? Re: FreeBSD Security Advisory FreeBSD-SA-15:06.openssl [REVISED]
On 03/20/15 19:14, Gareth de Vaux wrote: > On Fri 2015-03-20 (08:21), Paul Hoffman wrote: >> It doesn't look like OpenSSL got updated, and it looks like a >> bunch of the attempted updates failed. Was this advisory tested >> on 10.0? > > I'm guessing this is pertinent: > > WARNING: FreeBSD 10.0-RELEASE-p18 HAS PASSED ITS END-OF-LIFE DATE. > > Need to run: > > freebsd-update -r 10.1-RELEASE upgrade > ___ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security To > unsubscribe, send any mail to > "freebsd-security-unsubscr...@freebsd.org" > Where is the problem to upgrade? type as root "freebsd-update -r 10.1-RELEASE upgrade" to get to 10.1. I'm not sure where the problem is. Greeting ___ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
