Add SA-14:14.openssl.

svn path=/head/; revision=45011
2014-06-05 13:03:07 +00:00 · 2014-06-05 13:03:07 +00:00 · 05be27dd8f · 2020-12-08 03:00:23 +00:00
commit 05be27dd8f
parent 7832d2830b
6 changed files with 493 additions and 0 deletions
--- a/share/security/advisories/FreeBSD-SA-14:14.openssl.asc
+++ b/share/security/advisories/FreeBSD-SA-14:14.openssl.asc
@ -0,0 +1,170 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-14:14.openssl                                    Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          OpenSSL multiple vulnerabilities
+
+Category:       contrib
+Module:         openssl
+Announced:      2014-06-05
+Affects:        All supported versions of FreeBSD.
+Corrected:      2014-06-05 12:32:38 UTC (stable/10, 10.0-STABLE)
+                2014-06-05 12:33:23 UTC (releng/10.0, 10.0-RELEASE-p5)
+                2014-06-05 12:53:06 UTC (stable/9, 9.3-BETA1)
+                2014-06-05 12:53:06 UTC (stable/9, 9.3-BETA1-p2)
+                2014-06-05 12:33:23 UTC (releng/9.2, 9.2-RELEASE-p8)
+                2014-06-05 12:33:23 UTC (releng/9.1, 9.1-RELEASE-p15)
+                2014-06-05 12:32:38 UTC (stable/8, 8.4-STABLE)
+                2014-06-05 12:33:23 UTC (releng/8.4, 8.4-RELEASE-p12)
+CVE Name:       CVE-2014-0195, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I.   Background
+
+FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project is
+a collaborative effort to develop a robust, commercial-grade, full-featured
+Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
+and Transport Layer Security (TLS v1) protocols as well as a full-strength
+general purpose cryptography library.
+
+II.  Problem Description
+
+Receipt of an invalid DTLS fragment on an OpenSSL DTLS client or server can
+lead to a buffer overrun. [CVE-2014-0195]
+
+Receipt of an invalid DTLS handshake on an OpenSSL DTLS client can lead the
+code to unnecessary recurse.  [CVE-2014-0221]
+
+Carefully crafted handshake can force the use of weak keying material in
+OpenSSL SSL/TLS clients and servers. [CVE-2014-0224]
+
+Carefully crafted packets can lead to a NULL pointer deference in OpenSSL
+TLS client code if anonymous ECDH ciphersuites are enabled. [CVE-2014-3470]
+
+III. Impact
+
+A remote attacker may be able to run arbitrary code on a vulnerable client
+or server by sending invalid DTLS fragments to an OpenSSL DTLS client or
+server. [CVE-2014-0195]
+
+A remote attacker who can send an invalid DTLS handshake to an OpenSSL DTLS
+client can crash the remote OpenSSL DTLS client. [CVE-2014-0221]
+
+A remote attacker who can send a carefully crafted handshake can force the
+use of weak keying material between a vulnerable client and a vulnerable
+server and decrypt and/or modify traffic from the attacked client and
+server in a man-in-the-middle (MITM) attack. [CVE-2014-0224]
+
+A remote attacker who can send carefully crafted packets can cause OpenSSL
+TLS client to crash.  [CVE-2014-3470]
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 10.0]
+# fetch http://security.FreeBSD.org/patches/SA-14:14/openssl-10.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:14/openssl-10.patch.asc
+# gpg --verify openssl-10.patch.asc
+
+[FreeBSD 9.x and 8.x]
+# fetch http://security.FreeBSD.org/patches/SA-14:14/openssl-9.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:14/openssl-9.patch.asc
+# gpg --verify openssl-9.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all deamons using the library, or reboot the system.
+
+3) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r267103
+releng/8.4/                                                       r267104
+stable/9/                                                         r267106
+releng/9.1/                                                       r267104
+releng/9.2/                                                       r267104
+stable/10/                                                        r267103
+releng/10.0/                                                      r267104
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:www.openssl.org/news/secadv_20140605.txt>
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0195>
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0221>
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224>
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470>
+
+The latest revision of this advisory is available at
+<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:14.openssl.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.22 (FreeBSD)
+
+iQIcBAEBCgAGBQJTkGnKAAoJEO1n7NZdz2rnlrgP/RkNkf0qryF34plltoTsy2P9
+uxC1fWAwpPcCCmC6hwGMFOCyNPsxgXNTGk8HDJYwEoNyrgyf5l26P/1KZisNaGWf
+JFyjR2Fd5N78AxXdkldp6O3hgMSF6HZtYDxMywVC6q9+hEJsFzgd2B/8fihoP9SO
+2f1othqvCAxnMZ9Ts0xQxfl+mcj5Zg0XmApakziPQiEbejOj1k5k9wBHo1O3GFF4
+kWaFEsArqv+UNSTRZ0m/8oRYgElKwCyVGTPr9mPxG1kIYh9WS44remGYc3kkO77Z
+gbzOSMHwEtf/PvIySl90EAkW8XlUWyd+2gTuVSAdm5WlDWArQaauJVHiUwysiOe
+nNEhsdSSQcIKHIyOMu486HzSyHP401AQ7jTlJmMHg4IXtsiM0O8lUigk6nCq/zUr
+ywYKm1/PHffAlHx2y1c5vP9F8Bun8wMUxYnHFI7FD++jklEZQ1EGEloqLd5RvLDM
+6CP8LYg6+zwpmDVbrAs8MBhdug8m6Xd7lACzwO6P02vYXWZGZM3zAbQqTYGag1kp
+YTQl/ix4GFIFtuV4qjg8FOwQyqXBp2n9hHKwtXAv4okDRdk8GcxzOFENFSsxhj6Q
+8XuoMaX/9EwNi7jteYUsSLhKin0gE3mjTCvzO+d6DLiPS+o8uMXGrE9kt5ww6NHP
+XEFCK00JfXunW1wmkcN3
+=o4+e
+-----END PGP SIGNATURE-----