Add advisory and patches for SA-15:01.openssl.

svn path=/head/; revision=46203

share/security/advisories/FreeBSD-SA-15:01.openssl.asc

@@ -0,0 +1,211 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-15:01.openssl                                    Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          OpenSSL multiple vulnerabilities
+
+Category:       contrib
+Module:         openssl
+Announced:      2015-01-14
+Affects:        All supported versions of FreeBSD.
+Corrected:      2015-01-09 00:58:20 UTC (stable/10, 10.1-STABLE)
+                2015-01-14 21:27:46 UTC (releng/10.1, 10.1-RELEASE-p4)
+                2015-01-14 21:27:46 UTC (releng/10.0, 10.0-RELEASE-p16)
+                2015-01-09 01:11:43 UTC (stable/9, 9.3-STABLE)
+                2015-01-14 21:27:46 UTC (releng/9.3, 9.3-RELEASE-p8)
+                2015-01-09 01:11:43 UTC (stable/8, 8.4-STABLE)
+                2015-01-14 21:27:46 UTC (releng/8.4, 8.4-RELEASE-p22)
+CVE Name:       CVE-2014-3571, CVE-2015-0206, CVE-2014-3569, CVE-2014-3572
+                CVE-2015-0204, CVE-2015-0205, CVE-2014-8275, CVE-2014-3570
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project is
+a collaborative effort to develop a robust, commercial-grade, full-featured
+Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
+and Transport Layer Security (TLS v1) protocols as well as a full-strength
+general purpose cryptography library.
+
+II.  Problem Description
+
+A carefully crafted DTLS message can cause a segmentation fault in OpenSSL
+due to a NULL pointer dereference. [CVE-2014-3571]
+
+A memory leak can occur in the dtls1_buffer_record function under certain
+conditions. [CVE-2015-0206]
+
+When OpenSSL is built with the no-ssl3 option and a SSL v3 ClientHello is
+received the ssl method would be set to NULL which could later result in
+a NULL pointer dereference.  [CVE-2014-3569] This does not affect
+FreeBSD's default build.
+
+An OpenSSL client will accept a handshake using an ephemeral ECDH
+ciphersuite using an ECDSA certificate if the server key exchange message
+is omitted. [CVE-2014-3572]
+
+An OpenSSL client will accept the use of an RSA temporary key in a non-export
+RSA key exchange ciphersuite. [CVE-2015-0204]
+
+An OpenSSL server will accept a DH certificate for client authentication
+without the certificate verify message. [CVE-2015-0205]
+
+OpenSSL accepts several non-DER-variations of certificate signature
+algorithm and signature encodings.  OpenSSL also does not enforce a
+match between the signature algorithm between the signed and unsigned
+portions of the certificate. [CVE-2014-8275]
+
+Bignum squaring (BN_sqr) may produce incorrect results on some
+platforms, including x86_64. [CVE-2014-3570]
+
+III. Impact
+
+An attacker who can send a carefully crafted DTLS message can cause server
+daemons that uses OpenSSL to crash, resulting a Denial of Service.
+[CVE-2014-3571]
+
+An attacker who can send repeated DTLS records with the same sequence number
+but for the next epoch can exhaust the server's memory and result in a Denial of
+Service. [CVE-2015-0206]
+
+A server can remove forward secrecy from the ciphersuite.  [CVE-2014-3572]
+
+A server could present a weak temporary key and downgrade the security of
+the session. [CVE-2015-0204]
+
+A client could authenticate without the use of a private key.  This only
+affects servers which trust a client certificate authority which issues
+certificates containing DH keys, which is extremely rare.  [CVE-2015-0205]
+
+By modifying the contents of the signature algorithm or the encoding of
+the signature, it is possible to change the certificate's fingerprint.
+
+This does not allow an attacker to forge certificates, and does not
+affect certificate verification or OpenSSL servers/clients in any
+other way. It also does not affect common revocation mechanisms.  Only
+custom applications that rely on the uniqueness of the fingerprint
+(e.g. certificate blacklists) may be affected.  [CVE-2014-8275]
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 8.4 and FreeBSD 9.3]
+# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-9.3.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-9.3.patch.asc
+# gpg --verify openssl-9.3.patch.asc
+
+[FreeBSD 10.0]
+# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-10.0.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-10.0.patch.asc
+# gpg --verify openssl-10.0.patch.asc
+
+[FreeBSD 10.1]
+# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-10.1.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-10.1.patch.asc
+# gpg --verify openssl-10.1.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all deamons using the library, or reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r276865
+releng/8.4/                                                       r277195
+stable/9/                                                         r276865
+releng/9.3/                                                       r277195
+stable/10/                                                        r276864
+releng/10.0/                                                      r277195
+releng/10.1/                                                      r277195
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://www.openssl.org/news/secadv_20150108.txt>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3569>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3570>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3571>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3572>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8275>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0205>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0206>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:01.openssl.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.1 (FreeBSD)
+
+iQIcBAEBCgAGBQJUtuEaAAoJEO1n7NZdz2rnQCcP/A19v5HUUhjz5nMbUumRwAmB
+QCxNKEy6SbAuxtIwGNYJyyxKIK3R9vTHwlgyQZVb4q8FgMHcu4yABeRfov10mO5Q
+U7RkLOJyca6eqEngkrh+AFfbhqfxtccIMUQkDdegsQcqZd2Ya0VeNfjA8H0XIDoL
+JSEoCifmxjv6v8ZcpugahsUOBmEWx+vyHJUSPVSv/AsLubzV3hqi4iLpzLky3/dR
+4LHGzPny07NkGPVqOBU7mjTs76SzCTS2c4NIVfvbphx8UojMvREbZ8ogCMEVGBXY
+fIWesi7Y6lhqbSgWj1EXyZF9NTo/Z4nr7Oh1ER5VSAfmhZAdyhEEEGQrg4Jq0VL3
+DJ1Y35Up79xXmVjB14COxodI5UO+55wWnXb8r/zy/eh+wv0sHwlTz56wxo7SxAOa
+xOrQj0VJ7zghLhBO7azacbVYIKpfQkJafb7XRUOqu4wt2y3/jeL+0UkWJnNMROrq
+aQUB6SdGUVDwQsmodgF0rsGcQYXhaQBPu4KQo8yG8+rpqc2zewi537BJr/PWJvH0
+sJ6yYcD7VGyIleVRDpxsg7uBWelnGn+AqHignbyUcic4j/N9lYlF00AVgka2TdOp
+i5eZtp7m95v53S4fEX2HGwWpOv+AfCrSKQZGpvdNx+9JyD3LyOvFBxs4k0oZWa6J
+6FLFZ38YkLcUIzW6I6Kc
+=ztFk
+-----END PGP SIGNATURE-----

share/security/patches/SA-15:01/openssl-10.0.patch.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.1 (FreeBSD)
+
+iQIcBAABCgAGBQJUtuBQAAoJEO1n7NZdz2rnVsEP/3rKxcVxtP3DeRhMUwxLE3vK
+VulM4jE8yMiR6ipSWNuUyRPMMLtnkTkBUygIDr0J5Ivnqgeo0EtrQtYs8xGqkJYU
+a9jS0BKJdsLUX8zapixVdOEbu8ySL3F+ZRQPKLSg+LUfosuk8OT1z2h14CHdsdBJ
+23tSCMgk9KkRA4N1NDf/CHjYAPF5zyIh02DBF2m11CC2roaqUXxeGYqmTrzQONoY
+eMyGpvqdjrpy8oafw0mGDV5RxtWImhfeHnm0t/NRn9TMnPUWtNE+4KiO5DJprkiC
+9vbEt4uU/OUtxgZ6+0BhNs4piv1y7Bm42YprS3nrGWeDjO624rS1E7X25VxP0N70
+ALcMKQDr4OcqMUkn7RV09Vj7yfQRdgYMueVD5LHSZ8dOrf2fmTmX38DLkG0pTIJT
+FCdYERwur/79ErVF2dAUnWYhVOBytoTrQhpCoS5MFRkTa3YH/e1sywEnxDSLcrF4
+/QDFhTIuzoN6bYA95TYt6O4Quch6fG9yE0yutTU+pLiz4SVJ+XXOG6KLK+WosyG9
+uHpHoE4z/Ib2v32PVGRyOifg+7DwyWEvuVwEYD2ByKEZRrodxExwbdmYzZqdyCVF
+vp7+lYAfsiGewlSB210169wu9jE7OZZgUv8tmuZ+B2H4cdGpMZfWGhxTDKzFGNWA
+CpAEGl9qaZD+5GfHxt0Y
+=N0l/
+-----END PGP SIGNATURE-----

share/security/patches/SA-15:01/openssl-10.1.patch.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.1 (FreeBSD)
+
+iQIcBAABCgAGBQJUtuBQAAoJEO1n7NZdz2rnQ8EP/2y6JS8OIAONv0dZbosjDfVL
+QA8/nV3Wla8RD9BceamC2lShwlhD4Zzf6DspQDyIHQ9jmSov7YPWkgSXBh2XwVu7
+0CURYvCllJa8u6ZM7bJMZSwDbvntcnl8oofOwnRCQgO2Jc36jJoASm8H2f1vvR0q
+8eC4488yXTrP+Q6QVW2QMWd8XMusk7pPDkx208h0C40PDEP7h+zgj4P+qrkfXfPo
+js2AL/QkgZtuNKUxruomoeABeFiIO6cFA3gYAdUaxHz++c9M+94fjgrvF6xZCpNj
+bYGe0beU5Sh7nIpH7ZaLOIB4rVNH/0cm+3RJRDeRv+QvF2dn/tL0xY5A8RTG0jff
+p9vvrjnOmVEIeDOkGT4fHUG5LOPRa53GxWGsuTMlq9nDV6nYAiDbeaRJY/UqrKId
+/cb6MQADKYCc1kN4UfZQuBfusVhHt0Dfn1L0QNBSvXvS27wakae+O765UNJ4Y3OB
+FRbvMJTJZyETQaW1fURQzKfVpjOImQ2yJxcxzhjvHU4v9nLCXHlk8aUZ+QWYMBgJ
+5PCM4j9vA2h13B4YrLceY5FFSGgu1UUVa4MLV1drxVzdbMtlbZbz1As7eVnWzMMG
+9cWqNZWMbsJBPQoc/c3RCwDDj74laj9RfvKZOctnC3JOslgd2ElulMqGVhMEBNrE
+2pI4TaI8z1hhlzn7svMN
+=X57u
+-----END PGP SIGNATURE-----

share/security/patches/SA-15:01/openssl-9.3.patch.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.1 (FreeBSD)
+
+iQIcBAABCgAGBQJUtuBQAAoJEO1n7NZdz2rnafsQAJXvOF3kTb3JQqVlkxarVbDf
+bCOSx3VitagKVGgXGsdqNkf2ZzeoBB5DOvndJgKDuF9hgwPkOfVtAFiVPoOo4Njk
+/G38duk+ntkDjpBdjTHDkMzqniERsNPzo7kDFsHczzAGKX5KV9/C1Fyr3cHGIg1M
+f2Pl1UFhaOa16ZIGBw7xba2nEm0zsjmhWYFfQxPdihc0HXivn6Zyqt4Ys3zuieOC
+q4x1sFqAkYc4kCs0sNvFFfSE3nCd4bCo10rzGsv2AMKjadyA1q8np0W2uQ2PqjRM
+VSOiDSeIuNCKA3P01KLvV/K9oIv9YN3kE78wglshynC5OTHovqbdlrBglcPzt9tO
+NJ8xV8Mg8v8ivS5UIksd46w8zDcOLCxxdpILqzoZlv7aodErH1/nKvmAV1NEcUfy
+6o4ukL0YIghHr7fBqnMFKT1uDP5NQj+3z4FUOaBemWYExmTlAj3HqjoaAeaS3XUz
+v0uvpzgCY2G3xw6ne6wtwhM0VFF6YBxQfk/xnN56g3DWOdOhtrmxytN9DQUox9EE
+83pQN8IdDCX5Tb0E4cH1TZK1Kvd6DCUF6T6yvAhkvL2KaDBIQpDnbnLF019ELMOr
+IeJ/eKTBTyOBpardg21oWX01+ielRPSwVJB87z3lcdTaTHsmHDRvqnZ1kegrCcGz
+TQD7vmtNOOAdfp5gN6II
+=S4We
+-----END PGP SIGNATURE-----

share/xml/advisories.xml

@@ -4,6 +4,22 @@
       $FreeBSD$
     </cvs:keyword>
 
+  <year>
+    <name>2015</name>
+
+    <month>
+      <name>1</name>
+
+      <day>
+        <name>14</name>
+
+        <advisory>
+          <name>FreeBSD-SA-15:01.openssl</name>
+        </advisory>
+      </day>
+    </month>
+  </year>
+
   <year>
     <name>2014</name>