Add advisory and patches for SA-15:01.openssl.
parent a4483d91c3
commit 6cdc0083a1
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=46203
8 changed files with 5579 additions and 0 deletions
211
share/security/advisories/FreeBSD-SA-15:01.openssl.asc
Normal file
@ -0,0 +1,211 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:01.openssl Security Advisory
The FreeBSD Project

Topic: OpenSSL multiple vulnerabilities

Category: contrib
Module: openssl
Announced: 2015-01-14
Affects: All supported versions of FreeBSD.
Corrected: 2015-01-09 00:58:20 UTC (stable/10, 10.1-STABLE)
2015-01-14 21:27:46 UTC (releng/10.1, 10.1-RELEASE-p4)
2015-01-14 21:27:46 UTC (releng/10.0, 10.0-RELEASE-p16)
2015-01-09 01:11:43 UTC (stable/9, 9.3-STABLE)
2015-01-14 21:27:46 UTC (releng/9.3, 9.3-RELEASE-p8)
2015-01-09 01:11:43 UTC (stable/8, 8.4-STABLE)
2015-01-14 21:27:46 UTC (releng/8.4, 8.4-RELEASE-p22)
CVE Name: CVE-2014-3571, CVE-2015-0206, CVE-2014-3569, CVE-2014-3572
CVE-2015-0204, CVE-2015-0205, CVE-2014-8275, CVE-2014-3570

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I. Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

II. Problem Description

A carefully crafted DTLS message can cause a segmentation fault in OpenSSL
due to a NULL pointer dereference. [CVE-2014-3571]

A memory leak can occur in the dtls1_buffer_record function under certain
conditions. [CVE-2015-0206]

When OpenSSL is built with the no-ssl3 option and a SSL v3 ClientHello is
received the ssl method would be set to NULL which could later result in
a NULL pointer dereference. [CVE-2014-3569] This does not affect
FreeBSD's default build.

An OpenSSL client will accept a handshake using an ephemeral ECDH
ciphersuite using an ECDSA certificate if the server key exchange message
is omitted. [CVE-2014-3572]

An OpenSSL client will accept the use of an RSA temporary key in a non-export
RSA key exchange ciphersuite. [CVE-2015-0204]

An OpenSSL server will accept a DH certificate for client authentication
without the certificate verify message. [CVE-2015-0205]

OpenSSL accepts several non-DER-variations of certificate signature
algorithm and signature encodings. OpenSSL also does not enforce a
match between the signature algorithm between the signed and unsigned
portions of the certificate. [CVE-2014-8275]

Bignum squaring (BN_sqr) may produce incorrect results on some
platforms, including x86_64. [CVE-2014-3570]

III. Impact

An attacker who can send a carefully crafted DTLS message can cause server
daemons that uses OpenSSL to crash, resulting a Denial of Service.
[CVE-2014-3571]

An attacker who can send repeated DTLS records with the same sequence number
but for the next epoch can exhaust the server's memory and result in a Denial of
Service. [CVE-2015-0206]

A server can remove forward secrecy from the ciphersuite. [CVE-2014-3572]

A server could present a weak temporary key and downgrade the security of
the session. [CVE-2015-0204]

A client could authenticate without the use of a private key. This only
affects servers which trust a client certificate authority which issues
certificates containing DH keys, which is extremely rare. [CVE-2015-0205]

By modifying the contents of the signature algorithm or the encoding of
the signature, it is possible to change the certificate's fingerprint.

This does not allow an attacker to forge certificates, and does not
affect certificate verification or OpenSSL servers/clients in any
other way. It also does not affect common revocation mechanisms. Only
custom applications that rely on the uniqueness of the fingerprint
(e.g. certificate blacklists) may be affected. [CVE-2014-8275]

IV. Workaround

No workaround is available.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 8.4 and FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-9.3.patch
# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-9.3.patch.asc
# gpg --verify openssl-9.3.patch.asc

[FreeBSD 10.0]
# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-10.0.patch
# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-10.0.patch.asc
# gpg --verify openssl-10.0.patch.asc

[FreeBSD 10.1]
# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-10.1.patch
# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-10.1.patch.asc
# gpg --verify openssl-10.1.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart all deamons using the library, or reboot the system.

VI. Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r276865
releng/8.4/ r277195
stable/9/ r276865
releng/9.3/ r277195
stable/10/ r276864
releng/10.0/ r277195
releng/10.1/ r277195
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://www.openssl.org/news/secadv_20150108.txt>

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3569>

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3570>

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3571>

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3572>

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8275>

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204>

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0205>

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0206>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:01.openssl.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.1 (FreeBSD)

iQIcBAEBCgAGBQJUtuEaAAoJEO1n7NZdz2rnQCcP/A19v5HUUhjz5nMbUumRwAmB
QCxNKEy6SbAuxtIwGNYJyyxKIK3R9vTHwlgyQZVb4q8FgMHcu4yABeRfov10mO5Q
U7RkLOJyca6eqEngkrh+AFfbhqfxtccIMUQkDdegsQcqZd2Ya0VeNfjA8H0XIDoL
JSEoCifmxjv6v8ZcpugahsUOBmEWx+vyHJUSPVSv/AsLubzV3hqi4iLpzLky3/dR
4LHGzPny07NkGPVqOBU7mjTs76SzCTS2c4NIVfvbphx8UojMvREbZ8ogCMEVGBXY
fIWesi7Y6lhqbSgWj1EXyZF9NTo/Z4nr7Oh1ER5VSAfmhZAdyhEEEGQrg4Jq0VL3
DJ1Y35Up79xXmVjB14COxodI5UO+55wWnXb8r/zy/eh+wv0sHwlTz56wxo7SxAOa
xOrQj0VJ7zghLhBO7azacbVYIKpfQkJafb7XRUOqu4wt2y3/jeL+0UkWJnNMROrq
aQUB6SdGUVDwQsmodgF0rsGcQYXhaQBPu4KQo8yG8+rpqc2zewi537BJr/PWJvH0
sJ6yYcD7VGyIleVRDpxsg7uBWelnGn+AqHignbyUcic4j/N9lYlF00AVgka2TdOp
i5eZtp7m95v53S4fEX2HGwWpOv+AfCrSKQZGpvdNx+9JyD3LyOvFBxs4k0oZWa6J
6FLFZ38YkLcUIzW6I6Kc
=ztFk
-----END PGP SIGNATURE-----
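Review bot: two wording defects in the signed advisory text, in section III ("cause server daemons that uses OpenSSL to crash, resulting a Denial of Service" should read "daemons that use ... resulting in a Denial of Service") and at the end of section V ("Restart all deamons using the library" should read "daemons"). Because this file is a PGP clearsigned message (the "Hash: SHA512" header and the signature block covering everything between the BEGIN PGP SIGNED MESSAGE and BEGIN PGP SIGNATURE lines), the text cannot be edited in place: either fix the wording before the advisory is signed and re-sign it, or leave it as published, since a committed copy that differs from the signed bytes would fail the gpg --verify check the advisory itself tells users to run.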
2083
share/security/patches/SA-15:01/openssl-10.0.patch
Normal file
File diff suppressed because it is too large
17
share/security/patches/SA-15:01/openssl-10.0.patch.asc
Normal file
@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.1 (FreeBSD)

iQIcBAABCgAGBQJUtuBQAAoJEO1n7NZdz2rnVsEP/3rKxcVxtP3DeRhMUwxLE3vK
VulM4jE8yMiR6ipSWNuUyRPMMLtnkTkBUygIDr0J5Ivnqgeo0EtrQtYs8xGqkJYU
a9jS0BKJdsLUX8zapixVdOEbu8ySL3F+ZRQPKLSg+LUfosuk8OT1z2h14CHdsdBJ
23tSCMgk9KkRA4N1NDf/CHjYAPF5zyIh02DBF2m11CC2roaqUXxeGYqmTrzQONoY
eMyGpvqdjrpy8oafw0mGDV5RxtWImhfeHnm0t/NRn9TMnPUWtNE+4KiO5DJprkiC
9vbEt4uU/OUtxgZ6+0BhNs4piv1y7Bm42YprS3nrGWeDjO624rS1E7X25VxP0N70
ALcMKQDr4OcqMUkn7RV09Vj7yfQRdgYMueVD5LHSZ8dOrf2fmTmX38DLkG0pTIJT
FCdYERwur/79ErVF2dAUnWYhVOBytoTrQhpCoS5MFRkTa3YH/e1sywEnxDSLcrF4
/QDFhTIuzoN6bYA95TYt6O4Quch6fG9yE0yutTU+pLiz4SVJ+XXOG6KLK+WosyG9
uHpHoE4z/Ib2v32PVGRyOifg+7DwyWEvuVwEYD2ByKEZRrodxExwbdmYzZqdyCVF
vp7+lYAfsiGewlSB210169wu9jE7OZZgUv8tmuZ+B2H4cdGpMZfWGhxTDKzFGNWA
CpAEGl9qaZD+5GfHxt0Y
=N0l/
-----END PGP SIGNATURE-----
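Review bot: the diff of openssl-10.0.patch that this detached signature covers is suppressed in this view, so nothing here shows that the signature was made over the patch bytes actually being committed. Before publishing, run the same check the advisory prescribes for users, "gpg --verify openssl-10.0.patch.asc" with the patch file beside it, against the files as committed; the same applies to the openssl-10.1.patch.asc and openssl-9.3.patch.asc hunks below, whose patches are likewise suppressed here.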
1636
share/security/patches/SA-15:01/openssl-10.1.patch
Normal file
File diff suppressed because it is too large
17
share/security/patches/SA-15:01/openssl-10.1.patch.asc
Normal file
@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.1 (FreeBSD)

iQIcBAABCgAGBQJUtuBQAAoJEO1n7NZdz2rnQ8EP/2y6JS8OIAONv0dZbosjDfVL
QA8/nV3Wla8RD9BceamC2lShwlhD4Zzf6DspQDyIHQ9jmSov7YPWkgSXBh2XwVu7
0CURYvCllJa8u6ZM7bJMZSwDbvntcnl8oofOwnRCQgO2Jc36jJoASm8H2f1vvR0q
8eC4488yXTrP+Q6QVW2QMWd8XMusk7pPDkx208h0C40PDEP7h+zgj4P+qrkfXfPo
js2AL/QkgZtuNKUxruomoeABeFiIO6cFA3gYAdUaxHz++c9M+94fjgrvF6xZCpNj
bYGe0beU5Sh7nIpH7ZaLOIB4rVNH/0cm+3RJRDeRv+QvF2dn/tL0xY5A8RTG0jff
p9vvrjnOmVEIeDOkGT4fHUG5LOPRa53GxWGsuTMlq9nDV6nYAiDbeaRJY/UqrKId
/cb6MQADKYCc1kN4UfZQuBfusVhHt0Dfn1L0QNBSvXvS27wakae+O765UNJ4Y3OB
FRbvMJTJZyETQaW1fURQzKfVpjOImQ2yJxcxzhjvHU4v9nLCXHlk8aUZ+QWYMBgJ
5PCM4j9vA2h13B4YrLceY5FFSGgu1UUVa4MLV1drxVzdbMtlbZbz1As7eVnWzMMG
9cWqNZWMbsJBPQoc/c3RCwDDj74laj9RfvKZOctnC3JOslgd2ElulMqGVhMEBNrE
2pI4TaI8z1hhlzn7svMN
=X57u
-----END PGP SIGNATURE-----
1582
share/security/patches/SA-15:01/openssl-9.3.patch
Normal file
File diff suppressed because it is too large
17
share/security/patches/SA-15:01/openssl-9.3.patch.asc
Normal file
@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.1 (FreeBSD)

iQIcBAABCgAGBQJUtuBQAAoJEO1n7NZdz2rnafsQAJXvOF3kTb3JQqVlkxarVbDf
bCOSx3VitagKVGgXGsdqNkf2ZzeoBB5DOvndJgKDuF9hgwPkOfVtAFiVPoOo4Njk
/G38duk+ntkDjpBdjTHDkMzqniERsNPzo7kDFsHczzAGKX5KV9/C1Fyr3cHGIg1M
f2Pl1UFhaOa16ZIGBw7xba2nEm0zsjmhWYFfQxPdihc0HXivn6Zyqt4Ys3zuieOC
q4x1sFqAkYc4kCs0sNvFFfSE3nCd4bCo10rzGsv2AMKjadyA1q8np0W2uQ2PqjRM
VSOiDSeIuNCKA3P01KLvV/K9oIv9YN3kE78wglshynC5OTHovqbdlrBglcPzt9tO
NJ8xV8Mg8v8ivS5UIksd46w8zDcOLCxxdpILqzoZlv7aodErH1/nKvmAV1NEcUfy
6o4ukL0YIghHr7fBqnMFKT1uDP5NQj+3z4FUOaBemWYExmTlAj3HqjoaAeaS3XUz
v0uvpzgCY2G3xw6ne6wtwhM0VFF6YBxQfk/xnN56g3DWOdOhtrmxytN9DQUox9EE
83pQN8IdDCX5Tb0E4cH1TZK1Kvd6DCUF6T6yvAhkvL2KaDBIQpDnbnLF019ELMOr
IeJ/eKTBTyOBpardg21oWX01+ielRPSwVJB87z3lcdTaTHsmHDRvqnZ1kegrCcGz
TQD7vmtNOOAdfp5gN6II
=S4We
-----END PGP SIGNATURE-----
@ -4,6 +4,22 @@
$FreeBSD$
</cvs:keyword>

<year>
<name>2015</name>

<month>
<name>1</name>

<day>
<name>14</name>

<advisory>
<name>FreeBSD-SA-15:01.openssl</name>
</advisory>
</day>
</month>
</year>

<year>
<name>2014</name>

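Review bot: the file header for this hunk did not survive extraction, so the file it modifies is not named on this page; the hunk header "@ -4,6 +4,22 @@" and the "$FreeBSD$" / "</cvs:keyword>" context are the only identification, and the 16 added lines (6 to 22) match the visible 2015 block exactly. Two cross-checks against the advisory hunk in this same commit pass: the new entry's "<name>2015</name>", "<name>1</name>" and "<name>14</name>" agree with "Announced: 2015-01-14", and the "<advisory><name>FreeBSD-SA-15:01.openssl</name>" value matches the advisory filename FreeBSD-SA-15:01.openssl.asc. Opening a fresh "<year>" element ahead of the existing "<year><name>2014</name>" block is the right structure here, since the context shows 2014 was the first year in the file and the new entry must come first if the file is ordered newest-first.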