Add updated text and patch for FreeBSD-SA-20:33.openssl

Approved by: so
2020-12-14 13:28:07 -08:00 · 2020-12-14 13:28:07 -08:00 · 925bca73c9
commit 925bca73c9
parent eb28fee24e
3 changed files with 254 additions and 21 deletions
--- a/share/security/advisories/FreeBSD-SA-20:33.openssl.asc
+++ b/share/security/advisories/FreeBSD-SA-20:33.openssl.asc
@ -14,22 +14,25 @@ Affects:        All supported versions of FreeBSD.
 Corrected:      2020-12-08 18:28:49 UTC (stable/12, 12.2-STABLE)
                2020-12-08 19:10:40 UTC (releng/12.2, 12.2-RELEASE-p2)
                2020-12-08 19:10:40 UTC (releng/12.1, 12.1-RELEASE-p12)
+                2020-12-10 23:43:29 UTC (stable/11, 11.4-STABLE)
+                2020-12-14 21:20:55 UTC (releng/11.4, 11.4-RELEASE-p6)
 CVE Name:       CVE-2020-1971

 Note: The OpenSSL project has published publicly available patches for
-versions included in FreeBSD 12.x.  This vulnerability is also known to
-affect OpenSSL versions included in FreeBSD 11.4.  However, the OpenSSL
-project is only giving patches for that version to premium support contract
-holders.  The FreeBSD project does not have access to these patches and
-recommends FreeBSD 11.4 users to either upgrade to FreeBSD 12.x or leverage
-up to date versions of OpenSSL in the ports/pkg system. The FreeBSD Project
-may update this advisory to include FreeBSD 11.4 should patches become
-publicly available.
+versions included in FreeBSD 12.x.  FreeBSD 11.x includes an older OpenSSL
+version, and patches for that version from from the OpenSSL project are
+only available to premium support contract holders.  This advisory includes
+an independently-developed backport of the patch for FreeBSD 11.4.

 For general information regarding FreeBSD Security Advisories,
 including descriptions of the fields above, security branches, and the
 following sections, please visit <URL:https://security.FreeBSD.org/>.

+0.   Revision History
+
+v1.0 2020-12-08  Initial release.
+v1.1 2020-12-14  Added FreeBSD 11.4 patch.
+
 I.   Background

 FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project is a
@ -80,10 +83,16 @@ FreeBSD release branches.
 a) Download the relevant patch from the location below, and verify the
 detached PGP signature using your PGP utility.

+[FreeBSD 12.2, FreeBSD 12.1]
 # fetch https://security.FreeBSD.org/patches/SA-20:33/openssl.patch
 # fetch https://security.FreeBSD.org/patches/SA-20:33/openssl.patch.asc
 # gpg --verify openssl.patch.asc

+[FreeBSD 11.4]
+# fetch https://security.FreeBSD.org/patches/SA-20:33/openssl.11.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:33/openssl.11.patch.asc
+# gpg --verify openssl.11.patch.asc
+
 b) Apply the patch.  Execute the following commands as root:

 # cd /usr/src
@ -104,6 +113,8 @@ Branch/path                                                      Revision
 stable/12/                                                        r368459
 releng/12.2/                                                      r368463
 releng/12.1/                                                      r368463
+stable/11/                                                        r368530
+releng/11.4/                                                      r368643
 - -------------------------------------------------------------------------

 To see which files were modified by a particular revision, run the
@ -126,19 +137,19 @@ The latest revision of this advisory is available at
 <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:33.openssl.asc>
 -----BEGIN PGP SIGNATURE-----

-iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl/P6+RfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl/X2AhfFIAAAAAALgAo
 aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
 MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
-5cI4zQ//dy/tBaAq+kvGkWry74LzvqdZ5c0IIWH1UIrDab0wgmj8H5siP3Rpp7OB
-GKtpA+gDDmIgbe80fD+L6L5LR59wBU3sfyYPIcKIbPGl4ix2C5HK7reGns1qoX+O
-BFJd3gyPVeq4FD5/+btynyom8lcR//ta4dKKz2TERfd27iL8fM0AoLl+JI/axzJS
-d06Z2kA0gRo528DsVRsTbiZFINfhGm8wzeXYpAxwbpnedswOeukOxTsKXrdtSAy+
-BCq5BHdBxL/z4A2QLlrsYqpQH0Ty77ueGjqrq4QPFwq7dxSMDkfzz+YeGPKAvGsU
-lwyE2LlkP+531y4ueeGs5K6zRk8jDn7hJs+HfAtTy7y6d+VX9h7wRSssozC9DsV4
-87OWHkXOEj5LeDRDfrEKVLx+QBqRcOOY6mkT3mb5dB7o9bmqxtjf3CaQaA7eV7Y8
-a9QJvpO37m1ZpCC/kXACUPwmwbc5q8sjOsAcQiRAVeom6coFwDxs9u+yHX3uCLRJ
-zorgaLgce/c7yLUoQ/bA1/bfuOE7qIwxK7JosZSxv59CvavAhN/hBUcuL7CPCGrP
-u9LyYGPoYLXUj4CBKI7FmGkQVhNCLDhUYdvrVyRbTy3hihi1VtbFEZ8Dhipm4nL7
-Oko1LxjLb1dJiHEj9kHtNWRmhueuErxkgA+GWLlsJpjlGlC/YAU=
-=5e1s
+5cLRqQ/8DWGkrFkYn1mpbePFaWFkb2Gt9wexPjfa7oFVSPirHwEFFF1yr5p5hTNF
+lPyDeSmif5DsAa1fm5CqIVDc9R+kvs8QBfuvD6dRTDW0NSSjPILtBd+7DpnejGKY
+DGP9Q9aV8pniyJ029vduReF/U0VX/VtHuujYMZBBeXTcfWW1+/olMw0nkMno+3j/
+PFflN1d7Kj66b+RjqdIav72vuEmp0nzm8VlL4Sn53Im6TJuGg+24uCj2oCKmMfiR
+6mrS9D6H6/8VyAEI7aFfz52TN/Cuqx5U5HjonjRsnKCN/8tST6nxZ3MQ3F6eJRU6
+Tqzd9c1iYm9bWYWTpqtDx2dASiIICQeEj8f42RavU+BfpER9rKQi/pcJk/9ISu2L
+/EOmH735v1dWd5PVZiVQinx+v/Os5pCzAZEOxA4rI7prAFvnX2q7XsJI914p87FR
+SGwMy/cN7b23rJFLwNp29tpAJhaz9Ac/vAJwvUKEaoGqvcEC8zOPykMcOhcHXONq
+fXJWgkl/N8fkyKrSfFZkKF5r4aQGsuyaZje1YmrpWIOr/jzV9qL4CAvUhx116yJb
+XelP+aaXBD82kM3J0Ddivaz+/dP5ng/XUADJvAYzZ1g7N9fxYjLGF6nRJ3eXKuno
+NQfYPIYAc1TKYAU+k6pbxqQkVuYtTxHCSXdvUGMjh0scZArU8/s=
+=LaWf
 -----END PGP SIGNATURE-----