168 lines
6.5 KiB
Text
168 lines
6.5 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-15:26.openssl Security Advisory
|
|
The FreeBSD Project
|
|
|
|
Topic: Multiple OpenSSL vulnerabilities
|
|
|
|
Category: contrib
|
|
Module: openssl
|
|
Announced: 2015-12-05
|
|
Affects: All supported versions of FreeBSD.
|
|
Corrected: 2015-12-03 21:18:48 UTC (stable/10, 10.2-STABLE)
|
|
2015-12-05 09:53:58 UTC (releng/10.2, 10.2-RELEASE-p8)
|
|
2015-12-05 09:53:58 UTC (releng/10.1, 10.1-RELEASE-p25)
|
|
2015-12-03 21:24:40 UTC (stable/9, 9.3-STABLE)
|
|
2015-12-05 09:53:58 UTC (releng/9.3, 9.3-RELEASE-p31)
|
|
CVE Name: CVE-2015-3194, CVE-2015-3195, CVE-2015-3196
|
|
|
|
For general information regarding FreeBSD Security Advisories,
|
|
including descriptions of the fields above, security branches, and the
|
|
following sections, please visit <URL:https://security.FreeBSD.org/>.
|
|
|
|
I. Background
|
|
|
|
FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
|
|
a collaborative effort to develop a robust, commercial-grade, full-featured
|
|
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
|
|
and Transport Layer Security (TLS v1) protocols as well as a full-strength
|
|
general purpose cryptography library.
|
|
|
|
II. Problem Description
|
|
|
|
The signature verification routines will crash with a NULL pointer dereference
|
|
if presented with an ASN.1 signature using the RSA PSS algorithm and absent
|
|
mask generation function parameter. [CVE-2015-3194]
|
|
|
|
When presented with a malformed X509_ATTRIBUTE structure, OpenSSL will leak
|
|
memory. [CVE-2015-3195]
|
|
|
|
If PSK identity hints are received by a multi-threaded client then the values
|
|
are incorrectly updated in the parent SSL_CTX structure. [CVE-2015-3196]
|
|
|
|
III. Impact
|
|
|
|
A remote attacker who can present a specifically crafted certificate may
|
|
cause a OpenSSL client or server application that performs certificate
|
|
signature verification to crash with a NULL pointer dereference, resulting
|
|
in a Denial of Service. [CVE-2015-3194] This affects FreeBSD 10.x only.
|
|
|
|
An attacker who is able to feed specifically crafted PKCS#7/CMS data to an
|
|
OpenSSL application can cause memory leak which may eventually result in a
|
|
Denial of Service. [CVE-2015-3195]
|
|
|
|
A remote attacker who can send PSK identity hints to a multi-thread client
|
|
may trigger a double fault of hint data, which may lead to crash the client
|
|
application. [CVE-2015-3196]. This affects FreeBSD 10.1 only.
|
|
|
|
IV. Workaround
|
|
|
|
No workaround is available.
|
|
|
|
V. Solution
|
|
|
|
Perform one of the following:
|
|
|
|
1) Upgrade your vulnerable system to a supported FreeBSD stable or
|
|
release / security branch (releng) dated after the correction date.
|
|
|
|
Reboot is optional but recommended.
|
|
|
|
2) To update your vulnerable system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
|
|
Reboot is optional but recommended.
|
|
|
|
3) To update your vulnerable system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
[FreeBSD 9.3]
|
|
# fetch https://security.FreeBSD.org/patches/SA-15:26/openssl-9.3.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-15:26/openssl-9.3.patch.asc
|
|
# gpg --verify openssl-9.3.patch.asc
|
|
|
|
[FreeBSD 10.1]
|
|
# fetch https://security.FreeBSD.org/patches/SA-15:26/openssl-10.1.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-15:26/openssl-10.1.patch.asc
|
|
# gpg --verify openssl-10.1.patch.asc
|
|
|
|
[FreeBSD 10.2]
|
|
# fetch https://security.FreeBSD.org/patches/SA-15:26/openssl-10.2.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-15:26/openssl-10.2.patch.asc
|
|
# gpg --verify openssl-10.2.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile the operating system using buildworld and installworld as
|
|
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
|
|
|
|
Restart all deamons using the library, or reboot the system.
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/9/ r291722
|
|
releng/9.3/ r291854
|
|
stable/10/ r291721
|
|
releng/10.1/ r291854
|
|
releng/10.2/ r291854
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
<URL:https://www.openssl.org/news/secadv/20151203.txt>
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3194>
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3195>
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3196>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:26.openssl.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: GnuPG v2.1.8 (FreeBSD)
|
|
|
|
iQIcBAEBCgAGBQJWYrWXAAoJEO1n7NZdz2rnLS8QAJvvKkFk/l4lvh34dmy9rGU5
|
|
pEoeR47Mw9KGirjARBwuOerqykBO+2vUPAnOFUMcQTuG4V23s9u2v9T8dO70feu8
|
|
o6eTtYrOyliECEywoGmuKmTVjtpGnXTg5BeAuG6i/C2XphEB+6Qq7eCz64n8TZQN
|
|
NB9emfqE6p0/ndxf3oyrcgw6gLgawmfBH4cWGa07Vd9X2XVc6sPjODDoXmXS8uj3
|
|
xtPNFy7L48YfMAhd6l55hO9qxqTY5Pq8EkvZVWPlCYSET+4FBwIIU6Nwpzgpr8bd
|
|
viTHhwk/pf5wk1rMZzQVbrriQ7vAW4TG6oVsbTHLLC/prNzmTvW2KPqXyWWscRHS
|
|
2HWQ1at/b0brA+0rnzEVMQk/nH2031AuXy8o1gizNJoLItuS9Lp7P6xOPaogqss5
|
|
J1wmaEkWRSItCGlCIJAxiw1dqbk5tH8Isy1Axno7doTKloeLFanhdPoJP5BexLuo
|
|
Vbl7A92xQVJLJKLoklVy3QaiKmcbJ/tdgSeI7e3gP8MDkblvSd6UIvHQfUigrA5B
|
|
JXYQWQgsHpc3tIGaDsbnrkV27O0yUXNipnj8PAEgaknXX5n6Zpyz9Z9Vitfnj1tC
|
|
1LAGo/kW8+L1hAX3W5XgsIOe9jWxae19uTGOoaM8tnVtH5bQpjjdWFE2zunzzfJe
|
|
bCPjBJfZw5z5rvQAkBuY
|
|
=p0x+
|
|
-----END PGP SIGNATURE-----
|