FB_security board


help

2014-04-08 20:00 GMT+08:00 <[email protected]>:
> Send freebsd-security mailing list submissions to
>     [email protected]
>
> To subscribe or unsubscribe via the World Wide Web, visit
>     http://lists.freebsd.org/mailman/listinfo/freebsd-security
> or, via email, send a message with subject or body 'help' to
>     [email protected]
>
> You can reach the person managing the list at
>     [email protected]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of freebsd-security digest..."
>
>
> Today's Topics:
>
>    1. http://heartbleed.com/ (Thomas Steen Rasmussen)
>    2. Re: http://heartbleed.com/ (Xin Li)
>    3. Re: http://heartbleed.com/ (Mike Tancsa)
>    4. Re: http://heartbleed.com/ (Xin Li)
>    5. Re: http://heartbleed.com/ (Bryan Drewery)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 07 Apr 2014 22:49:54 +0200
> From: Thomas Steen Rasmussen <[email protected]>
> To: [email protected]
> Subject: http://heartbleed.com/
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hello,
>
> http://heartbleed.com/ describes an openssl vulnerability published
> today. We are going to need an advisory for the openssl in base in
> FreeBSD 10 and we are also going to need an updated port.
>
> The implications of this vulnerability are pretty massive,
> certificates will need to be replaced and so on. I don't want to
> repeat the page, so go read that.
>
> Best regards,
>
>
> /Thomas Steen Rasmussen
>
> ps. there is a bit on the openssl site too:
> https://www.openssl.org/news/secadv_20140407.txt
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 07 Apr 2014 14:02:45 -0700
> From: Xin Li <[email protected]>
> To: Thomas Steen Rasmussen <[email protected]>,
>     [email protected]
> Subject: Re: http://heartbleed.com/
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi, Thomas,
>
> On 04/07/14 13:49, Thomas Steen Rasmussen wrote:
> > Hello,
> >
> > http://heartbleed.com/ describes an openssl vulnerability
> > published today. We are going to need an advisory for the openssl
> > in base in FreeBSD 10 and we are also going to need an updated
> > port.
> >
> > The implications of this vulnerability are pretty massive,
> > certificates will need to be replaced and so on. I don't want to
> > repeat the page, so go read that.
>
> We are already working on this but building, reviewing, etc. would
> take some time.
>
> Attached is the minimal fix (extracted from upstream git repository)
> we are intending to use in the advisory for those who want to apply a
> fix now, please DO NOT use any new certificates before applying fixes.
>
> Cheers,
> --
> Xin LI <[email protected]>    https://www.delphij.net/
> FreeBSD - The Power to Serve!           Live free or die
>
> -------------- next part --------------
> Index: crypto/openssl/ssl/d1_both.c
> ===================================================================
> --- crypto/openssl/ssl/d1_both.c        (revision 264059)
> +++ crypto/openssl/ssl/d1_both.c        (working copy)
> @@ -1458,26 +1458,36 @@ dtls1_process_heartbeat(SSL *s) > unsigned int payload; > unsigned int padding = 16; /* Use minimum padding */ > > + if (s->msg_callback) > + s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, > + &s->s3->rrec.data[0], s->s3->rrec.length, > + s, s->msg_callback_arg); > + > /* Read type and payload length first */ > + if (1 + 2 + 16 > s->s3->rrec.length) > + return 0; /* silently discard */ > hbtype = *p++; > n2s(p, payload); > + if (1 + 2 + payload + 16 > s->s3->rrec.length) > + return 0; /* silently discard per RFC 6520 sec. 4 */ > pl = p; > > - if (s->msg_callback) > - s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, > - &s->s3->rrec.data[0], s->s3->rrec.length, > - s, s->msg_callback_arg); > - > if (hbtype == TLS1_HB_REQUEST) > { > unsigned char *buffer, *bp; > + unsigned int write_length = 1 /* heartbeat type */ + > + 2 /* heartbeat length */ + > + payload + padding; > int r; > > + if (write_length > SSL3_RT_MAX_PLAIN_LENGTH) > + return 0; > + > /* Allocate memory for the response, size is 1 byte > * message type, plus 2 bytes payload length, plus > * payload, plus padding > */ > - buffer = OPENSSL_malloc(1 + 2 + payload + padding); > + buffer = OPENSSL_malloc(write_length); > bp = buffer; > > /* Enter response type, length and copy payload */ > @@ -1488,11 +1498,11 @@ dtls1_process_heartbeat(SSL *s) > /* Random padding */ > RAND_pseudo_bytes(bp, padding); > > - r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + > payload + padding); > + r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, > write_length); > > if (r >= 0 && s->msg_callback) > s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, > - buffer, 3 + payload + padding, > + buffer, write_length, > s, s->msg_callback_arg); > > OPENSSL_free(buffer); > Index: crypto/openssl/ssl/t1_lib.c > =================================================================== > --- crypto/openssl/ssl/t1_lib.c (revision 264059) > +++ crypto/openssl/ssl/t1_lib.c (working copy) 
> @@ -2486,16 +2486,20 @@ tls1_process_heartbeat(SSL *s) > unsigned int payload; > unsigned int padding = 16; /* Use minimum padding */ > > + if (s->msg_callback) > + s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, > + &s->s3->rrec.data[0], s->s3->rrec.length, > + s, s->msg_callback_arg); > + > /* Read type and payload length first */ > + if (1 + 2 + 16 > s->s3->rrec.length) > + return 0; /* silently discard */ > hbtype = *p++; > n2s(p, payload); > + if (1 + 2 + payload + 16 > s->s3->rrec.length) > + return 0; /* silently discard per RFC 6520 sec. 4 */ > pl = p; > > - if (s->msg_callback) > - s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, > - &s->s3->rrec.data[0], s->s3->rrec.length, > - s, s->msg_callback_arg); > - > if (hbtype == TLS1_HB_REQUEST) > { > unsigned char *buffer, *bp; > > ------------------------------ > > Message: 3 > Date: Mon, 07 Apr 2014 22:27:09 -0400 
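Review bot: In the first dtls1_process_heartbeat hunk (and the matching tls1_process_heartbeat hunk in t1_lib.c) the `s->msg_callback` call is moved above the two new length checks, so the callback now also sees records that are then silently discarded; that is a reasonable choice for visibility, but it looks unrelated to the bounds fix, so a one-line comment stating that it is intentional would help the next reader. The checks themselves are right: `if (1 + 2 + 16 > s->s3->rrec.length)` guards the header read before `hbtype = *p++;` and `n2s(p, payload);`, and `if (1 + 2 + payload + 16 > s->s3->rrec.length)` rejects a claimed payload length larger than what the record actually carries, which is exactly the over-read this advisory is about.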
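Review bot: The t1_lib.c hunk adds the same two record-length checks but, unlike the d1_both.c version, no `if (write_length > SSL3_RT_MAX_PLAIN_LENGTH)` cap on the response. The bound does follow implicitly, since once `1 + 2 + payload + 16 > s->s3->rrec.length` has returned 0, the response length `3 + payload + padding` with the minimum padding of 16 can be at most `rrec.length`, but that reasoning belongs in a comment so the asymmetry between the two files does not read as an omission.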
> From: Mike Tancsa <[email protected]>
> To: [email protected], [email protected]
> Subject: Re: http://heartbleed.com/
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 4/7/2014 5:02 PM, Xin Li wrote:
> > Hi, Thomas,
> >
> > On 04/07/14 13:49, Thomas Steen Rasmussen wrote:
> >> Hello,
> >>
> >> http://heartbleed.com/ describes an openssl vulnerability
> >> published today. We are going to need an advisory for the openssl
> >> in base in FreeBSD 10 and we are also going to need an updated
> >> port.
> >>
> >> The implications of this vulnerability are pretty massive,
> >> certificates will need to be replaced and so on. I don't want to
> >> repeat the page, so go read that.
> >
> > We are already working on this but building, reviewing, etc. would
> > take some time.
> >
>
> Hi,
>     The webpage lists
>
> FreeBSD 8.4 (OpenSSL 1.0.1e) and 9.1 (OpenSSL 1.0.1c)
>
> I take it this is only if you installed from the ports no ?
>
>     ---Mike
>
>
> --
> -------------------
> Mike Tancsa, tel +1 519 651 3400
> Sentex Communications, [email protected]
> Providing Internet services since 1994 www.sentex.net
> Cambridge, Ontario Canada   http://www.tancsa.com/
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 07 Apr 2014 19:29:18 -0700
> From: Xin Li <[email protected]>
> To: Mike Tancsa <[email protected]>, [email protected],
>     [email protected]
> Subject: Re: http://heartbleed.com/
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On 4/7/14, 7:27 PM, Mike Tancsa wrote:
> > On 4/7/2014 5:02 PM, Xin Li wrote:
> >> Hi, Thomas,
> >>
> >> On 04/07/14 13:49, Thomas Steen Rasmussen wrote:
> >>> Hello,
> >>>
> >>> http://heartbleed.com/ describes an openssl vulnerability
> >>> published today. We are going to need an advisory for the
> >>> openssl in base in FreeBSD 10 and we are also going to need an
> >>> updated port.
> >>>
> >>> The implications of this vulnerability are pretty massive,
> >>> certificates will need to be replaced and so on. I don't want
> >>> to repeat the page, so go read that.
> >>
> >> We are already working on this but building, reviewing, etc.
> >> would take some time.
> >>
> >
> > Hi, The webpage lists
> >
> > FreeBSD 8.4 (OpenSSL 1.0.1e) and 9.1 (OpenSSL 1.0.1c)
> >
> > I take it this is only if you installed from the ports no ?
>
> That's correct. OpenSSL shipped with the base system in these two
> releases are not vulnerable because they don't support the extension.
>
> Cheers,
>
>
> ------------------------------
>
> Message: 5
> Date: Mon, 07 Apr 2014 21:41:25 -0500
> From: Bryan Drewery <[email protected]>
> To: [email protected]
> Subject: Re: http://heartbleed.com/
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> On 4/7/2014 3:49 PM, Thomas Steen Rasmussen wrote:
> > Hello,
> >
> > http://heartbleed.com/ describes an openssl vulnerability published
> > today. We are going to need an advisory for the openssl in base in
> > FreeBSD 10 and we are also going to need an updated port.
> >
> > The implications of this vulnerability are pretty massive,
> > certificates will need to be replaced and so on. I don't want to
> > repeat the page, so go read that.
> >
> > Best regards,
> >
> >
> > /Thomas Steen Rasmussen
> >
> > ps. there is a bit on the openssl site too:
> > https://www.openssl.org/news/secadv_20140407.txt
>
> The port has been updated. 1.0.1_10 has the fix.
>
> --
> Regards,
> Bryan Drewery
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> [email protected] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "[email protected]"
>
> ------------------------------
>
> End of freebsd-security Digest, Vol 482, Issue 1
> ************************************************
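As an added example (my code, not from the thread and not OpenSSL's): a stand-alone model of the record-length checks that Xin Li's patch above adds to tls1_process_heartbeat()/dtls1_process_heartbeat(), run against constructed heartbeat records. The function names (heartbeat_respond, overread_without_check, demo) are mine; the constants mirror TLS1_HB_REQUEST/TLS1_HB_RESPONSE, the 16-byte minimum padding and SSL3_RT_MAX_PLAIN_LENGTH as used in the patch.

```c
/* Added example, not OpenSSL code: model of the length checks in the patch above. Names are mine. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define HB_REQUEST   1      /* TLS1_HB_REQUEST  */
#define HB_RESPONSE  2      /* TLS1_HB_RESPONSE */
#define HB_PADDING   16     /* minimum padding, as in the patch */
#define MAX_PLAIN    16384  /* SSL3_RT_MAX_PLAIN_LENGTH */

/* Record body: type(1) | payload_length(2, big-endian) | payload | padding(>=16).
 * Returns the response length written to out, or 0 when the record is silently
 * discarded (RFC 6520 sec. 4), is not a request, or would not fit. */
size_t heartbeat_respond(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    if (1 + 2 + HB_PADDING > rec_len)            /* header must be present */
        return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];   /* n2s(p, payload) */
    if (1 + 2 + payload + HB_PADDING > rec_len)  /* the Heartbleed check */
        return 0;
    if (rec[0] != HB_REQUEST)
        return 0;
    size_t write_len = 1 + 2 + payload + HB_PADDING;
    if (write_len > MAX_PLAIN || write_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)payload;
    memcpy(out + 3, rec + 3, payload);           /* echo only bytes that exist */
    memset(out + 3 + payload, 0, HB_PADDING);    /* stand-in for RAND_pseudo_bytes */
    return write_len;
}

/* Pre-patch arithmetic: how many bytes past the end of the record the old
 * memcpy(bp, pl, payload) would have read for a claimed payload length. */
size_t overread_without_check(size_t rec_len, size_t claimed)
{
    size_t present = rec_len > 3 ? rec_len - 3 : 0;
    return claimed > present ? claimed - present : 0;
}

/* Constructed sample: a 22-byte request carrying "abc" plus 16 bytes of padding,
 * with payload_length set to `claimed`.  Response lands in demo_out. */
uint8_t demo_out[32];
size_t demo(unsigned claimed)
{
    uint8_t rec[22] = { HB_REQUEST, (uint8_t)(claimed >> 8), (uint8_t)claimed,
                        'a', 'b', 'c' };         /* remaining bytes are zero */
    return heartbeat_respond(rec, sizeof rec, demo_out, sizeof demo_out);
}
```

With the honest length field (3) the request is answered; claiming even one byte more than the record holds, or the 16 KiB a Heartbleed probe would claim, is discarded instead of being echoed from beyond the buffer.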






