FreeBSD Errata Notices
2015-Feb-25 06:29 UTC
[FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-15:02.openssl
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================FreeBSD-EN-15:02.openssl Errata Notice The FreeBSD Project Topic: OpenSSL update Category: contrib Module: openssl Announced: 2015-02-25 Affects: All supported versions of FreeBSD. Corrected: 2015-01-23 19:14:36 UTC (stable/10, 10.1-STABLE) 2015-02-25 05:56:16 UTC (releng/10.1, 10.1-RELEASE-p6) 2015-02-25 05:56:16 UTC (releng/10.0, 10.0-RELEASE-p18) 2015-01-09 01:11:43 UTC (stable/9, 9.3-STABLE) 2015-02-25 05:56:54 UTC (releng/9.3, 9.3-RELEASE-p10) 2015-01-09 01:11:43 UTC (stable/8, 8.4-STABLE) 2015-02-25 05:56:54 UTC (releng/8.4, 8.4-RELEASE-p24) For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.freebsd.org/>. I. Background FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. II. Problem Description The OpenSSL software bundled with the FreeBSD base system has been diverged due to various security advisories in the past and some reliability fixes were not merged. III. Impact Divergence in the cryptographic code makes it harder to review changes, and running unique code exposes users who run FreeBSD to possible unique bugs, if there is any. IV. Workaround No workaround is available, but systems that do not use base system OpenSSL for public facing services are not affected. V. Solution Perform one of the following: 1) Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your present system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 3) To update your present system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 8.4] # fetch https://security.FreeBSD.org/patches/EN-15:02/openssl-8.4.patch # fetch https://security.FreeBSD.org/patches/EN-15:02/openssl-8.4.patch.asc [FreeBSD 9.3] # fetch https://security.FreeBSD.org/patches/EN-15:02/openssl-9.3.patch # fetch https://security.FreeBSD.org/patches/EN-15:02/openssl-9.3.patch.asc [FreeBSD 10.0] # fetch https://security.FreeBSD.org/patches/EN-15:02/openssl-10.0.patch # fetch https://security.FreeBSD.org/patches/EN-15:02/openssl-10.0.patch.asc [FreeBSD 10.1] # fetch https://security.FreeBSD.org/patches/EN-15:02/openssl-10.1.patch # fetch https://security.FreeBSD.org/patches/EN-15:02/openssl-10.1.patch.asc # gpg --verify XXXX.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. Restart all deamons using the library, or reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/8/ r276865 releng/8.4/ r279265 stable/9/ r276865 releng/9.3/ r279265 stable/10/ r277597 releng/10.0/ r279264 releng/10.1/ r279264 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> VII. References The latest revision of this Errata Notice is available at https://security.FreeBSD.org/advisories/FreeBSD-EN-15:02.openssl.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.1.1 (FreeBSD) iQIcBAEBCgAGBQJU7WjCAAoJEO1n7NZdz2rnqScP/0nfy96IWKzt6GdHXIF7rgSl yNF9xCfsG0jYgL2B7eLOmLyqT4+P5kEgarTCncjtDh/YEtfx/xXTseCPCAbVGmre qhYQ/8J05bmw4vkFUxUtQAt0Kn2e911IfU1BM1J9/7sO39iBZkrbTf+mQ3zbuHP/ 0Iluz0vQY4N5qrStywr34Qy3UVzh06YmrNYGryxn+vw4FmGMp0eMeX7SGHO1saAI Rwe8Q2nArl1pIffMtbB84MU8GphIS9td5U3w7+wJ94r7s9bXULIvKwd91H8+A8sW njmldZLs4L192Ez7NoL25+uz0AdB0R2Flb9iDwTxDyvuudQeZR0qJAfXU/sbsa6r PFt41UCV1ZJA0d+N8GG1X2lHBkaw5LWcV5GNKAFwGj659ycYqRndpPhjviM1WLJs s/zlhM/0z3iFC5EZn0z1oNf8W0AhxGMrGG9EdFLGFE1w0U6BqPujqdZMBoey0y+Q 00O0APcQENNo4jr8xBg/ykzA7cbCao48nbPDOWiY2SLiB+HLdbafapPimndyF0nf JxOe973UzZVRg+mdni3I6MriK1uaTAjMzNYD5x0avoResocrJKwZVUswNOJV1ONs gvTvmAAYHGvDXeiV8YP1nb2+G8dusljawRkkY2Hg0yBH6PS+qKfMfCq+UEQ5ewdc L7YxxXDEwrBgtAkv5A5z =xouA -----END PGP SIGNATURE-----