freebsd security - Jul 2008 - OpenSSL warning from dns/bind95 build...?

Hi, all--

Apropos of this security issue with BIND, I just tried updating a  
FreeBSD-6.3-STABLE system with dns/bind95, and it loudly complains  
about the OpenSSL version which comes with the system:
> [ ... ]
> config.status: creating include/isc/platform.h
> config.status: creating config.h
> WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING  
> WARNING WARNING
> WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING  
> WARNING WARNING
> WARNING 
>                                                                   
> WARNING
> WARNING         Your OpenSSL crypto library may be vulnerable  
> to        WARNING
> WARNING         one or more of the the following known  
> security         WARNING
> WARNING          
> flaws:                                                  WARNING
> WARNING 
>                                                                   
> WARNING
> WARNING         CAN-2002-0659, CAN-2006-4339, CVE-2006-2937  
> and         WARNING
> WARNING          
> CVE-2006-2940.                                          WARNING
> WARNING 
>                                                                   
> WARNING
> WARNING         It is recommended that you upgrade to  
> OpenSSL           WARNING
> WARNING         version 0.9.8d/0.9.7l (or  
> greater).                     WARNING
> WARNING 
>                                                                   
> WARNING
> WARNING         You can disable this warning by  
> specifying:             WARNING
> WARNING 
>                                                                   
> WARNING
> WARNING               --disable-openssl-version-check           
> 	        WARNING
> WARNING 
>                                                                   
> WARNING
> WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING  
> WARNING WARNING
> WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING  
> WARNING WARNING
> ===>  Building for bind95-base-9.5.0.1
Is the version of OpenSSL now included with RELENG_6 (OpenSSL 0.9.7e- 
p1) OK, or is it at risk as reported?

Regards,
-- 
-Chuck

Chuck Swiger wrote:
> Hi, all--
> 
> Apropos of this security issue with BIND, I just tried updating a 
> FreeBSD-6.3-STABLE system with dns/bind95, and it loudly complains about 
> the OpenSSL version which comes with the system:
[snip]
> Is the version of OpenSSL now included with RELENG_6 (OpenSSL 0.9.7e-p1) 
> OK, or is it at risk as reported?
You're better off upgrading using the version in 
ports/security/openssl and adding WITH_OPENSSL_PORT to /etc/make.conf.

hth,

Doug

-- 

     This .signature sanitized for your protection

On 2008.07.11 13:14:09 -0700, Chuck Swiger wrote:

[quote edited to contain important part]
>> WARNING         Your OpenSSL crypto library may be vulnerable to
>> WARNING         one or more of the the following known security
>> WARNING         flaws:
>> WARNING
>> WARNING         CAN-2002-0659, CAN-2006-4339, CVE-2006-2937 and
>> WARNING         CVE-2006-2940.
>> WARNING
[...]
> Is the version of OpenSSL now included with RELENG_6 (OpenSSL 0.9.7e-p1)
> OK, or is it at risk as reported?
Just so there is no doubt - the base system OpenSSL isn't actually
vulnerable to those issues.  They were fixed in SA-02:33.openssl,
FreeBSD-SA-06:19.openssl, and FreeBSD-SA-06:23.openssl.

The BIND build system just has no way to see this since they were
patched instead of upgraded.

--
Simon L. Nielsen
Hats: Base system OpenSSL janitor and FreeBSD Security Team