help
2014-04-08 20:00 GMT+08:00 <freebsd-security-request at freebsd.org>:
> Send freebsd-security mailing list submissions to
> freebsd-security at freebsd.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> or, via email, send a message with subject or body 'help' to
> freebsd-security-request at freebsd.org
>
> You can reach the person managing the list at
> freebsd-security-owner at freebsd.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of freebsd-security digest..."
>
>
> Today's Topics:
>
> 1. http://heartbleed.com/ (Thomas Steen Rasmussen)
> 2. Re: http://heartbleed.com/ (Xin Li)
> 3. Re: http://heartbleed.com/ (Mike Tancsa)
> 4. Re: http://heartbleed.com/ (Xin Li)
> 5. Re: http://heartbleed.com/ (Bryan Drewery)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 07 Apr 2014 22:49:54 +0200
> From: Thomas Steen Rasmussen <thomas at gibfest.dk>
> To: freebsd-security at freebsd.org
> Subject: http://heartbleed.com/
> Message-ID: <53430F72.1040307 at gibfest.dk>
> Content-Type: text/plain; charset=ISO-8859-1
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello,
>
> http://heartbleed.com/ describes an openssl vulnerability published
> today. We are going to need an advisory for the openssl in base in
> FreeBSD 10 and we are also going to need an updated port.
>
> The implications of this vulnerability are pretty massive,
> certificates will need to be replaced and so on. I don't want to
> repeat the page, so go read that.
>
> Best regards,
>
>
> /Thomas Steen Rasmussen
>
> ps. there is a bit on the openssl site too:
> https://www.openssl.org/news/secadv_20140407.txt
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.22 (MingW32)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIcBAEBAgAGBQJTQw9yAAoJEHcv938JcvpYcFgP/iH3j6n7PgkCwSsN3qG9F37c
> A6TOGbKudIeJdO76YXiU2T+FjbMThB86KuSan2iTM4h5wTLENVLvafJmBJtIKRH8
> bMZUqsUONYBSd4HpZKxbg9s8Yfy2gU0dTbs10OZ/dZw6qEr5Pd0WK6BDZ5h0ggTj
> 0gF4r+FHWAe/8GgxOnfVEcmyMa+VUB46ZMmpwlCC3SG0wMAs/LJHORyl283OqyT5
> fwNfeDjInsPAgZORdR2+PZTgshwL0ogOINyGSKrLV1psQg2hEMgRT4GvO37IlhHS
> qstYleB0yLiq9ayRFyj3mg2/OMq7/26ft09fHeF19VjnysClxT7lwZEaPDkbxH7j
> qC1rpo1yeGuBPPdFnjbZVP5rxLR1jnQZFgTwOafjjock8ZW1ktUXOg1Upe276sv9
> NrPmNzDUkuMp7tlYEuDC2MsxQNSjeCo86FdMGCH+/c+DbRqBidELFH8SYEgzK2kj
> TiT8tmBjdLC8PL+1SvBV4hLgapFJp2nvXsxyuJc2teRntKdgjFObQPEzb+iM/zFA
> mSOjuGUh28qABlqQ32B04VDBOQRUs6zWDe0cssspajqfx7T7wVaE1FGBDUUt0QkN
> B45cs2ql0OG5XB03GLsJv0tSdymzwohlBmoqmA08mKVWILFdkL/zzSY8Mw0oTfUa
> GWD5kOI/wytuF5svXFnP
> =gj4I
> -----END PGP SIGNATURE-----
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 07 Apr 2014 14:02:45 -0700
> From: Xin Li <delphij at delphij.net>
> To: Thomas Steen Rasmussen <thomas at gibfest.dk>,
> freebsd-security at freebsd.org
> Subject: Re: http://heartbleed.com/
> Message-ID: <53431275.4080906 at delphij.net>
> Content-Type: text/plain; charset="iso-8859-1"
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi, Thomas,
>
> On 04/07/14 13:49, Thomas Steen Rasmussen wrote:
> > Hello,
> >
> > http://heartbleed.com/ describes an openssl vulnerability
> > published today. We are going to need an advisory for the openssl
> > in base in FreeBSD 10 and we are also going to need an updated
> > port.
> >
> > The implications of this vulnerability are pretty massive,
> > certificates will need to be replaced and so on. I don't want to
> > repeat the page, so go read that.
>
> We are already working on this but building, reviewing, etc. would
> take some time.
>
> Attached is the minimal fix (extracted from upstream git repository)
> we are intending to use in the advisory for those who want to apply a
> fix now, please DO NOT use any new certificates before applying fixes.
>
> Cheers,
> - --
> Xin LI <delphij at delphij.net> https://www.delphij.net/
> FreeBSD - The Power to Serve! Live free or die
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.22 (FreeBSD)
>
> iQIcBAEBCgAGBQJTQxJ1AAoJEJW2GBstM+nsz6AP/2m28eIzuF/JFhyZB7rkLAZR
> vP9P0Tu1Vupwd6FN5X9m1O4t5ORhMfn5Y8SuxemHPg8NncaEptg43rs+TED4ucGd
> ulyFLJsAZtCDlTTVRAuhp3PfvNllBcoG6a+sWg0qjDqxnzWpPZShCP8ay9g/3q4W
> ceYJigXyi7KtKuNlc2YXlC5CA5NpKV9zsc0KhZj/PIq9qLiv+JYUriz1BRE8J+5P
> CusO3usNgwHFx0XppMQRXxg/iSYnqs/YM6btENgsOBlRsCJkfSPbxE1z6Vmp0h27
> mOWiBLIOOR97WfYHCUHUHg+1bpJKz6VXUDHbNjjoaaLWg2D4HCkqgm45mgKZBHwh
> 6SZUR90WthBbbFwJ3vY+wdARBO1V3RBg64ACZfYEIimqtGKZ5VaJgmYFLZc33RQr
> O6Gpt7KeiwxaPYe/18zIiBULKeGBtQXettKpw4KOrkKSfnZePNxQIiqQmzLmfzXW
> VwgRYlAAhjmv/ROCdnQJiKQKnloo9xUEPtk1ngmw6ThJJuDGS+Mcm1pWwbvMPF5/
> cWXprDXW4/Hws8GCXbZxYRrC0xQ0zDL+K589H/3pTWV5ijnI/CpM1gzvd0NH/H4+
> LQNILNJ+p2Uhp3D7yoz1bQC8gV2XeXROeNGEuY3VRyNbnv3z65mjWry/4QZo+kp6
> NcKVrUpKLG4odhL7BXBF
> =7rU5
> -----END PGP SIGNATURE-----
> -------------- next part --------------
> Index: crypto/openssl/ssl/d1_both.c
> ==================================================================> ---
crypto/openssl/ssl/d1_both.c (revision 264059)
> +++ crypto/openssl/ssl/d1_both.c (working copy)
> @@ -1458,26 +1458,36 @@ dtls1_process_heartbeat(SSL *s)
> unsigned int payload;
> unsigned int padding = 16; /* Use minimum padding */
>
> + if (s->msg_callback)
> + s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
> + &s->s3->rrec.data[0],
s->s3->rrec.length,
> + s, s->msg_callback_arg);
> +
> /* Read type and payload length first */
> + if (1 + 2 + 16 > s->s3->rrec.length)
> + return 0; /* silently discard */
> hbtype = *p++;
> n2s(p, payload);
> + if (1 + 2 + payload + 16 > s->s3->rrec.length)
> + return 0; /* silently discard per RFC 6520 sec. 4 */
> pl = p;
>
> - if (s->msg_callback)
> - s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
> - &s->s3->rrec.data[0],
s->s3->rrec.length,
> - s, s->msg_callback_arg);
> -
> if (hbtype == TLS1_HB_REQUEST)
> {
> unsigned char *buffer, *bp;
> + unsigned int write_length = 1 /* heartbeat type */ +
> + 2 /* heartbeat length */ +
> + payload + padding;
> int r;
>
> + if (write_length > SSL3_RT_MAX_PLAIN_LENGTH)
> + return 0;
> +
> /* Allocate memory for the response, size is 1 byte
> * message type, plus 2 bytes payload length, plus
> * payload, plus padding
> */
> - buffer = OPENSSL_malloc(1 + 2 + payload + padding);
> + buffer = OPENSSL_malloc(write_length);
> bp = buffer;
>
> /* Enter response type, length and copy payload */
> @@ -1488,11 +1498,11 @@ dtls1_process_heartbeat(SSL *s)
> /* Random padding */
> RAND_pseudo_bytes(bp, padding);
>
> - r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 +
> payload + padding);
> + r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer,
> write_length);
>
> if (r >= 0 && s->msg_callback)
> s->msg_callback(1, s->version,
TLS1_RT_HEARTBEAT,
> - buffer, 3 + payload + padding,
> + buffer, write_length,
> s, s->msg_callback_arg);
>
> OPENSSL_free(buffer);
> Index: crypto/openssl/ssl/t1_lib.c
> ==================================================================> ---
crypto/openssl/ssl/t1_lib.c (revision 264059)
> +++ crypto/openssl/ssl/t1_lib.c (working copy)
> @@ -2486,16 +2486,20 @@ tls1_process_heartbeat(SSL *s)
> unsigned int payload;
> unsigned int padding = 16; /* Use minimum padding */
>
> + if (s->msg_callback)
> + s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
> + &s->s3->rrec.data[0],
s->s3->rrec.length,
> + s, s->msg_callback_arg);
> +
> /* Read type and payload length first */
> + if (1 + 2 + 16 > s->s3->rrec.length)
> + return 0; /* silently discard */
> hbtype = *p++;
> n2s(p, payload);
> + if (1 + 2 + payload + 16 > s->s3->rrec.length)
> + return 0; /* silently discard per RFC 6520 sec. 4 */
> pl = p;
>
> - if (s->msg_callback)
> - s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
> - &s->s3->rrec.data[0],
s->s3->rrec.length,
> - s, s->msg_callback_arg);
> -
> if (hbtype == TLS1_HB_REQUEST)
> {
> unsigned char *buffer, *bp;
>
> ------------------------------
>
> Message: 3
> Date: Mon, 07 Apr 2014 22:27:09 -0400
> From: Mike Tancsa <mike at sentex.net>
> To: d at delphij.net, freebsd-security at freebsd.org
> Subject: Re: http://heartbleed.com/
> Message-ID: <53435E7D.5000801 at sentex.net>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 4/7/2014 5:02 PM, Xin Li wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA512
> >
> > Hi, Thomas,
> >
> > On 04/07/14 13:49, Thomas Steen Rasmussen wrote:
> >> Hello,
> >>
> >> http://heartbleed.com/ describes an openssl vulnerability
> >> published today. We are going to need an advisory for the openssl
> >> in base in FreeBSD 10 and we are also going to need an updated
> >> port.
> >>
> >> The implications of this vulnerability are pretty massive,
> >> certificates will need to be replaced and so on. I don't want
to
> >> repeat the page, so go read that.
> >
> > We are already working on this but building, reviewing, etc. would
> > take some time.
> >
>
> Hi,
> The webpage lists
>
> FreeBSD 8.4 (OpenSSL 1.0.1e) and 9.1 (OpenSSL 1.0.1c)
>
> I take it this is only if you installed from the ports no ?
>
> ---Mike
>
>
>
>
> --
> -------------------
> Mike Tancsa, tel +1 519 651 3400
> Sentex Communications, mike at sentex.net
> Providing Internet services since 1994 www.sentex.net
> Cambridge, Ontario Canada http://www.tancsa.com/
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 07 Apr 2014 19:29:18 -0700
> From: Xin Li <delphij at delphij.net>
> To: Mike Tancsa <mike at sentex.net>, d at delphij.net,
> freebsd-security at freebsd.org
> Subject: Re: http://heartbleed.com/
> Message-ID: <53435EFE.4010103 at delphij.net>
> Content-Type: text/plain; charset=ISO-8859-1
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On 4/7/14, 7:27 PM, Mike Tancsa wrote:
> > On 4/7/2014 5:02 PM, Xin Li wrote:
> >> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
> >>
> >> Hi, Thomas,
> >>
> >> On 04/07/14 13:49, Thomas Steen Rasmussen wrote:
> >>> Hello,
> >>>
> >>> http://heartbleed.com/ describes an openssl vulnerability
> >>> published today. We are going to need an advisory for the
> >>> openssl in base in FreeBSD 10 and we are also going to need an
> >>> updated port.
> >>>
> >>> The implications of this vulnerability are pretty massive,
> >>> certificates will need to be replaced and so on. I don't
want
> >>> to repeat the page, so go read that.
> >>
> >> We are already working on this but building, reviewing, etc.
> >> would take some time.
> >>
> >
> > Hi, The webpage lists
> >
> > FreeBSD 8.4 (OpenSSL 1.0.1e) and 9.1 (OpenSSL 1.0.1c)
> >
> > I take it this is only if you installed from the ports no ?
>
> That's correct. OpenSSL shipped with the base system in these two
> releases are not vulnerable because they don't support the extension.
>
> Cheers,
>
> -----BEGIN PGP SIGNATURE-----
>
> iQIcBAEBCgAGBQJTQ179AAoJEJW2GBstM+nsIa4P/RAXDidWzc01T2ghX4uNFtod
> C2Wd2k2B6i24LcV3PPub6dQjRI9sMxh9Q/7bIqXctThJ41U9s44P7Zvf6T7Xh/LY
> YM4FBAFKNiMC+WZsS78pGW6pYIULml66El7sb/G6DNOzjezWlD3MwnPo2S0nibQJ
> BDJ0pU3BH0A2rvyDWmF7aAveJtEuFPCCovytadStHiFZk3nKMwdN0ariLVq8JFlU
> s5uqf0rWRXuYIIJ2/Fv9XxUHWi0RrvyXojfdPVNIhEppmdswCzxyb+PLOBbWuZZp
> 9ma/ELuo8VJmmsP2A0zX2PriejfFtTR7vXP8V3VwP8RvS2YRFH44Bmyllxn2eYYI
> HbemABH2A5rCiMbEu32AGX7i1HikWScwKNIEJbK35BEIb9g3UGRFuxeRw9J6mTyd
> 44hMRO1YeyHv/nuSQ+g+d+nzB1dBYSq7YbG5UAPs0v+5fbnoPTU/28olKx1br83H
> BZdO+y8VUppNnRWL2wvnsbd1M8/nGABNBD9tco9ftlN0jUpFtSXkPEt20JWwZS/l
> HiD328EnTJKgB5nllizsCDIgaTDUYMeH6Bf8QJ54t+Cfu6sS1YYCv2/ycu5tKfqv
> yRU6ypV82kye/fRBkFj4JwCOXcPozm+9uPAG9bk1355w+EyKmMrba79BvwtQ+uUj
> PXJpfmZifPnNDBTXrg2d
> =FDDO
> -----END PGP SIGNATURE-----
>
>
> ------------------------------
>
> Message: 5
> Date: Mon, 07 Apr 2014 21:41:25 -0500
> From: Bryan Drewery <bdrewery at FreeBSD.org>
> To: freebsd-security at freebsd.org
> Subject: Re: http://heartbleed.com/
> Message-ID: <534361D5.6070109 at FreeBSD.org>
> Content-Type: text/plain; charset="iso-8859-1"
>
> On 4/7/2014 3:49 PM, Thomas Steen Rasmussen wrote:
> > Hello,
> >
> > http://heartbleed.com/ describes an openssl vulnerability published
> > today. We are going to need an advisory for the openssl in base in
> > FreeBSD 10 and we are also going to need an updated port.
> >
> > The implications of this vulnerability are pretty massive,
> > certificates will need to be replaced and so on. I don't want to
> > repeat the page, so go read that.
> >
> > Best regards,
> >
> >
> > /Thomas Steen Rasmussen
> >
> > ps. there is a bit on the openssl site too:
> > https://www.openssl.org/news/secadv_20140407.txt
>
> The port has been updated. 1.0.1_10 has the fix.
>
> --
> Regards,
> Bryan Drewery
>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: signature.asc
> Type: application/pgp-signature
> Size: 553 bytes
> Desc: OpenPGP digital signature
> URL: <
>
http://lists.freebsd.org/pipermail/freebsd-security/attachments/20140407/07e15f81/attachment-0001.sig
> >
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at
freebsd.org
> "
>
> ------------------------------
>
> End of freebsd-security Digest, Vol 482, Issue 1
> ************************************************
>