1. Forum
  2. Usenet
  3. COMP.UNIX.BSD.FREEBSD.ANN

  • [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-17:02.openssl

    From FreeBSD Security Advisories@21:1/5 to All on Thu Feb 23 08:00:00 2017
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    ============================================================================= FreeBSD-SA-17:02.openssl Security Advisory
    The FreeBSD Project

    Topic: OpenSSL multiple vulnerabilities

    Category: contrib
    Module: openssl
    Announced: 2017-02-23
    Affects: All supported versions of FreeBSD.
    Corrected: 2017-01-26 19:14:14 UTC (stable/11, 11.0-STABLE)
    2017-02-23 07:11:48 UTC (releng/11.0, 11.0-RELEASE-p8)
    2017-01-27 07:45:06 UTC (stable/10, 10.3-STABLE)
    2017-02-23 07:12:18 UTC (releng/10.3, 10.3-RELEASE-p16)
    CVE Name: CVE-2016-7055, CVE-2017-3731, CVE-2017-3732

    For general information regarding FreeBSD Security Advisories,
    including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

    I. Background

    FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
    a collaborative effort to develop a robust, commercial-grade, full-featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
    and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.

    II. Problem Description

    If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or
    client to perform an out-of-bounds read, usually resulting in a crash. [CVE-2017-3731]

    There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although
    very difficult) because most of the work necessary to deduce information
    about a private key may be performed offline. The amount of resources
    required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in
    a scenario with persistent DH parameters and a private key that is shared between multiple clients. [CVE-2017-3732]

    Montgomery multiplication may produce incorrect results. [CVE-2016-7055]

    III. Impact

    A remote attacker may trigger a crash on servers or clients that supported RC4-MD5. [CVE-2017-3731]

    A remote attacker may be able to deduce information about a private key,
    but that would require enormous amount of resources. [CVE-2017-3732, CVE-2016-7055]

    IV. Workaround

    No workaround is available.

    V. Solution

    Perform one of the following:

    1) Upgrade your vulnerable system to a supported FreeBSD stable or
    release / security branch (releng) dated after the correction date.

    Restart all daemons that use the library, or reboot the system.

    2) To update your vulnerable system via a binary patch:

    Systems running a RELEASE version of FreeBSD on the i386 or amd64
    platforms can be updated via the freebsd-update(8) utility:

    # freebsd-update fetch
    # freebsd-update install

    Restart all daemons that use the library, or reboot the system.

    3) To update your vulnerable system via a source code patch:

    The following patches have been verified to apply to the applicable
    FreeBSD release branches.

    a) Download the relevant patch from the location below, and verify the
    detached PGP signature using your PGP utility.

    [FreeBSD 11.0]
    # fetch https://security.FreeBSD.org/patches/SA-17:02/openssl-11.patch
    # fetch https://security.FreeBSD.org/patches/SA-17:02/openssl-11.patch.asc
    # gpg --verify openssl-11.patch.asc

    [FreeBSD 10.3]
    # fetch https://security.FreeBSD.org/patches/SA-17:02/openssl-10.patch
    # fetch https://security.FreeBSD.org/patches/SA-17:02/openssl-10.patch.asc
    # gpg --verify openssl-10.patch.asc

    b) Apply the patch. Execute the following commands as root:

    # cd /usr/src
    # patch < /path/to/patch

    c) Recompile the operating system using buildworld and installworld as described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

    Restart all daemons that use the library, or reboot the system.

    VI. Correction details

    The following list contains the correction revision numbers for each
    affected branch.

    Branch/path Revision
    - ------------------------------------------------------------------------- stable/10/ r312863 releng/10.3/ r314125 stable/11/ r312826 releng/11.0/ r314126
    - -------------------------------------------------------------------------

    To see which files were modified by a particular revision, run the
    following command, replacing NNNNNN with the revision number, on a
    machine with Subversion installed:

    # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

    Or visit the following URL, replacing NNNNNN with the revision number:

    <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

    VII. References

    <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7055>

    <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3731>

    <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3732>

    <URL:https://www.openssl.org/news/secadv/20170126.txt>

    The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:02.openssl.asc> -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2.1.18 (FreeBSD)

    iQIzBAEBCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAliujOsACgkQ7Wfs1l3P aufZHhAAy8U5oOrLGq0XH8Dumpkyc+bFOmsEh+S1hL6jFL13jUVpDqogZ3w/a7If Hcqiyipx5dbcGbHJayokfimkxPcIYydYQK9NwWaXVlnZifvgWka+KxtcD0u2A8S5 cpTbNl+CALQQqEF3+JmOc4Uq2Dtui0xFG1N5Og4oF5Uo+lvQh4bcJ1UbfhMdq8EG US3hGlJLJJW75m3jkgHyu0o7A0swnNTUQrW9Z0p/3iTiel7fM57d/N1who+kt59V UErXTzMDBT1kkWRne0aTA71gdy3SUeRiVi9/LWggjIRJNyMnQjO3UI2UOIHLLQAG CXcZLPekB87iHZxMAw8oV6b4GIkJhqUFW2ep2AZkUdDZ2Mup9bDrx/0Ik0jHjyQY KEmZDroHvP8z569q+aWfIIpMXPv6zJTnent45U2/q13wMHJwWsADu9ukeWKTw7wI P0Rc3vht+AXbXFi9SjxwdldgrVszV7x8Yi6W9KhHsGqCl6NBCW9Md/PWbNQQUVkq I5tV0WB3pTwOk0yMi3h/okM9VBr1lPDU18W0he5T9wbOh4w0jwFb8AqMu1slst3l 9MlhRfO/4LIDlfRQ/dj4dOfVLZqEd/xleax99yFXZUzibUYrOMlBxNaKvV80plwB Kg2Hr3DJuJa3599kNgXMCNV1lRIOJbJ9dRmX6B0YzMgvxKPIXY4=
    =8Jsr
    -----END PGP SIGNATURE-----
    _______________________________________________
    freebsd-announce@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-announce
    To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)