Re: FreeBSD Security Advisory FreeBSD-SA-24:03.unbound
- In reply to: Wall, Stephen: "RE: FreeBSD Security Advisory FreeBSD-SA-24:03.unbound"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 19 Apr 2024 15:46:42 UTC
You are likely on your own here. I’m surprised the base system kinit ever worked with OpenSSL in FIPS mode. Given the age of the Heimdal code (and I believe dependence on algorithms that should be deprecated), I would strongly suggest looking at Kerberos in ports as a path forward as they will likely be better supported with modern crypto. Gordon > On Apr 19, 2024, at 08:12, Wall, Stephen <stephen.wall@redcom.com> wrote: > > >> >> FreeBSD-SA-24:03.unbound Security Advisory >> >> Topic: Multiple vulnerabilities in unbound > > Since upgrading to p6 in response to this SA, we've found that kinit has started > failing for us. This looks to be due to aaf2c7fdb8 [1], when it attempts to load > the legacy OpenSSL provider, which we do not install on our systems. > Furthermore, it loads the default provider as well, which we specifically do not > load when systems are configured for FIPS operation. > > What is our exposure if we simple revert this commit? Are there any CVE's > associated with it? Is there a way to disable the ciphers at build time that > can trigger the segfaults? > > Or am I on my own resolving this because we do not use the legacy provider (I.e. > not a default system)? > > Thanks for your consideration. > > - Steve Wall > > [1] https://cgit.freebsd.org/src/commit/?h=releng/14.0&id=aaf2c7fdb81a1dd9de9fc77c9313f4e60e68fa76