From: Gordon Tetlow <gordon@tetlows.org>
To: "Wall, Stephen"
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-24:03.unbound
Date: Fri, 19 Apr 2024 08:46:42 -0700
List-Id: Security issues
List-Archive: https://lists.freebsd.org/archives/freebsd-security

You are likely on your own here. I'm surprised the base system kinit ever worked with OpenSSL in FIPS mode. Given the age of the Heimdal code (and I believe dependence on algorithms that should be deprecated), I would strongly suggest looking at Kerberos in ports as a path forward as they will likely be better supported with modern crypto.

Gordon

> On Apr 19, 2024, at 08:12, Wall, Stephen wrote:
>
>>
>> FreeBSD-SA-24:03.unbound Security Advisory
>>
>> Topic: Multiple vulnerabilities in unbound
>
> Since upgrading to p6 in response to this SA, we've found that kinit has started
> failing for us. This looks to be due to aaf2c7fdb8 [1], when it attempts to load
> the legacy OpenSSL provider, which we do not install on our systems.
> Furthermore, it loads the default provider as well, which we specifically do not
> load when systems are configured for FIPS operation.
>
> What is our exposure if we simply revert this commit? Are there any CVEs
> associated with it? Is there a way to disable the ciphers at build time that
> can trigger the segfaults?
>
> Or am I on my own resolving this because we do not use the legacy provider (i.e.
> not a default system)?
>
> Thanks for your consideration.
>
> - Steve Wall
>
> [1] https://cgit.freebsd.org/src/commit/?h=releng/14.0&id=aaf2c7fdb81a1dd9de9fc77c9313f4e60e68fa76