Re: FreeBSD Errata Notice FreeBSD-EN-24:08.kerberos
Date: Thu, 28 Mar 2024 14:51:58 UTC
On Thu, Mar 28, 2024 at 1:56 AM FreeBSD Errata Notices <errata-notices@freebsd.org> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> =============================================================================
> FreeBSD-EN-24:08.kerberos                                       Errata Notice
>                                                           The FreeBSD Project
>
> Topic:          Kerberos segfaults when using weak crypto
>
> Category:       contrib
> Module:         heimdal
> Announced:      2024-03-28
> Affects:        FreeBSD 14.0
> Corrected:      2024-01-22 15:49:24 UTC (stable/14, 14.0-STABLE)
>                 2024-03-28 05:06:25 UTC (releng/14.0, 14.0-RELEASE-p6)
>
> For general information regarding FreeBSD Errata Notices and Security
> Advisories, including descriptions of the fields above, security
> branches, and the following sections, please visit
> <URL:https://security.FreeBSD.org/>.
>
> I. Background
>
> FreeBSD includes Heimdal, an implementation of ASN.1/DER, PKIX, and Kerberos.
> It uses OpenSSL to provide a number of cryptographic routines.
>
> II. Problem Description
>
> Weak crypto is provided by the openssl "legacy" provider which is not loaded
> by default.
>
> III. Impact
>
> Attempting to use weak crypto routines when the legacy provider is not loaded
> results in the application crashing.
>
> IV. Workaround
>
> Edit /etc/ssl/openssl.cnf to load the legacy provider unconditionally.
>
> V. Solution
>
> Upgrade your system to a supported FreeBSD stable or release / security
> branch (releng) dated after the correction date.
>
> Perform one of the following:
>
> 1) To update your system via a binary patch:
>
> Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
> or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
> utility:
>
> # freebsd-update fetch
> # freebsd-update install
>
> 2) To update your system via a source code patch:
>
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch https://security.FreeBSD.org/patches/EN-24:08/kerberos.patch
> # fetch https://security.FreeBSD.org/patches/EN-24:08/kerberos.patch.asc
> # gpg --verify kerberos.patch.asc
>
> b) Apply the patch. Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile the operating system using buildworld and installworld as
> described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
>
> Restart all daemons that use the library, or reboot the system.
>
> VI. Correction details
>
> This issue is corrected as of the corresponding Git commit hash in the
> following stable and release branches:
>
> Branch/path                             Hash                     Revision
> - -------------------------------------------------------------------------
> stable/14/                              c7db2e15e404       stable/14-n266467
> releng/14.0/                            c48fe39ad139     releng/14.0-n265415
> - -------------------------------------------------------------------------
>
> Run the following command to see which files were modified by a
> particular commit:
>
> # git show --stat <commit hash>
>
> Or visit the following URL, replacing NNNNNN with the hash:
>
> <URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
>
> To determine the commit count in a working tree (for comparison against
> nNNNNNN in the table above), run:
>
> # git rev-list --count --first-parent HEAD
>
> VII. References
>
> <other info on the problem>
>
> <URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272835>
>
> The latest revision of this advisory is available at
> <URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-24:08.kerberos.asc>
> -----BEGIN PGP SIGNATURE-----
>
> iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmYFGawACgkQbljekB8A
> Gu9Euw/+LX8qcrGUvA11MNOVemD+SEH/Ol97L4gLHhzGlWSf3VMq5F1KtY0VRwGK
> ykM3VsSAk3PoYHLn+jbHPuAMjJVym+MLg27ZZWlqnx2Z7/wk2KuAb9RVCUl4FnPy
> eTXzBNt3tCSYa2ZCRWEH+uN6dZh4o8VP0DWfrNdaazH7R7ezRmTzirvcQ39MXTcE
> 8wI+zQedVZG4OSuqOSFY21d70nlzqgs6ThY3K6KrtcaQGfenYBSQgFmjMJlBqtrb
> Mr1Yvgc+wE66Ara/Hz+/2L11bwjyFwT1dpO57DKrcyTaGTnSYiDQiDscUIAW0gCh
> bUMCgWCHq+kk7pAyUIMlRbdrA/6N/wmvwP/iO6GGxYmN0lNX8udxeZWz3OPPnbif
> anM5OGnvKFkkTzCqnpHumljolvJL0/VeD7XCNBBgWa1I46gFmmNZ7R2esm7UEdU8
> IR4Hk9EqGhfl+EwU7OW04/Hq3br667kXbVsq1TTVM4ht39K+WhVoxzirp7QzOGTJ
> WjRq6DK+44PyhQgnnAJgM/4gOGr5O/Y3ezRx4uj1S9L9faXTC5xlT8Vw78xU2wXq
> BjG7vXi5r9d4POjtRcNiaMVKXQPF/saGjHcPGrGnuBLC8AFG54bFycmvM5QzWqng
> AeRFOg+O8lkxLoQMDqJsNt8OMIk7vZHguwL7pt0tRtouuoaszU0=
> =UnED
> -----END PGP SIGNATURE-----

Cherry-picking the suggested hash doesn't work. It produces a merge conflict. It looks like a second change is needed too: aaf2c7fdb81a1dd9de9fc77c9313f4e60e68fa76. Should we update the advisory to include both?
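Section IV of the quoted notice says the workaround is to edit /etc/ssl/openssl.cnf so the OpenSSL "legacy" provider is loaded unconditionally, but it does not show what that looks like or how an administrator would confirm it on a fleet of hosts. The script below is an added example; it is not part of the errata notice, the reply, or the FreeBSD source tree. It writes two constructed openssl.cnf samples to a temporary directory (the default-only layout and the workaround layout, both using the OpenSSL 3 provider-section syntax) and a small parser that follows the openssl_conf -> providers -> legacy section chain and reports whether the legacy section actually sets activate = 1. The helper names cnf_get and legacy_provider_active and the sample file contents are this example's own.

```shell
#!/bin/sh
# Added example (not from the errata notice or the FreeBSD tree): check whether
# an OpenSSL 3 openssl.cnf activates the "legacy" provider, which is what the
# section-IV workaround in EN-24:08 asks for. The two config files written
# below are constructed samples, not copies of any real /etc/ssl/openssl.cnf.

# cnf_get FILE SECTION KEY: print the value of KEY inside [SECTION].
# SECTION "" means the unnamed top-level section. Comment lines are skipped.
cnf_get() {
    awk -v sect="$2" -v key="$3" '
        /^[ \t]*#/ { next }
        /^[ \t]*\[/ {
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            cur = s; next
        }
        cur == sect && index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }
    ' "$1"
}

# legacy_provider_active FILE: follow openssl_conf -> providers -> legacy and
# succeed (exit 0) only if the referenced legacy section sets "activate = 1".
legacy_provider_active() {
    init=$(cnf_get "$1" "" openssl_conf)
    [ -n "$init" ] || return 1
    prov=$(cnf_get "$1" "$init" providers)
    [ -n "$prov" ] || return 1
    legacy=$(cnf_get "$1" "$prov" legacy)
    [ -n "$legacy" ] || return 1
    [ "$(cnf_get "$1" "$legacy" activate)" = "1" ]
}

WORK=$(mktemp -d)
DEFAULT_CNF="$WORK/default.cnf"
WORKAROUND_CNF="$WORK/workaround.cnf"

# Constructed sample 1: only the default provider is activated. A Heimdal call
# that needs a weak (legacy) algorithm finds no provider and, per the notice,
# the application crashes.
cat > "$DEFAULT_CNF" <<'EOF'
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect

[default_sect]
activate = 1
EOF

# Constructed sample 2: the section-IV workaround, loading the legacy provider
# unconditionally alongside the default provider.
cat > "$WORKAROUND_CNF" <<'EOF'
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
EOF

for f in "$DEFAULT_CNF" "$WORKAROUND_CNF"; do
    if legacy_provider_active "$f"; then
        echo "$f: legacy provider activated"
    else
        echo "$f: legacy provider NOT activated"
    fi
done
```

Pointing legacy_provider_active at the real /etc/ssl/openssl.cnf gives a quick audit of whether the workaround is in place on a host that has not yet been updated past the correction date; once the configuration is edited, `openssl list -providers` on the host shows whether the legacy provider is really loaded at runtime. The parser deliberately follows the section references rather than grepping for "legacy", so a commented-out or unreferenced [legacy_sect] is correctly reported as not active.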