From: Alan Somers
Date: Thu, 28 Mar 2024 08:51:58 -0600
Subject: Re: FreeBSD Errata Notice FreeBSD-EN-24:08.kerberos
To: freebsd-stable@freebsd.org
In-Reply-To: <20240328075045.EFBA13437@freefall.freebsd.org>
List-Id: Production branch of FreeBSD source code
List-Archive: https://lists.freebsd.org/archives/freebsd-stable

On Thu, Mar 28, 2024 at 1:56 AM FreeBSD Errata Notices wrote:
>
> =============================================================================
> FreeBSD-EN-24:08.kerberos                                       Errata Notice
>                                                           The FreeBSD Project
>
> Topic:          Kerberos segfaults when using weak crypto
>
> Category:       contrib
> Module:         heimdal
> Announced:      2024-03-28
> Affects:        FreeBSD 14.0
> Corrected:      2024-01-22 15:49:24 UTC (stable/14, 14.0-STABLE)
>                 2024-03-28 05:06:25 UTC (releng/14.0, 14.0-RELEASE-p6)
>
> For general information regarding FreeBSD Errata Notices and Security
> Advisories, including descriptions of the fields above, security
> branches, and the following sections, please visit
> .
>
> I.   Background
>
> FreeBSD includes Heimdal, an implementation of ASN.1/DER, PKIX, and Kerberos.
> It uses OpenSSL to provide a number of cryptographic routines.
>
> II.  Problem Description
>
> Weak crypto is provided by the openssl "legacy" provider which is not loaded
> by default.
>
> III. Impact
>
> Attempting to use weak crypto routines when the legacy provider is not loaded
> results in the application crashing.
>
> IV.  Workaround
>
> Edit /etc/ssl/openssl.cnf to load the legacy provider unconditionally.
>
> V.   Solution
>
> Upgrade your system to a supported FreeBSD stable or release / security
> branch (releng) dated after the correction date.
>
> Perform one of the following:
>
> 1) To update your system via a binary patch:
>
> Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
> or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
> utility:
>
> # freebsd-update fetch
> # freebsd-update install
>
> 2) To update your system via a source code patch:
>
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch https://security.FreeBSD.org/patches/EN-24:08/kerberos.patch
> # fetch https://security.FreeBSD.org/patches/EN-24:08/kerberos.patch.asc
> # gpg --verify kerberos.patch.asc
>
> b) Apply the patch.  Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile the operating system using buildworld and installworld as
> described in .
>
> Restart all daemons that use the library, or reboot the system.
>
> VI.  Correction details
>
> This issue is corrected as of the corresponding Git commit hash in the
> following stable and release branches:
>
> Branch/path                             Hash                     Revision
> -------------------------------------------------------------------------
> stable/14/                              c7db2e15e404    stable/14-n266467
> releng/14.0/                            c48fe39ad139  releng/14.0-n265415
> -------------------------------------------------------------------------
>
> Run the following command to see which files were modified by a
> particular commit:
>
> # git show --stat
>
> Or visit the following URL, replacing NNNNNN with the hash:
>
>
> To determine the commit count in a working tree (for comparison against
> nNNNNNN in the table above), run:
>
> # git rev-list --count --first-parent HEAD
>
> VII. References
>
>
> The latest revision of this advisory is available at
>

Cherry-picking the suggested hash doesn't work.  It produces a merge
conflict.  It looks like a second change is needed too:
aaf2c7fdb81a1dd9de9fc77c9313f4e60e68fa76 .  Should we update the
advisory to include both?
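The workaround in section IV of the quoted notice, written out as an openssl.cnf fragment. This is an added illustration, not text from the notice or from FreeBSD; it assumes the file uses the stock OpenSSL 3 section layout (`openssl_init`, `provider_sect`, `default_sect`), so check that the section names match the file on the system being edited.

```ini
# /etc/ssl/openssl.cnf (excerpt, added example): activate the "legacy"
# provider at library start so the weak algorithms Heimdal can request
# are present instead of triggering the crash described in section III.
# Section names follow the stock OpenSSL 3 openssl.cnf (assumption).
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy  = legacy_sect

[default_sect]
# As soon as any provider is activated explicitly, OpenSSL stops loading
# the default provider implicitly. Activate it here as well, or every
# other consumer of libcrypto loses its normal algorithms.
activate = 1

[legacy_sect]
activate = 1
```

`openssl list -providers` should then report both `default` and `legacy`. Because this activates the legacy algorithms for every program that reads the system configuration, not only Kerberos, it is a stopgap until the corrected heimdal from section V is installed.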