FreeBSD Security Advisory FreeBSD-SA-09:02.openssl
matt donovan
kitchetech at gmail.com
Thu Jan 8 02:01:27 UTC 2009
On Wed, Jan 7, 2009 at 5:49 PM, Matthew Seaman <m.seaman at infracaninophile.co.uk> wrote:
> FreeBSD Security Advisories wrote:
>
>> I. Background
>>
>> FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
>> a collaborative effort to develop a robust, commercial-grade, full-featured
>> Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
>> and Transport Layer Security (TLS v1) protocols as well as a full-strength
>> general purpose cryptography library.
>>
>> II. Problem Description
>>
>> The EVP_VerifyFinal() function from OpenSSL is used to determine if a
>> digital signature is valid. The SSL layer in OpenSSL uses
>> EVP_VerifyFinal(), which in several places checks the return value
>> incorrectly and treats verification errors as a good signature. This
>> is only a problem for DSA and ECDSA keys.
>>
>> III. Impact
>>
>> For applications using OpenSSL for SSL connections, an invalid SSL
>> certificate may be interpreted as valid. This could for example be
>> used by an attacker to perform a man-in-the-middle attack.
>>
>> Other applications which use the OpenSSL EVP API may similarly be
>> affected.
>>
>
> The oCert advisory at http://ocert.org/advisories/ocert-2008-016.html
> lists BIND and NTP as affected packages. Don't the base system versions
> of those apps also need patching?
>
> Cheers,
>
> Matthew
>
>
> --
> Dr Matthew J Seaman MA, D.Phil.
> PGP: http://www.infracaninophile.co.uk/pgpkey
> 7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
I was told they don't, but I believe they do, since from what I can tell the code inside of ntp and bind doesn't check the return code from the OpenSSL EVP API correctly.
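The advisory's "Problem Description" comes down to one return-value contract: EVP_VerifyFinal() returns 1 when the signature verifies, 0 when it does not, and a negative value when something else went wrong (for DSA and ECDSA the underlying verify routines report malformed signatures and similar failures as -1, which is why the advisory limits the problem to those key types). Treating "non-zero" as success therefore accepts the error case. The following is an added example, not code from OpenSSL, FreeBSD, or either poster: fake_verify_final() is a constructed stand-in that only reproduces the documented return values, so the block compiles without libcrypto, and the two accept_signature_*() functions show the flawed check beside the corrected one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Return convention of OpenSSL's EVP_VerifyFinal():
 *   1  = signature verified
 *   0  = signature did not verify
 *  <0  = some other error (malformed signature, unusable key, ...)
 * The names below are our own labels for that contract. */
enum { VERIFY_OK = 1, VERIFY_BAD_SIG = 0, VERIFY_ERROR = -1 };

/* Constructed stand-in for a real verification call (assumption: this is
 * not OpenSSL code). A one-byte "signature" of 'G' verifies, 'B' fails
 * cleanly, and anything else is treated as a malformed signature, which
 * real DSA/ECDSA verification reports as a negative return value. */
static int fake_verify_final(const unsigned char *sig, size_t siglen) {
    if (siglen != 1)
        return VERIFY_ERROR;
    if (sig[0] == 'G')
        return VERIFY_OK;
    if (sig[0] == 'B')
        return VERIFY_BAD_SIG;
    return VERIFY_ERROR;
}

/* The flawed pattern the advisory describes: the caller only asks "is the
 * return value non-zero?", so an error result (-1) is accepted as a valid
 * signature. */
bool accept_signature_flawed(const unsigned char *sig, size_t siglen) {
    if (fake_verify_final(sig, siglen))
        return true;
    return false;
}

/* Corrected pattern: only an exact return value of 1 means "verified";
 * both 0 (bad signature) and negative values (error) are rejected. */
bool accept_signature_fixed(const unsigned char *sig, size_t siglen) {
    return fake_verify_final(sig, siglen) == 1;
}

/* Stand-alone demonstration over the three possible outcomes. */
int main(void) {
    /* Constructed sample "signatures" covering each return value. */
    const unsigned char good[] = "G", bad[] = "B", malformed[] = "X";

    printf("good      flawed=%d fixed=%d\n",
           accept_signature_flawed(good, 1), accept_signature_fixed(good, 1));
    printf("bad       flawed=%d fixed=%d\n",
           accept_signature_flawed(bad, 1), accept_signature_fixed(bad, 1));
    printf("malformed flawed=%d fixed=%d  <- the flawed check accepts this\n",
           accept_signature_flawed(malformed, 1),
           accept_signature_fixed(malformed, 1));
    return 0;
}
```

The same check applies to any caller of the EVP verify API, including the ntp and bind code the thread asks about: when auditing such callers, look for `== 1` (or an equivalent `<= 0` rejection), not a bare truthiness test of the return value.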