FreeBSD Security Advisory FreeBSD-SA-15:06.openssl

Mike Tancsa mike at sentex.net
Thu Mar 19 18:08:49 UTC 2015 

Wow, thanks for the quick fix/commit Xin!!

	---Mike


On 3/19/2015 1:55 PM, FreeBSD Security Advisories wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> =============================================================================
> FreeBSD-SA-15:06.openssl                                    Security Advisory
>                                                            The FreeBSD Project
>
> Topic:          Multiple OpenSSL vulnerabilities
>
> Category:       contrib
> Module:         openssl
> Announced:      2015-03-19
> Affects:        All supported versions of FreeBSD.
> Corrected:      2015-03-19 17:40:43 UTC (stable/10, 10.1-STABLE)
>                  2015-03-19 17:42:38 UTC (releng/10.1, 10.1-RELEASE-p7)
>                  2015-03-19 17:40:43 UTC (stable/9, 9.3-STABLE)
>                  2015-03-19 17:42:38 UTC (releng/9.3, 9.3-RELEASE-p11)
>                  2015-03-19 17:40:43 UTC (stable/8, 8.4-STABLE)
>                  2015-03-19 17:42:38 UTC (releng/8.4, 8.4-RELEASE-p25)
> CVE Name:       CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288,
>                  CVE-2015-0289, CVE-2015-0293
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:https://security.FreeBSD.org/>.
>
> I.   Background
>
> FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project is
> a collaborative effort to develop a robust, commercial-grade, full-featured
> Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
> and Transport Layer Security (TLS v1) protocols as well as a full-strength
> general purpose cryptography library.
>
> Abstract Syntax Notation One (ASN.1) is a standard and notation that
> describes rules and structures for representing, encoding, transmitting,
> and decoding data in telecommunications and computer networking, which
> enables representation of objects that are independent of machine-specific
> encoding technique.
>
> II.  Problem Description
>
> A malformed elliptic curve private key file could cause a use-after-free
> condition in the d2i_ECPrivateKey function.  [CVE-2015-0209]
>
> An attempt to compare ASN.1 boolean types will cause the ASN1_TYPE_cmp
> function to crash with an invalid read.  [CVE-2015-0286]
>
> Reusing a structure in ASN.1 parsing may allow an attacker to cause memory
> corruption via an invalid write. [CVE-2015-0287]
>
> The function X509_to_X509_REQ will crash with a NULL pointer dereference if
> the certificate key is invalid.  [CVE-2015-0288]
>
> The PKCS#7 parsing code does not handle missing outer ContentInfo correctly.
> [CVE-2015-0289]
>
> A malicious client can trigger an OPENSSL_assert in servers that both support
> SSLv2 and enable export cipher suites by sending a specially crafted SSLv2
> CLIENT-MASTER-KEY message.  [CVE-2015-0293]
>
> III. Impact
>
> A malformed elliptic curve private key file can cause server daemons using
> OpenSSL to crash, resulting in a Denial of Service.  [CVE-2015-0209]
>
> A remote attacker who is able to send specifically crafted certificates
> may be able to crash an OpenSSL client or server.  [CVE-2015-0286]
>
> An attacker who can cause invalid writes with applications that parse
> structures containing CHOICE or ANY DEFINED BY components and reusing
> the structures may be able to cause them to crash.  Such reuse is believed
> to be rare.  OpenSSL clients and servers are not affected. [CVE-2015-0287]
>
> An attacker may be able to crash applications that create a new certificate
> request with subject name the same as in an existing, specifically crafted
> certificate.  This usage is rare in practice.  [CVE-2015-0288]
>
> An attacker may be able to crash applications that verify PKCS#7 signatures,
> decrypt PKCS#7 data or otherwise parse PKCS#7 structures with specifically
> crafted certificates.  [CVE-2015-0289]
>
> A malicious client can trigger an OPENSSL_assert in servers that both support
> SSLv2 and enable export cipher suites by sending a carefully crafted SSLv2
> CLIENT-MASTER-KEY message, resulting in a Denial of Service.  [CVE-2015-0293]
>
> Note that two issues in the original OpenSSL advisory, CVE-2015-0204 and
> CVE-2015-0292, were already addressed by FreeBSD-SA-15:01.openssl and
> FreeBSD-EN-15:02.openssl.
>
> IV.  Workaround
>
> No workaround is available.
>
> V.   Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to a supported FreeBSD stable or
> release / security branch (releng) dated after the correction date.
>
> 2) To update your vulnerable system via a binary patch:
>
> Systems running a RELEASE version of FreeBSD on the i386 or amd64
> platforms can be updated via the freebsd-update(8) utility:
>
> # freebsd-update fetch
> # freebsd-update install
>
> 3) To update your vulnerable system via a source code patch:
>
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> [FreeBSD 8.4 and FreeBSD 9.3]
> # fetch https://security.FreeBSD.org/patches/SA-15:06/openssl-0.9.8.patch
> # fetch https://security.FreeBSD.org/patches/SA-15:06/openssl-0.9.8.patch.asc
> # gpg --verify openssl-0.9.8.patch.asc
>
> [FreeBSD 10.1]
> # fetch https://security.FreeBSD.org/patches/SA-15:06/openssl-1.0.1.patch
> # fetch https://security.FreeBSD.org/patches/SA-15:06/openssl-1.0.1.patch.asc
> # gpg --verify openssl-1.0.1.patch.asc
>
> b) Apply the patch.  Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile the operating system using buildworld and installworld as
> described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
>
> Restart all deamons using the library, or reboot the system.
>
> VI.  Correction details
>
> The following list contains the correction revision numbers for each
> affected branch.
>
> Branch/path                                                      Revision
> - -------------------------------------------------------------------------
> stable/8/                                                         r280266
> releng/8.4/                                                       r280268
> stable/9/                                                         r280266
> releng/9.3/                                                       r280268
> stable/10/                                                        r280266
> releng/10.1/                                                      r280268
> - -------------------------------------------------------------------------
>
> To see which files were modified by a particular revision, run the
> following command, replacing NNNNNN with the revision number, on a
> machine with Subversion installed:
>
> # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
>
> Or visit the following URL, replacing NNNNNN with the revision number:
>
> <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
>
> VII. References
>
> <URL:https://www.openssl.org/news/secadv_20150319.txt>
>
> <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0209>
>
> <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0286>
>
> <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0287>
>
> <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0288>
>
> <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0289>
>
> <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0293>
>
> The latest revision of this advisory is available at
> <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:06.openssl.asc>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.1.2 (FreeBSD)
>
> iQIcBAEBCgAGBQJVCwr1AAoJEO1n7NZdz2rnayEP/0w3Pba5k/1G0mJ1T9APNAns
> hhXm0YuR/rNJ1XBooWEOctrijlsVChcIt8KvJCU9apOZWjDvm/nvaQ077GCi5RSp
> jhQBs8MLVfXzwMbJ0/uBpp6ChF8uafk5O+gr8ulb2jG6VIaLkGOWPYv61aRYSGxy
> R7+6FxD8M0lLbGOQGETy1HxKzeWztA2p0ILORNAsi+bF8GSJpxGhSxqDDi4+ic/C
> 3oEw0zT/E6DhxJovOPebKq0eGcRbv7ETqDmtNQdqbOddV+0FY1E+nHtrAo6B/Kln
> rL+meBJHmLeEREROFk4OvCynuROUJGmXJGKwjN3uOVM05qcEZS4NkVhFNrxt6S5H
> t3wQ02SesbA3pbmce5OuXmlJgdL57DVlMb5sQjkqPeoJ6pn6Rz7VLSgLNfXDUSxs
> x/Lgx0+qLQUubMud7zT97UIvZmDqFTWXfJu5S/0Qt8BPFunmoNJttJ5Cr+brzEtu
> 5RLjcvkC1giVCpSXS96QbeT67uqSkMZa8gtII8bA77HBGA0Ky8AOwTAXbCiUovuH
> sLwsI8KUC3lsKUh7eyLsSm2+wRHn0e6dZ1PE0JRazCnCRboTvMWK2d4R7ANdrwsq
> CgtCWLRz6vbB9J4XTNupcEoZGhIA4RuOBqx43eQmaRw1HoV3vn85QP94oL5jzXBd
> UQg3YfrXHDlxCsqEzN7o
> =wi0T
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
>
>


-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/

More information about the freebsd-security mailing list