FreeBSD Security Advisory FreeBSD-SA-16:35.openssl
Borys Bezukladov
borys.bezukladov at gmail.com
Wed Nov 2 08:21:49 UTC 2016
On Wed, Nov 2, 2016 at 9:55 AM, FreeBSD Security Advisories
<security-advisories at freebsd.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> =============================================================================
> FreeBSD-SA-16:35.openssl Security Advisory
> The FreeBSD Project
>
> Topic: OpenSSL Remote DoS vulnerability
>
> Category: contrib
> Module: openssl
> Announced: 2016-11-02
> Affects: FreeBSD 9.x and FreeBSD 10.x.
> Corrected: 2016-11-02 07:09:31 UTC (stable/10, 10.3-STABLE)
> 2016-11-02 07:23:36 UTC (releng/10.3, 10.3-RELEASE-p12)
> 2016-11-02 07:24:14 UTC (releng/10.2, 10.2-RELEASE-p25)
> 2016-11-02 07:24:14 UTC (releng/10.1, 10.1-RELEASE-p42)
> 2016-11-02 07:09:31 UTC (stable/9, 9.3-STABLE)
> 2016-11-02 07:24:34 UTC (releng/9.3, 9.3-RELEASE-p50)
> CVE Name: CVE-2016-8610
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:https://security.FreeBSD.org/>.
>
> I. Background
>
> FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
> a collaborative effort to develop a robust, commercial-grade, full-featured
> Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
> and Transport Layer Security (TLS v1) protocols as well as a full-strength
> general purpose cryptography library.
>
> The SSL alert protocol is a way to communicate problems within a SSL/TLS session.
>
> II. Problem Description
>
> Due to improper handling of alert packets, OpenSSL would consume an excessive
> amount of CPU time processing undefined alert messages.
>
> III. Impact
>
> A remote attacker who can initiate handshakes with an OpenSSL based server
> can cause the server to consume a lot of computation power with very little
> bandwidth usage, and may be able to use this technique in a leveraged Denial
> of Service attack.
>
> IV. Workaround
>
> No workaround is available.
>
> V. Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to a supported FreeBSD stable or
> release / security branch (releng) dated after the correction date.
>
> Restart all daemons that use the library, or reboot the system.
>
> 2) To update your vulnerable system via a binary patch:
>
> Systems running a RELEASE version of FreeBSD on the i386 or amd64
> platforms can be updated via the freebsd-update(8) utility:
>
> # freebsd-update fetch
> # freebsd-update install
>
> Restart all daemons that use the library, or reboot the system.
>
> 3) To update your vulnerable system via a source code patch:
>
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> [FreeBSD 10.x]
> # fetch https://security.FreeBSD.org/patches/SA-16:35/openssl-10.patch
> # fetch https://security.FreeBSD.org/patches/SA-16:35/openssl-10.patch.asc
> # gpg --verify openssl-10.patch.asc
>
> [FreeBSD 9.3]
> # fetch https://security.FreeBSD.org/patches/SA-16:35/openssl-9.patch
> # fetch https://security.FreeBSD.org/patches/SA-16:35/openssl-9.patch.asc
> # gpg --verify openssl-9.patch.asc
>
> b) Apply the patch. Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile the operating system using buildworld and installworld as
> described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
>
> Restart all daemons that use the library, or reboot the system.
>
> VI. Correction details
>
> The following list contains the correction revision numbers for each
> affected branch.
>
> Branch/path Revision
> - -------------------------------------------------------------------------
> stable/9/ r308200
> releng/9.3/ r308205
> stable/10/ r308200
> releng/10.1/ r308204
> releng/10.2/ r308204
> releng/10.3/ r308203
> - -------------------------------------------------------------------------
>
> To see which files were modified by a particular revision, run the
> following command, replacing NNNNNN with the revision number, on a
> machine with Subversion installed:
>
> # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
>
> Or visit the following URL, replacing NNNNNN with the revision number:
>
> <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
>
> VII. References
>
> <URL:http://seclists.org/oss-sec/2016/q4/224>
>
> <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8610>
>
> The latest revision of this advisory is available at
> <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:35.openssl.asc>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.1.15 (FreeBSD)
>
> iQIcBAEBCgAGBQJYGZhkAAoJEO1n7NZdz2rnwbMQAOiGWegkYQodqBzNboK9U+6M
> 8Jt6HNrYDWAyzp+mZmWxgPWZMkGaNAsBEFXwZlHgs65RCbRczxr/kUWZx2/XHbM3
> kGx5eNIq46BFIrTDPvUgNciorl/ncJGeO4SYEFBYImceDNwIQVtpfz1IUAve+LNW
> RYYICakWn8HPuqzmIFjQydMkoyEaHMwsmkv3nVNVX46sVIQ1umZ3RZsKtlPOQqNs
> sAa0HuOOQbeU2eJhhtcYcDEPNF7Do9WvSMnYrJQ/lE2SuatXq2tdbvZLV8ieiPoj
> 3AMf9p2yPpeqqO9yy19CayTSPmDiKMVQq8jikVomX5XkVqNKLrQoQfrvpwR0DWOW
> fwIDjZ1H9IXoqjVVZwp5GLfHhAURNjbsszF4B1lXQHI1D/p4bXyOOrcuM1JxHXRK
> UGvagbs30DWH+4Baph/UVOsFUhPU0sguPtpPa0XFxSIxB6qZJJGjdOh7el6aBYJu
> VxQuw1wWQvJPm9CsIIZrX4WYBcwS8ro82wsfNWO+ZC0j5UbMwh2joFgrbEdWNM3f
> MWVYuH5czzoJO85Nu7uGB+qa9GYqKkdwGRDnFshnvPhHHnpmGL/tLHM+Kqg7uDeu
> 8RsNaZ4PYChZh8YHVooOraDl0Nz0Ln/kok8GdsZUpNfuiXm3U9fLUCAFAdNUOlr6
> PJuvkUEQRMlhG8tX3+11
> =1gO7
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
--
Borys Bezukladov
Embedded Systems Developer
cell:+38 063 837 40 51
More information about the freebsd-security
mailing list