svn commit: r48116 - in head/share: security/advisories security/patches/SA-16:11 xml
Xin LI
delphij at FreeBSD.org
Sat Jan 30 06:33:45 UTC 2016
Author: delphij
Date: Sat Jan 30 06:33:43 2016
New Revision: 48116
URL: https://svnweb.freebsd.org/changeset/doc/48116
Log:
Add SA-16:11.
Added:
head/share/security/advisories/FreeBSD-SA-16:11.openssl.asc (contents, props changed)
head/share/security/patches/SA-16:11/
head/share/security/patches/SA-16:11/openssl-10.1.patch (contents, props changed)
head/share/security/patches/SA-16:11/openssl-10.1.patch.asc (contents, props changed)
head/share/security/patches/SA-16:11/openssl-10.2.patch (contents, props changed)
head/share/security/patches/SA-16:11/openssl-10.2.patch.asc (contents, props changed)
head/share/security/patches/SA-16:11/openssl-9.3.patch (contents, props changed)
head/share/security/patches/SA-16:11/openssl-9.3.patch.asc (contents, props changed)
Modified:
head/share/xml/advisories.xml
Added: head/share/security/advisories/FreeBSD-SA-16:11.openssl.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-16:11.openssl.asc Sat Jan 30 06:33:43 2016 (r48116)
@@ -0,0 +1,159 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-16:11.openssl Security Advisory
+ The FreeBSD Project
+
+Topic: OpenSSL SSLv2 ciphersuite downgrade vulnerability
+
+Category: contrib
+Module: openssl
+Announced: 2016-01-30
+Affects: All supported versions of FreeBSD.
+Corrected: 2016-01-28 21:42:10 UTC (stable/10, 10.2-STABLE)
+ 2016-01-30 06:12:03 UTC (releng/10.2, 10.2-RELEASE-p12)
+ 2016-01-30 06:12:03 UTC (releng/10.1, 10.1-RELEASE-p29)
+ 2016-01-30 06:09:38 UTC (stable/9, 9.3-STABLE)
+ 2016-01-30 06:12:03 UTC (releng/9.3, 9.3-RELEASE-p36)
+CVE Name: CVE-2015-3197
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
+a collaborative effort to develop a robust, commercial-grade, full-featured
+Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
+and Transport Layer Security (TLS v1) protocols as well as a full-strength
+general purpose cryptography library.
+
+II. Problem Description
+
+A malicious client can negotiate SSLv2 ciphers that have been disabled on
+the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
+been disabled, provided that the SSLv2 protocol was not also disabled via
+SSL_OP_NO_SSLv2.
+
+III. Impact
+
+An active MITM attacker may be able to force a protocol downgrade to SSLv2,
+which is a flawed protocol and intercept the communication between client
+and server.
+
+IV. Workaround
+
+No workaround is available, but only applications that do not explicitly
+disable SSLv2 are affected.
+
+To determine if a server have SSLv2 enabled, a system administrator can
+use the following command:
+
+% openssl s_client -ssl2 -connect <host>:<port> </dev/null 2>&1 | grep DONE
+
+which will print "DONE" if and only if SSLv2 is enabled. Note that this
+check will not work for services that uses STARTTLS or DTLS.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Restart all deamons using the library, or reboot the system.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Restart all deamons using the library, or reboot the system.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 10.2]
+# fetch https://security.FreeBSD.org/patches/SA-16:11/openssl-10.2.patch
+# fetch https://security.FreeBSD.org/patches/SA-16:11/openssl-10.2.patch.asc
+# gpg --verify openssl-10.2.patch.asc
+
+[FreeBSD 10.1]
+# fetch https://security.FreeBSD.org/patches/SA-16:11/openssl-10.1.patch
+# fetch https://security.FreeBSD.org/patches/SA-16:11/openssl-10.1.patch.asc
+# gpg --verify openssl-10.1.patch.asc
+
+[FreeBSD 9.3]
+# fetch https://security.FreeBSD.org/patches/SA-16:11/openssl-9.3.patch
+# fetch https://security.FreeBSD.org/patches/SA-16:11/openssl-9.3.patch.asc
+# gpg --verify openssl-9.3.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all deamons using the library, or reboot the system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/9/ r295060
+releng/9.3/ r295061
+stable/10/ r295016
+releng/10.1/ r295061
+releng/10.2/ r295061
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://www.openssl.org/news/secadv/20160128.txt>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3197>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:11.openssl.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.8 (FreeBSD)
+
+iQIcBAEBCgAGBQJWrFhQAAoJEO1n7NZdz2rnzcwQAJJQvYkvHuVHHBHCuV576ceJ
+39Ry8ooGsNquyThUndbDYOV+Vhpj62XEnI+PXUgZPKENglnf+rRu0CWfCs1SqFQE
+EGOSsiXmBFyvJ8AMoQfiBdCoNRCBafqhY637IG8FU7WSpg8vYJO3bGCLmsgVbeoz
+V2kHmUtGUNSgksvOjo2O6ezc6rYc5jPrpB11mUZ8xFoBE9YhLNRpfttCajKAYy+9
+t7S3tuGnleWWmnLdFj0jNJXjg38h9gG18L4kr+z/mFFWKYmFNdKuoXlpseMFD7pb
+LP7RipHDh0WQqtVOQtyu0x6BuijiuIlByadcHZO1MfDNXnu1UR5OEESs0EYElh8O
+6mR/i3MZ1m9DoIoRcR1eCNQN2NiWV4tVCflSTi2pUl3TTCBpYn+THMi17c4IzTNA
+kaMR7AUeXgJVAntfmAx4mdqdjTam2EfCNRoMS3WdfVCD8cZQDewxFmEY2FbHUzix
+WUBVTUzx2BTUQO7PKJ6UdEiojetJ+OmwlaAb8WfGQTypANKUfMcyXzfmtmM4dgJg
+NjNIUxA9T3unmWUg5nh7CACJVWcykyM1ORLqFTrrxAlIz3d1gPI2kqGiMGtEMbzI
+A42xSFfHVvUJ6MzXe98Sf6cDWs98qQBTLDxHo5COpq6zV4AFDqlvdyzcJ/SQTAfq
+tsPAVgWspt40dxnRQfku
+=DN5y
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/SA-16:11/openssl-10.1.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-16:11/openssl-10.1.patch Sat Jan 30 06:33:43 2016 (r48116)
@@ -0,0 +1,43 @@
+Index: crypto/openssl/ssl/s2_srvr.c
+===================================================================
+--- crypto/openssl/ssl/s2_srvr.c (revision 294905)
++++ crypto/openssl/ssl/s2_srvr.c (working copy)
+@@ -400,7 +400,7 @@ static int get_client_master_key(SSL *s)
+ }
+
+ cp=ssl2_get_cipher_by_char(p);
+- if (cp == NULL)
++ if (cp == NULL || sk_SSL_CIPHER_find(s->session->ciphers, cp) < 0)
+ {
+ ssl2_return_error(s,SSL2_PE_NO_CIPHER);
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_CIPHER_MATCH);
+@@ -698,9 +698,12 @@ static int get_client_hello(SSL *s)
+ prio = cs;
+ allow = cl;
+ }
+- for (z=0; z<sk_SSL_CIPHER_num(prio); z++)
++ /* Generate list of SSLv2 ciphers shared between client and server */
++ for (z = 0; z < sk_SSL_CIPHER_num(prio); z++)
+ {
+- if (sk_SSL_CIPHER_find(allow,sk_SSL_CIPHER_value(prio,z)) < 0)
++ const SSL_CIPHER *cp = sk_SSL_CIPHER_value(prio, z);
++ if ((cp->algorithm_ssl & SSL_SSLV2) == 0 ||
++ sk_SSL_CIPHER_find(allow, cp) < 0)
+ {
+ (void)sk_SSL_CIPHER_delete(prio,z);
+ z--;
+@@ -711,6 +714,14 @@ static int get_client_hello(SSL *s)
+ sk_SSL_CIPHER_free(s->session->ciphers);
+ s->session->ciphers = prio;
+ }
++
++ /* Make sure we have at least one cipher in common */
++ if (sk_SSL_CIPHER_num(s->session->ciphers) == 0)
++ {
++ ssl2_return_error(s, SSL2_PE_NO_CIPHER);
++ SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_NO_CIPHER_MATCH);
++ return -1;
++ }
+ /* s->session->ciphers should now have a list of
+ * ciphers that are on both the client and server.
+ * This list is ordered by the order the client sent
Added: head/share/security/patches/SA-16:11/openssl-10.1.patch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-16:11/openssl-10.1.patch.asc Sat Jan 30 06:33:43 2016 (r48116)
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.8 (FreeBSD)
+
+iQIcBAABCgAGBQJWrFhgAAoJEO1n7NZdz2rnrYUQAJcK0DBwDfvVysKdQBmryikB
+iNjcbriE3X/secGwz2DnN38LoeXS1dP9N0Zk07KWaWi516PpQq1bHLxvomlvcxhw
+m98/Vmwv/MAK6g8AxEeVoXP8A2dCYeVGu8AWmfp9wwum1Kl9vGmm4UE3McPC3a59
+9mqJ1U+icn72EasyZMGNc8WnwZleuievXYxUkFJwQ32urbMgnIk/XkNT9ULpWjiH
+omgu4C4IXKyb/zer0AW5xfQ2WbMqmxD93R4ApcM79+wxCtHFK+CxFeX7Xc8BXAXn
+SEn69KggtFCYCXnsIdAE42IK28c3iw7MoeHPSZAYUf8SJ3x99NvXvdfPairLz6X1
+kjaAbbi2ycZRJBdBWTiSqYrtW3tSPGz+LtutbctcOjB6EsZMbbOZWKZYwAD2d1vi
+httOrSpgd15Jqkhh6xYoK5qmk4rDUMe8MbaSmYH0rmjB/79VxBSneocwWnYpbsUO
+m6Zrg1EpKfoIGcXYeanRHZqobeR+0uhi3oX/dBOUmxycWEMlALxboVJ7DU/q+AXE
+Fq7+H8wkATvMXaJtlRWmKV34ShfmIqTEceNLJMDHFqb/j/yUNKrA3pjfqgkoYflf
+IHrG1v61haJNREs2hx1fTWWy315ua9pwOHrpR9eYNiOwh3b4MbKdA9QErYZLMyuM
+gt45GgReqbU50ikXipnp
+=voQ/
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/SA-16:11/openssl-10.2.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-16:11/openssl-10.2.patch Sat Jan 30 06:33:43 2016 (r48116)
@@ -0,0 +1,41 @@
+Index: crypto/openssl/ssl/s2_srvr.c
+===================================================================
+--- crypto/openssl/ssl/s2_srvr.c (revision 294905)
++++ crypto/openssl/ssl/s2_srvr.c (working copy)
+@@ -402,7 +402,7 @@ static int get_client_master_key(SSL *s)
+ }
+
+ cp = ssl2_get_cipher_by_char(p);
+- if (cp == NULL) {
++ if (cp == NULL || sk_SSL_CIPHER_find(s->session->ciphers, cp) < 0) {
+ ssl2_return_error(s, SSL2_PE_NO_CIPHER);
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_CIPHER_MATCH);
+ return (-1);
+@@ -687,8 +687,12 @@ static int get_client_hello(SSL *s)
+ prio = cs;
+ allow = cl;
+ }
++
++ /* Generate list of SSLv2 ciphers shared between client and server */
+ for (z = 0; z < sk_SSL_CIPHER_num(prio); z++) {
+- if (sk_SSL_CIPHER_find(allow, sk_SSL_CIPHER_value(prio, z)) < 0) {
++ const SSL_CIPHER *cp = sk_SSL_CIPHER_value(prio, z);
++ if ((cp->algorithm_ssl & SSL_SSLV2) == 0 ||
++ sk_SSL_CIPHER_find(allow, cp) < 0) {
+ (void)sk_SSL_CIPHER_delete(prio, z);
+ z--;
+ }
+@@ -697,6 +701,13 @@ static int get_client_hello(SSL *s)
+ sk_SSL_CIPHER_free(s->session->ciphers);
+ s->session->ciphers = prio;
+ }
++
++ /* Make sure we have at least one cipher in common */
++ if (sk_SSL_CIPHER_num(s->session->ciphers) == 0) {
++ ssl2_return_error(s, SSL2_PE_NO_CIPHER);
++ SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_NO_CIPHER_MATCH);
++ return -1;
++ }
+ /*
+ * s->session->ciphers should now have a list of ciphers that are on
+ * both the client and server. This list is ordered by the order the
Added: head/share/security/patches/SA-16:11/openssl-10.2.patch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-16:11/openssl-10.2.patch.asc Sat Jan 30 06:33:43 2016 (r48116)
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.8 (FreeBSD)
+
+iQIcBAABCgAGBQJWrFhgAAoJEO1n7NZdz2rn7pIP/RfM/xbLqKh6jOQKzCAs/hqK
+erl+zzNNn8cJF00c1T2kFY05pwvFExAIAdPQ09uk7S+d+qC1tfn55ioPT0rUaLsv
+qvhsRGEB2FZi+c6l8ZFK9qvePbqTzGAwYjhcmbaxw83YtosdxM5Z6Q3v9Nzfd6cG
+qvGH6X91MDlpzyKx/ZQ/vXXFkMO1gDzMgOJe6phgKkxMiNfknqBifsLaJBUq0uSZ
+WaqlfbhPDDXFu2hJ3lvizAxz2+6OQVUZeuGaw0UPtAzofBdX4H3UhUXjFPO1iECV
+D3P0jTUKnNswd1l6xR8AUNHPh78Zf3T8hE9Ihf7jBiwVpA4VX2+jyan3NfC5ESO2
+dXStOPa4weEMERJVoBra8ZcvUwl+F63/ti35mf42KQK/dMXfn4YYJg06ZOyAxdG2
++7bAJCCW6IVmIWhh+k7UdajP7KKSjyaopw/sNEAvU01iS4nB9EBnFebQ785GgRfE
+iUEm98lCjIzkWLqZU6aGwLL46S3GUYkIhylUjLuHwsVm7YjEhURU0ghhM+srZDuX
+yd4appgHar632XnotetsIiivKkzZJYK+1pt9tVf72/Q7V+ba4Zj7FCs1DEvwAfYa
+LNIFIjS02ocgBQjKKR9+UqazuXe2+o0CpOKlqB/HGeIU3Rcc25h2y3uk8q/cCYoa
+ibsADoMVD+ImHQXbKtlu
+=L3PJ
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/SA-16:11/openssl-9.3.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-16:11/openssl-9.3.patch Sat Jan 30 06:33:43 2016 (r48116)
@@ -0,0 +1,43 @@
+Index: crypto/openssl/ssl/s2_srvr.c
+===================================================================
+--- crypto/openssl/ssl/s2_srvr.c (revision 294905)
++++ crypto/openssl/ssl/s2_srvr.c (working copy)
+@@ -392,7 +392,7 @@ static int get_client_master_key(SSL *s)
+ }
+
+ cp=ssl2_get_cipher_by_char(p);
+- if (cp == NULL)
++ if (cp == NULL || sk_SSL_CIPHER_find(s->session->ciphers, cp) < 0)
+ {
+ ssl2_return_error(s,SSL2_PE_NO_CIPHER);
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_CIPHER_MATCH);
+@@ -690,9 +690,12 @@ static int get_client_hello(SSL *s)
+ prio = cs;
+ allow = cl;
+ }
+- for (z=0; z<sk_SSL_CIPHER_num(prio); z++)
++ /* Generate list of SSLv2 ciphers shared between client and server */
++ for (z = 0; z < sk_SSL_CIPHER_num(prio); z++)
+ {
+- if (sk_SSL_CIPHER_find(allow,sk_SSL_CIPHER_value(prio,z)) < 0)
++ const SSL_CIPHER *cp = sk_SSL_CIPHER_value(prio, z);
++ if ((cp->algorithms & SSL_SSLV2) == 0 ||
++ sk_SSL_CIPHER_find(allow, cp) < 0)
+ {
+ (void)sk_SSL_CIPHER_delete(prio,z);
+ z--;
+@@ -703,6 +706,14 @@ static int get_client_hello(SSL *s)
+ sk_SSL_CIPHER_free(s->session->ciphers);
+ s->session->ciphers = prio;
+ }
++
++ /* Make sure we have at least one cipher in common */
++ if (sk_SSL_CIPHER_num(s->session->ciphers) == 0)
++ {
++ ssl2_return_error(s, SSL2_PE_NO_CIPHER);
++ SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_NO_CIPHER_MATCH);
++ return -1;
++ }
+ /* s->session->ciphers should now have a list of
+ * ciphers that are on both the client and server.
+ * This list is ordered by the order the client sent
Added: head/share/security/patches/SA-16:11/openssl-9.3.patch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-16:11/openssl-9.3.patch.asc Sat Jan 30 06:33:43 2016 (r48116)
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.8 (FreeBSD)
+
+iQIcBAABCgAGBQJWrFhgAAoJEO1n7NZdz2rnHfAP/0dRSsN5QEeACYvdu7fSGyvq
+/9QUsHLyGMj3wS1SUP3oFCgpXuweYfmWVtvFfA2uLqXOukuOPJLYSpJVdF0QXZrK
+dL0mlU3aaA2NLQlgl3QpnX1Gz5ItV62piljHs9Q87Is765BYnUp7i01gexVIA0PE
+kK0U5ocfYiEwGhtcRl1ndTCHFJxrAQY7quRBPgeONpB2VFoSXOmRLF2cCi8s+ebV
+cUk9sTWT+OCutzjvDFsqEFvcaVHT8jDDlXdXUuDGOzZ4sGc/OgKA6J42Wws++VKw
+LqfQjD/RP4GQNvO0mmvd/1jnr6ug+rMxJapnNRVY6nTRBOcn2qEIZjALBjjVTZdx
+xIQVc5M0CmRF4GcnKlwwJMC5vl+BPxvSbb2mKDEGY+nzXdH7z5618wwqE1EyIwj5
+U7X75vogYMv50uTTuAXazQm1WifxmpDYaaIyTRzz5pnSeXE6seeUEvkKXhmD2s+g
+OQhULV51JUPhousieaJzPVTB8/NSZAiqvma++aW7claJr7drGWL1DEOGXqRBl/Rb
+9iYDOJ6VcdqwfDUb1Hf5Ukc3oYGXkobhpswjbFnmTE96Cu/mH7Z1bKDhlG/0Zzwv
+YYHTmWn9j9/azAwL0ZTUZztDm+9ZQqSPBXJMWVEaPOskyxRUHKurgixB7uEZco9U
+RlgyGJfV0gU3oDgM9XE+
+=wEfU
+-----END PGP SIGNATURE-----
Modified: head/share/xml/advisories.xml
==============================================================================
--- head/share/xml/advisories.xml Fri Jan 29 19:22:52 2016 (r48115)
+++ head/share/xml/advisories.xml Sat Jan 30 06:33:43 2016 (r48116)
@@ -11,6 +11,14 @@
<name>1</name>
<day>
+ <name>30</name>
+
+ <advisory>
+ <name>FreeBSD-SA-16:11.openssl</name>
+ </advisory>
+ </day>
+
+ <day>
<name>27</name>
<advisory>
More information about the svn-doc-head
mailing list