FreeBSD Security Advisory FreeBSD-SA-09:02.openssl
Matthew Seaman
m.seaman at infracaninophile.co.uk
Wed Jan 7 22:49:20 UTC 2009
FreeBSD Security Advisories wrote:
> I. Background
>
> FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
> a collaborative effort to develop a robust, commercial-grade, full-featured
> Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
> and Transport Layer Security (TLS v1) protocols as well as a full-strength
> general purpose cryptography library.
>
> II. Problem Description
>
> The EVP_VerifyFinal() function from OpenSSL is used to determine if a
> digital signature is valid. The SSL layer in OpenSSL uses
> EVP_VerifyFinal(), which in several places checks the return value
> incorrectly and treats verification errors as a good signature. This
> is only a problem for DSA and ECDSA keys.
>
> III. Impact
>
> For applications using OpenSSL for SSL connections, an invalid SSL
> certificate may be interpreted as valid. This could for example be
> used by an attacker to perform a man-in-the-middle attack.
>
> Other applications which use the OpenSSL EVP API may similarly be
> affected.
The oCert advisory at http://ocert.org/advisories/ocert-2008-016.html
lists BIND and NTP as affected packages. Don't the base system versions
of those apps also need patching?
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
7 Priory Courtyard
Flat 3
Ramsgate
Kent, CT11 9PW
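The defect the quoted advisory describes is a return-value check, not a flaw in the signature mathematics: EVP_VerifyFinal() returns 1 when the signature verifies, 0 when it does not, and -1 when an error occurs (for instance a signature blob the DSA/ECDSA code cannot decode), and the affected SSL code tested that result with a `!`-style check, so the -1 error case fell through as success. The following C program is an added illustration, not code from the advisory, OpenSSL or FreeBSD: `toy_verify_final()` is a hypothetical stand-in that only mimics the three-way return contract, and the two `accept_*` wrappers show the vulnerable check beside the corrected one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return-value contract of EVP_VerifyFinal():
 *   1  = signature verified
 *   0  = signature did not verify
 *  -1  = an error occurred (e.g. the signature could not be parsed) */
enum { SIG_OK = 1, SIG_BAD = 0, SIG_ERR = -1 };

/* Hypothetical stand-in for EVP_VerifyFinal() (constructed for this example,
 * not OpenSSL): a "valid" signature is simply the 4-byte expected tag, and
 * anything of a different length is reported as a decode error, the way a
 * real DSA/ECDSA verifier reports a malformed signature. */
static const unsigned char expected_sig[4] = {0xde, 0xad, 0xbe, 0xef};

int toy_verify_final(const unsigned char *sig, size_t siglen)
{
    if (siglen != sizeof expected_sig)
        return SIG_ERR;   /* could not even parse the signature */
    return memcmp(sig, expected_sig, siglen) == 0 ? SIG_OK : SIG_BAD;
}

/* Vulnerable pattern: the caller wrote the check as "if (!verify(...)) goto err;".
 * Any non-zero return, including the -1 error value, is accepted. */
bool accept_buggy(const unsigned char *sig, size_t siglen)
{
    return toy_verify_final(sig, siglen) != 0;
}

/* Corrected pattern: "if (verify(...) <= 0) goto err;" so only an explicit
 * 1 counts as a good signature; both 0 and -1 are rejected. */
bool accept_fixed(const unsigned char *sig, size_t siglen)
{
    return toy_verify_final(sig, siglen) == 1;
}

int main(void)
{
    /* Constructed sample inputs. */
    const unsigned char good[4]      = {0xde, 0xad, 0xbe, 0xef};
    const unsigned char wrong[4]     = {0x00, 0x00, 0x00, 0x00};
    const unsigned char malformed[1] = {0x30};   /* too short to parse */

    struct { const char *name; const unsigned char *sig; size_t len; } cases[] = {
        {"good",      good,      sizeof good},
        {"wrong",     wrong,     sizeof wrong},
        {"malformed", malformed, sizeof malformed},
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-9s buggy=%d fixed=%d\n", cases[i].name,
               accept_buggy(cases[i].sig, cases[i].len),
               accept_fixed(cases[i].sig, cases[i].len));
    return 0;
}
```

The "malformed" row is the one that matters: the buggy wrapper accepts a signature the verifier could not even decode, which is exactly why the advisory warns that an invalid certificate may be treated as valid. When auditing callers of EVP_VerifyFinal() (or any API with a 1/0/-1 contract), grep for `!` and `== 0` tests of the result and replace them with an explicit `<= 0` or `!= 1` rejection.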