FreeBSD Security Advisory FreeBSD-SA-09:02.openssl

Matthew Seaman m.seaman at infracaninophile.co.uk
Wed Jan 7 22:49:20 UTC 2009


FreeBSD Security Advisories wrote:
 
> I.   Background
> 
> FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project is
> a collaborative effort to develop a robust, commercial-grade, full-featured
> Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
> and Transport Layer Security (TLS v1) protocols as well as a full-strength
> general purpose cryptography library.
> 
> II.  Problem Description
> 
> The EVP_VerifyFinal() function from OpenSSL is used to determine if a
> digital signature is valid.  The SSL layer in OpenSSL uses
> EVP_VerifyFinal(), which in several places checks the return value
> incorrectly and treats verification errors as a good signature.  This
> is only a problem for DSA and ECDSA keys.
> 
> III. Impact
> 
> For applications using OpenSSL for SSL connections, an invalid SSL
> certificate may be interpreted as valid.  This could for example be
> used by an attacker to perform a man-in-the-middle attack.
> 
> Other applications which use the OpenSSL EVP API may similarly be
> affected.

The oCert advisory at http://ocert.org/advisories/ocert-2008-016.html
lists BIND and NTP as affected packages.  Don't the base system versions
of those apps also need patching?

	Cheers,

	Matthew


-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
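
The return-value mistake the quoted advisory describes, as an added example that is not from the advisory, OpenSSL, or this thread: EVP_VerifyFinal() returns 1 for a valid signature, 0 for an invalid one and a negative value on error, so a check of the shape `rc < 0`, which rejects only errors, lets the 0 result through as success. The verify function below is a constructed stand-in for EVP_VerifyFinal(), not real OpenSSL code.

```c
/* Added example (not from the advisory or OpenSSL): a mock of the
 * three-valued return convention of EVP_VerifyFinal() and the two
 * ways of checking it. Real EVP_VerifyFinal() returns 1 for a good
 * signature, 0 for a bad one, and a negative value for an error. */
#include <stdio.h>

enum verify_outcome { SIG_GOOD = 1, SIG_BAD = 0, SIG_ERROR = -1 };

/* Stand-in for EVP_VerifyFinal(): "sig" is a constructed one-byte tag,
 * not a real signature. */
static int mock_verify_final(unsigned char sig)
{
    if (sig == 'G') return SIG_GOOD;   /* signature verifies */
    if (sig == 'E') return SIG_ERROR;  /* e.g. malformed encoding */
    return SIG_BAD;                    /* anything else: does not verify */
}

/* The flawed pattern: only a negative return is rejected, so a
 * return of 0 (bad signature) is treated as a good signature. */
static int accept_sig_buggy(unsigned char sig)
{
    return mock_verify_final(sig) < 0 ? 0 : 1;
}

/* Correct pattern: success is exactly 1; 0 and negative both reject. */
static int accept_sig_fixed(unsigned char sig)
{
    return mock_verify_final(sig) == 1;
}

/* Count how many of the constructed inputs a given check accepts. */
static int count_accepted(int (*check)(unsigned char), const char *sigs)
{
    int n = 0;
    for (; *sigs; sigs++)
        n += check((unsigned char)*sigs);
    return n;
}

int main(void)
{
    const char *sigs = "GBE";  /* constructed: good, bad, error */
    printf("buggy check accepts %d of 3, fixed check accepts %d of 3\n",
           count_accepted(accept_sig_buggy, sigs),
           count_accepted(accept_sig_fixed, sigs));
    return 0;
}
```

The same three-way convention applies to EVP_DigestVerifyFinal() and the low-level DSA_verify()/ECDSA_verify() calls, so the `== 1` test is the one to audit for in any caller.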
