misc/122479: In the systems subsequent to FreeBSD7,
openssl is older than 0.9.8g.
M. Kozuka
ma-kun at kozuka.jp
Sun Apr 6 04:30:01 UTC 2008
>Number: 122479
>Category: misc
>Synopsis: In the systems subsequent to FreeBSD7, openssl is older than 0.9.8g.
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Sun Apr 06 04:30:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: M. Kozuka
>Release: 7.0-RELEASE
>Organization:
Kyoto University
>Environment:
FreeBSD sctp3.sctp.jp 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008 root at logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
In all versions of 0.9.8 prior to 0.9.8f, openssl has a vulnerability around DTLS1 processing.
However, FreeBSD 7.0-RELEASE includes 0.9.8e.
>How-To-Repeat:
Using openssl command, you can use DTLS1.
% /usr/bin/openssl s_server -dtls1 -accept 8080 -cert /usr/src/crypto/openssl/demos/sign/cert.pem -key /usr/src/crypto/openssl/demos/sign/key.pem
% /usr/bin/openssl s_client -dtls1 -connect 127.0.0.1:8080
You cannot communicate each other using DTLS1.
And sometimes, you will meet a SEGV.
If you install 0.9.8g through ports (security/openssl) and use it, you will communicate correctly.
>Fix:
Upgrade to 0.9.8g or disable DTLS1 support.
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list