bin/163951: bundled openssl seems to miss fix for a CVE-2011-1945

Volodymyr Kostyrko c.kworr at
Mon Jan 9 09:40:16 UTC 2012

>Number:         163951
>Category:       bin
>Synopsis:       bundled openssl seems to miss fix for a CVE-2011-1945
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jan 09 09:40:15 UTC 2012
>Originator:     Volodymyr Kostyrko
>Release:        RELENG_9
FreeBSD green.tandem.local 9.0-STABLE FreeBSD 9.0-STABLE #0 r229848: Mon Jan  9 10:58:48 EET 2012     arcade at green.tandem.local:/usr/obj/usr/src/sys/MINIMAL_4BSD  amd64
Recently I started to recheck the usability of ssh keys and found that ECDSA keys are already available. I've tried to make one and it points me about key bit length. Reading about this on

I also noticed that a timing attack is possible against OpenSSL. Quickly checking the code shows that we haven't integrated the fix yet, as the current revision of

misses the fix from:

And after the latest OpenSSH import by des:

we are automatically creating (and using?) a private ECDSA key:

Import fix from

