Fwd: FreeBSD Security Advisory FreeBSD-SA-14:18.openssl

Ronald Klop ronald-lists at klop.ws
Mon Oct 20 12:28:28 UTC 2014


Can you do 'ls /usr/local/share/certs/ca-root-nss.crt'?

Fetch does not complain if the cert-file does not exist (see below), but  
continues with no certificate chain. Using the -v option to fetch might  
also help in finding the cause.

fetch -v --ca-cert=/yeahyeahyeah  
http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch
looking up security.FreeBSD.org
connecting to security.FreeBSD.org:80
requesting http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch
301 redirect to  
https://www.FreeBSD.org/security/patches/SA-14:18/openssl-10.0.patch
looking up www.FreeBSD.org
connecting to www.FreeBSD.org:443
SSL options: 81004bff
Peer verification enabled
Using CA cert file: /yeahyeahyeah
Certificate verification failed for /C=US/ST=UT/L=Salt Lake City/O=The  
USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
34380945272:error:14090086:SSL  
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify  
failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1180:
fetch: http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch:  
Authentication error

As a last resort (but 'unsafe') you can add the option '--no-verify-peer'  
to fetch.

Ronald.


On Mon, 20 Oct 2014 14:06:49 +0200, tethys ocean <tethys.ocean at gmail.com>  
wrote:

> Again same err. Just below:
>
> fetch --ca-cert=/usr/local/share/certs/ca-root-nss.crt
> http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch
> Certificate verification failed for /C=US/ST=UT/L=Salt Lake City/O=The
> USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
> 675119676:error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1180:
> fetch: http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch:
> Authentication error
>
> On Mon, Oct 20, 2014 at 2:35 PM, Ronald Klop <ronald-lists at klop.ws>  
> wrote:
>> Install port security/ca_root_nss and use:
>>
>> fetch --ca-cert=/usr/local/share/certs/ca-root-nss.crt
>> http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch
>>
>> That works. And still checks validity of the https server as long as
>> you trust the ca_root_nss port.
>>
>> But I think it is kind of lame the default certificates from base don't
>> work out of the box.
>>
>> Ronald.
>>
>> On Mon, 20 Oct 2014 12:22:32 +0200, tethys ocean
>> <tethys.ocean at gmail.com> wrote:
>>
>>> I am using FreeBSD 10.0-STABLE on my servers. But according to this mail
>>> I tried
>>>
>>> [FreeBSD 10.0]
>>> # fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch
>>> # fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch.asc
>>> # gpg --verify openssl-10.0.patch.asc
>>>
>>> But my server says this below:
>>>
>>> fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch
>>> Certificate verification failed for /C=US/ST=UT/L=Salt Lake City/O=The
>>> USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
>>> 675119676:error:14090086:SSL
>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
>>> failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1180:
>>> fetch: http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch:
>>> Authentication error
>>>
>>> What should I do?
>>>
>>> thanx
>>>
>>> ---------- Forwarded message ----------
>>> From: FreeBSD Security Advisories <security-advisories at freebsd.org>
>>> Date: Tue, Sep 9, 2014 at 2:04 PM
>>> Subject: FreeBSD Security Advisory FreeBSD-SA-14:18.openssl
>>> To: FreeBSD Security Advisories <security-advisories at freebsd.org>
>>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA512
>>>
>>> =============================================================================
>>> FreeBSD-SA-14:18.openssl                                    Security Advisory
>>>                                                           The FreeBSD Project
>>>
>>> Topic:          OpenSSL multiple vulnerabilities
>>>
>>> Category:       contrib
>>> Module:         openssl
>>> Announced:      2014-09-09
>>> Affects:        All supported versions of FreeBSD.
>>> Corrected:      2014-08-07 21:04:42 UTC (stable/10, 10.0-STABLE)
>>>                 2014-09-09 10:09:46 UTC (releng/10.0, 10.0-RELEASE-p8)
>>>                 2014-08-07 21:06:34 UTC (stable/9, 9.3-STABLE)
>>>                 2014-09-09 10:13:46 UTC (releng/9.3, 9.3-RELEASE-p1)
>>>                 2014-09-09 10:13:46 UTC (releng/9.2, 9.2-RELEASE-p11)
>>>                 2014-09-09 10:13:46 UTC (releng/9.1, 9.1-RELEASE-p18)
>>>                 2014-08-07 21:06:34 UTC (stable/8, 8.4-STABLE)
>>>                 2014-09-09 10:13:46 UTC (releng/8.4, 8.4-RELEASE-p15)
>>> CVE Name:       CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3510,
>>>                 CVE-2014-3509, CVE-2014-3511, CVE-2014-3512, CVE-2014-5139
>>>
>>> For general information regarding FreeBSD Security Advisories,
>>> including descriptions of the fields above, security branches, and the
>>> following sections, please visit <URL:http://security.FreeBSD.org/>.
>>>
>>> I.   Background
>>>
>>> FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project is
>>> a collaborative effort to develop a robust, commercial-grade, full-featured
>>> Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
>>> and Transport Layer Security (TLS v1) protocols as well as a full-strength
>>> general purpose cryptography library.
>>>
>>> II.  Problem Description
>>>
>>> The receipt of a specifically crafted DTLS handshake message may cause OpenSSL
>>> to consume large amounts of memory. [CVE-2014-3506]
>>>
>>> The receipt of a specifically crafted DTLS packet could cause OpenSSL to leak
>>> memory. [CVE-2014-3507]
>>>
>>> A flaw in OBJ_obj2txt may cause pretty printing functions such as
>>> X509_name_oneline, X509_name_print_ex et al. to leak some information from
>>> the stack. [CVE-2014-3508]
>>>
>>> OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject to
>>> a denial of service attack. [CVE-2014-3510]
>>>
>>> The following problems affect FreeBSD 10.0-RELEASE and later:
>>>
>>> If a multithreaded client connects to a malicious server using a resumed
>>> session and the server sends an ec point format extension it could write
>>> up to 255 bytes to freed memory. [CVE-2014-3509]
>>>
>>> A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
>>> TLS 1.0 instead of higher protocol versions when the ClientHello message
>>> is badly fragmented. [CVE-2014-3511]
>>>
>>> A malicious client or server can send invalid SRP parameters and overrun
>>> an internal buffer. [CVE-2014-3512]
>>>
>>> A malicious server can crash the client with a NULL pointer dereference by
>>> specifying a SRP ciphersuite even though it was not properly negotiated
>>> with the client. [CVE-2014-5139]
>>>
>>> III. Impact
>>>
>>> A remote attacker may be able to cause a denial of service (application
>>> crash, large memory consumption), obtain additional information,
>>> cause protocol downgrade.  Additionally, a remote attacker may be able
>>> to run arbitrary code on a vulnerable system if the application has been
>>> set up for SRP.
>>>
>>> IV.  Workaround
>>>
>>> No workaround is available.
>>>
>>> V.   Solution
>>>
>>> Perform one of the following:
>>>
>>> 1) Upgrade your vulnerable system to a supported FreeBSD stable or
>>> release / security branch (releng) dated after the correction date.
>>>
>>> 2) To update your vulnerable system via a source code patch:
>>>
>>> The following patches have been verified to apply to the applicable
>>> FreeBSD release branches.
>>>
>>> a) Download the relevant patch from the location below, and verify the
>>> detached PGP signature using your PGP utility.
>>>
>>> [FreeBSD 10.0]
>>> # fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch
>>> # fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch.asc
>>> # gpg --verify openssl-10.0.patch.asc
>>>
>>> [FreeBSD 9.3]
>>> # fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-9.3.patch
>>> # fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-9.3.patch.asc
>>> # gpg --verify openssl-9.3.patch.asc
>>>
>>> [FreeBSD 9.2, 9.1, 8.4]
>>> # fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-9.patch
>>> # fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-9.patch.asc
>>> # gpg --verify openssl-9.patch.asc
>>>
>>> b) Apply the patch.  Execute the following commands as root:
>>>
>>> # cd /usr/src
>>> # patch < /path/to/patch
>>>
>>> c) Recompile the operating system using buildworld and installworld as
>>> described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
>>>
>>> Restart all daemons using the library, or reboot the system.
>>>
>>> 3) To update your vulnerable system via a binary patch:
>>>
>>> Systems running a RELEASE version of FreeBSD on the i386 or amd64
>>> platforms can be updated via the freebsd-update(8) utility:
>>>
>>> # freebsd-update fetch
>>> # freebsd-update install
>>>
>>> VI.  Correction details
>>>
>>> The following list contains the correction revision numbers for each
>>> affected branch.
>>>
>>> Branch/path                                                      Revision
>>> - -------------------------------------------------------------------------
>>> stable/8/                                                         r269687
>>> releng/8.4/                                                       r271305
>>> stable/9/                                                         r269687
>>> releng/9.1/                                                       r271305
>>> releng/9.2/                                                       r271305
>>> releng/9.3/                                                       r271305
>>> stable/10/                                                        r269686
>>> releng/10.0/                                                      r271304
>>> - -------------------------------------------------------------------------
>>>
>>> To see which files were modified by a particular revision, run the
>>> following command, replacing NNNNNN with the revision number, on a
>>> machine with Subversion installed:
>>>
>>> # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
>>>
>>> Or visit the following URL, replacing NNNNNN with the revision number:
>>>
>>> <URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
>>>
>>> VII. References
>>>
>>> <URL:https://www.openssl.org/news/secadv_20140806.txt>
>>> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3506>
>>> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3507>
>>> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3508>
>>> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3509>
>>> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3510>
>>> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3511>
>>> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3512>
>>> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5139>
>>>
>>> The latest revision of this advisory is available at
>>> <URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:18.openssl.asc>
>>> -----BEGIN PGP SIGNATURE-----
>>>
>>> iQIcBAEBCgAGBQJUDtUBAAoJEO1n7NZdz2rnOUoP/jNoEEPVt1RoVPQoOQc6vno5
>>> 2HXcCDsu0ql3kCNIIZ7E6TddfduzV04EMzBrIgulg7eXft+Lnx6HlEgJOo7QLImc
>>> aWLWxjcbyby6wrbYOc+FLK11yx9/uZJF0VCdSeyzhy0EFD3tOZPsDMXKZmG7FRkg
>>> 6A7ENJU25Mx8V1myzHw/VfDwAHCtXHliFVVE0CUku55pYnlhMeetu/wuB6KYbmgV
>>> 1WUamiHEGl4Dh4Up7nGHYYm32kqZLaE+cf1Ovc2VGT98ZyXmCgDB4+8kkA/HZxxp
>>> DRgQlojeQhahee5MmzD+wMJXlq6dekoo+JVf22+Nb+oNmlKT6/UxtUhCwW11MLUV
>>> rnOMr3u1JCNvBc+3KroSmtFeEtqh7jx3Ag4w8lS5mJO+wX1/lilbsFxSS/9G65fy
>>> LqHUQSxkuDJ1bNzPfKreBPyUmQlG5t/3DonIDCF9r3sefDN+kxqe1+RwjdNRM0ov
>>> V7OH/AW1NBQtV/F/h0tKCcskvcJo9Q+inAohheLPnWkFj7F2tLNt5TAxsGy7WvFZ
>>> MuQSAXpZkdh7OkhAhBM3Xk+EOv7Qk7zZL5HJ1Lpm6kfJ8wSb4etoUV7oELaDMBz8
>>> +9r+Vr9GtjSsec2a4tjNIixZKV9bzEhgKP5gsWD/JewhAzF+0bYNa9snOWxzpAYb
>>> j+eW9IT7pEAJK9DtIsDd
>>> =f4To
>>> -----END PGP SIGNATURE-----
>>>
>>> _______________________________________________
>>> freebsd-security at freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
>>> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
>>>
>>
>> _______________________________________________
>> freebsd-stable at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
>> To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"
>
> --
> Share now a pigeon's flight
> Bluebound along the ancient skies,
> Its women forever hair and mammal,
> A Mediterranean town may arise
> If you rip apart a pigeon's heart.
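Ronald's reply makes two points worth turning into checks: fetch proceeds silently with no certificate chain when the --ca-cert file is missing, and the advisory's procedure depends on verifying the detached PGP signature before anything is applied. The script below is an added example written for this page; it is not code from the thread, from FreeBSD, or from the advisory. It assumes fetch(1) and gpg(1) are installed, that the CA bundle comes from the security/ca_root_nss port (the path Ronald gives), and it uses the HTTPS URL that fetch -v shows security.FreeBSD.org redirecting to. The function names and the `run` argument are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD): download a FreeBSD
# SA patch with peer verification against an explicit CA bundle, refusing
# to proceed when the bundle is absent or empty (fetch itself does not
# complain), then verify the detached PGP signature before applying.

# CA bundle installed by the security/ca_root_nss port (per the thread).
CA_BUNDLE="${CA_BUNDLE:-/usr/local/share/certs/ca-root-nss.crt}"
# HTTPS location that security.FreeBSD.org redirects to (from fetch -v).
PATCH_URL="https://www.FreeBSD.org/security/patches/SA-14:18/openssl-10.0.patch"

# Count PEM certificates in a bundle; prints 0 for a missing or empty file.
ca_bundle_count() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null)
    echo "${n:-0}"
}

# Succeed only if the bundle is readable and holds at least one certificate.
# This is exactly the check fetch skips when handed a bogus --ca-cert path.
ca_bundle_ok() {
    [ -r "$1" ] || return 1
    [ "$(ca_bundle_count "$1")" -gt 0 ]
}

# Download with peer verification pinned to our bundle. The only fallback
# is to stop: --no-verify-peer is never used.
fetch_verified() {
    url="$1"; out="$2"
    if ! ca_bundle_ok "$CA_BUNDLE"; then
        echo "CA bundle $CA_BUNDLE missing or empty: install security/ca_root_nss" >&2
        return 1
    fi
    fetch -v --ca-cert="$CA_BUNDLE" -o "$out" "$url"
}

# gpg's exit status is the verdict; a bad or unknown signature stops us here.
# (The advisory's "gpg --verify file.asc" form works too; naming both files
# avoids gpg guessing the data file name.)
verify_detached() {
    gpg --verify "$1" "$2"
}

# Only touch the network when invoked as: sh fetch-sa-patch.sh run
if [ "${1:-}" = "run" ]; then
    fetch_verified "$PATCH_URL" openssl-10.0.patch || exit 1
    fetch_verified "$PATCH_URL.asc" openssl-10.0.patch.asc || exit 1
    verify_detached openssl-10.0.patch.asc openssl-10.0.patch || exit 1
    echo "signature verified; apply with: cd /usr/src && patch < $PWD/openssl-10.0.patch"
fi
```

Run it with the `run` argument to perform the download; sourced without it, it only defines the functions, so `ca_bundle_ok` can be reused by other scripts that call fetch with --ca-cert.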
