Current-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

NetBSD Security Advisory 2015-006: OpenSSL and SSLv3 vulnerabilities

Hash: SHA1

		NetBSD Security Advisory 2015-006

Topic:		OpenSSL and SSLv3 vulnerabilities

Version:	NetBSD-current:		source prior to Jan 14th
		NetBSD 6.1 - 6.1.5:	affected
		NetBSD 6.0 - 6.0.6:	affected
		NetBSD 5.1 - 5.1.4:	affected
		NetBSD 5.2 - 5.2.2:	affected

Severity:	remote DoS, confidentiality compromise

Fixed:		NetBSD-current:		Jan 14th, 2015
		NetBSD-7 branch:	Jan 18th, 2015
		NetBSD-6-0 branch:	Jan 17th, 2015
		NetBSD-6-1 branch:	Jan 17th, 2015
		NetBSD-6 branch:	Jan 17th, 2015
		NetBSD-5-2 branch:	Jan 27th, 2015
		NetBSD-5-1 branch:	Jan 27th, 2015
		NetBSD-5 branch:	Jan 27th, 2015

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


This advisory covers the OpenSSL Security Advisory of Jan 8th, 2015
which lists eight different vulnerabilities:

DTLS segmentation fault in dtls1_get_record (CVE-2014-3571)             
DTLS memory leak in dtls1_buffer_record (CVE-2015-0206)                 
no-ssl3 configuration sets method to NULL (CVE-2014-3569)               
ECDHE silently downgrades to ECDH [Client] (CVE-2014-3572)              
RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)          
DH client certificates accepted without verification [Server] (CVE-2015-0205)
Certificate fingerprints can be modified (CVE-2014-8275)                
Bignum squaring may produce incorrect results (CVE-2014-3570)           

Please note that the OpenSSL project has announced the release of
a new version of OpenSSL, with advisories, on March 19th, 2015.

Technical Details


Solutions and Workarounds

Workarounds: the MiTM weakening of chosen encryption will not work
if the server does not allow weak encryption; this is usually
configurable on the server side.

Update the OpenSSL libraries.

- From source:
Update src and rebuild and install.
Note: OpenSSL in NetBSD-6, NetBSD-7 and NetBSD-current has been updated
to version 1.0.1k; NetBSD-5 received a more selective patch but that's
still 59 files touched. Updating the entire src tree is recommended.

- From tarballs:
To obtain fixed binaries, fetch the appropriate base.tgz and comp.tgz
from a daily build later than the fix dates, from<rel>/<date>/<arch>/binary/sets/
with a date later than the fix date for your branch as listed above,
and your release version and architecture
and then extract the files:

Shared libraries:

tar xzpf base.tgz \*libssl\* \*libcrypto\*

And static libraries and linker config files:

tar xzpf comp.tgz \*libssl\* \*libcrypto\*

Get the fixed library into use
Since the vulnerability is in a shared library, getting the old
library purged and the fixed one into use requires restarting
all programs that load libssl.
The easiest way to do this is to reboot the system.
Another method: using /bin/sh,
ps ax -o pid | (while read pid; do \
        pmap $pid | egrep '(libssl|libcrypto)' && echo found $pid ;\
will find non-chrooted programs that have the affected libraries open;
restart them. sshd will not show up in this list since it runs chrooted
and re-exec'ed but also needs to be restartet.
ldd <programname> will show the shared libraries a program will want to use.

Thanks To

Thanks to the OpenSSL team for the advisory and fixes,
Markus Stenberg of Cisco Systems, Inc. for reporting CVE-2014-3571,
Chris Mueller for reporting CVE-2015-0206,
Frank Schmirler for reporting CVE-2014-3569,
Karthikeyan Bhargavan of the PROSECCO team at INRIA for reporting
	CVE-2014-3572, CVE-2015-0204 and CVE-2015-0205,
Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS program,
and Konrad Kraszewski from Google, for reporting CVE-2014-8275,
Pieter Wuille from Blockstream, for reporting CVE-2014-3570 and suggesting
an initial fix, and Adam Langley of Google for further analysis of the issue.

Revision History

	2015-03-17	Initial release

More Information

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

Information about NetBSD and NetBSD security can be found at and .

Copyright 2015, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2015-006.txt,v 1.1 2015/03/17 06:58:44 spz Exp $

Version: GnuPG v1


Home | Main Index | Thread Index | Old Index