diff options
Diffstat (limited to 'share/security/advisories/FreeBSD-EN-15:08.sendmail.asc')
-rw-r--r-- | share/security/advisories/FreeBSD-EN-15:08.sendmail.asc | 165 |
1 files changed, 0 insertions, 165 deletions
diff --git a/share/security/advisories/FreeBSD-EN-15:08.sendmail.asc b/share/security/advisories/FreeBSD-EN-15:08.sendmail.asc deleted file mode 100644 index e5e333fae4..0000000000 --- a/share/security/advisories/FreeBSD-EN-15:08.sendmail.asc +++ /dev/null @@ -1,165 +0,0 @@ ------BEGIN PGP SIGNED MESSAGE----- -Hash: SHA512 - -============================================================================= -FreeBSD-EN-15:08.sendmail Errata Notice - The FreeBSD Project - -Topic: sendmail TLS/DH Interoperability Improvement - -Category: contrib -Module: sendmail -Announced: 2015-06-18; Last revised on 2015-06-30. -Credits: Frank Seltzer, Gregory Shapiro -Affects: All supported versions of FreeBSD. -Corrected: 2015-06-25 01:49:44 UTC (stable/10, 10.1-STABLE) - 2015-06-30 23:21:37 UTC (releng/10.1, 10.1-RELEASE-p14) - 2015-06-25 01:53:45 UTC (stable/9, 9.3-STABLE) - 2015-06-30 23:21:48 UTC (releng/9.3, 9.3-RELEASE-p18) - 2015-06-25 01:56:36 UTC (stable/8, 8.4-STABLE) - 2015-06-30 23:21:59 UTC (releng/8.4, 8.4-RELEASE-p32) - -For general information regarding FreeBSD Errata Notices and Security -Advisories, including descriptions of the fields above, security -branches, and the following sections, please visit -<URL:https://security.freebsd.org/>. - -0. Revision history - -v1.0 2015-06-18 Initial release. -v1.1 2015-06-30 Revised patch for non-existent DH parameter file. - -I. Background - -Sendmail supports STARTTLS encrypted connections using DHE_EXPORT -ciphers. As part of that support, by default, Sendmail employs 1024-bit -DH parameters for server connections but 512-bit DH parameters if -configured to use a DH parameter file that does not exist. - -II. Problem Description - -In response to CVE-2015-4000 ("Logjam TLS vulnerability"), OpenSSL and -other encryption packages have begun rejecting 512-bit and lower DH -parameters during negotiation, thereby reducing interoperability. - -III. Impact - -In its default FreeBSD configuration, client connections from Sendmail -to other SMTP servers will not be able to negotiate a STARTTLS encrypted -session with SMTP servers that reject 512-bit DH parameters. This may -cause mail deliverability issues for outbound mail. - -IV. Workaround - -Systems that do not use Sendmail are not affected. - -To work around this interoperability, Sendmail can be configured to use -a 1024 or 2048 bit DH parameter using these steps: - - 1. Edit /etc/mail/`hostname`.mc - 2. If a setting for confDH_PARAMETERS does not exist or - exists and is set to a string beginning with '5', - replace it with '1' for 1024-bit or '2' for 2048-bit. - 3. If a setting for confDH_PARAMETERS exists and is set to - a file path, create a new file with: - openssl dhparam -out /path/to/file 2048 - for 2048-bit or: - openssl dhparam -out /path/to/file 1024 - for 1024-bit. - - 4. Rebuild the .cf file: - cd /etc/mail/; make; make install - 5. Restart sendmail: - cd /etc/mail/; make restart - -V. Solution - -A change to the raise the default for Sendmail connections to use -1024-bit DH parameters if the configured DH parameters file does not -exist has been committed. - -Perform one of the following: - -1) Upgrade your system to a supported FreeBSD stable or release / security -branch (releng) dated after the correction date. - -2) To update your present system via a binary patch: - -Systems running a RELEASE version of FreeBSD on the i386 or amd64 -platforms can be updated via the freebsd-update(8) utility: - -# freebsd-update fetch -# freebsd-update install - -3) To update your present system via a source code patch: - -The following patches have been verified to apply to the applicable -FreeBSD release branches. - -a) Download the relevant patch from the location below, and verify the -detached PGP signature using your PGP utility. - -# fetch https://security.FreeBSD.org/patches/EN-15:08/sendmail.patch -# fetch https://security.FreeBSD.org/patches/EN-15:08/sendmail.patch.asc -# gpg --verify sendmail.patch.asc - -# fetch https://security.FreeBSD.org/patches/EN-15:08/sendmail-01.patch -# fetch https://security.FreeBSD.org/patches/EN-15:08/sendmail-01.patch.asc -# gpg --verify sendmail.patch.asc - -b) Apply the patch. Execute the following commands as root: - -# cd /usr/src -# patch < /path/to/patch - -c) Recompile the operating system using buildworld and installworld as -described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. - -Restart the Sendmail daemon(s), or reboot the system. - -VI. Correction details - -The following list contains the correction revision numbers for each -affected branch. - -Branch/path Revision -- ------------------------------------------------------------------------- -stable/8/ r284790 -releng/8.4/ r284987 -stable/9/ r284788 -releng/9.3/ r284986 -stable/10/ r284786 -releng/10.1/ r284985 -- ------------------------------------------------------------------------- - -To see which files were modified by a particular revision, run the -following command, replacing NNNNNN with the revision number, on a -machine with Subversion installed: - -# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base - -Or visit the following URL, replacing NNNNNN with the revision number: - -<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> - -VII. References - -The latest revision of this Errata Notice is available at -https://security.FreeBSD.org/advisories/FreeBSD-EN-15:08.sendmail.asc ------BEGIN PGP SIGNATURE----- -Version: GnuPG v2.1.5 (FreeBSD) - -iQIcBAEBCgAGBQJVkyZLAAoJEO1n7NZdz2rnsdsP/2+xJUiaNWialSFlTwE75sHC -vN/CrkceLw6QrUi5U0PpQdI7xP/y8Cspj/vDCNUbHlkK8WfA5G8J6WhyyaVxMREG -aZTPHFBn0/IeP2vxlyf0PLq6hL1KtasOQNjDEasUMb4uclaE+hn3QxrWk+KGoe8B -8rZHYS6Y9gOfWLJj7Rvf6T6TEtKf8Mz1cBfn7lRQbF7yDwkvNDpmNv7BhTQOM5rw -/2q2i4ZjuZT4AX0IaSzZLC1dEyxuUKqAxMV1D+F1WYBQqMUwnoJLMAETmWXphuSa -QGDNU0w3PbAJrgK06qeLSswVo/r/5h+kjra5eL17MPKZPO+sWHv9E1jS7wUsbsFB -RE7kcafgWcN9S0TBldyuFo9g8nwjsWq4uooSLrf8pG8y7U6FtXbgyitS3BNVKT7i -9GqzTi89HKPefnPQR5wfJIl9YXgKvWJ/FNei7MpGTl2LGKHSd2P/21+OoIjfNeQl -hYOP9uWDrk3Uf7gJVrJOobMfme5Zb1/LDSQegTIFjzQ0Iac1p4nqj53rzG2Nufyx -/Y93rKOz280NCS193buARcl4KmFp9oGaJTjVG9Cthu8FUFlCkCeZl13ZrhDufKBS -z2ZEwkIYFamOFjbhCUJ5wm3gsozV7bzAOSRQEFEzzLDlYGPv2RPDAlgREcuzxr8N -OhK1HFcIqXbXRthWN7Sp -=ibhZ ------END PGP SIGNATURE----- |