-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-EN-15:02.openssl                                        Errata Notice
                                                          The FreeBSD Project

Topic:          OpenSSL update

Category:       contrib
Module:         openssl
Announced:      2015-02-25
Affects:        All supported versions of FreeBSD.
Corrected:      2015-01-23 19:14:36 UTC (stable/10, 10.1-STABLE)
                2015-02-25 05:56:16 UTC (releng/10.1, 10.1-RELEASE-p6)
                2015-02-25 05:56:16 UTC (releng/10.0, 10.0-RELEASE-p18)
                2015-01-09 01:11:43 UTC (stable/9, 9.3-STABLE)
                2015-02-25 05:56:54 UTC (releng/9.3, 9.3-RELEASE-p10)
                2015-01-09 01:11:43 UTC (stable/8, 8.4-STABLE)
                2015-02-25 05:56:54 UTC (releng/8.4, 8.4-RELEASE-p24)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.freebsd.org/>.

I.   Background

FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

II.  Problem Description

The OpenSSL software bundled with the FreeBSD base system has diverged
due to various security advisories in the past, and some reliability fixes
were not merged.

III. Impact

Divergence in the cryptographic code makes it harder to review changes, and
running unique code exposes users who run FreeBSD to possible unique bugs,
if there are any.

IV.  Workaround

No workaround is available, but systems that do not use base system OpenSSL
for public facing services are not affected.

V.   Solution

Perform one of the following:

1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.

2) To update your present system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your present system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 8.4]
# fetch https://security.FreeBSD.org/patches/EN-15:02/openssl-8.4.patch
# fetch https://security.FreeBSD.org/patches/EN-15:02/openssl-8.4.patch.asc

[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/EN-15:02/openssl-9.3.patch
# fetch https://security.FreeBSD.org/patches/EN-15:02/openssl-9.3.patch.asc

[FreeBSD 10.0]
# fetch https://security.FreeBSD.org/patches/EN-15:02/openssl-10.0.patch
# fetch https://security.FreeBSD.org/patches/EN-15:02/openssl-10.0.patch.asc

[FreeBSD 10.1]
# fetch https://security.FreeBSD.org/patches/EN-15:02/openssl-10.1.patch
# fetch https://security.FreeBSD.org/patches/EN-15:02/openssl-10.1.patch.asc

# gpg --verify XXXX.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart all daemons using the library, or reboot the system.
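
Added example, not part of the advisory: a POSIX sh helper that compares a
host's release string against the patch levels in the "Corrected" field above
and picks the matching source patch URL.  The function names and status words
are illustrative; pass in the version string your host reports (for example
from freebsd-version -u on releases that ship it).

```shell
#!/bin/sh
# Added example. Patch levels and URLs are copied from this notice.

# fixed_patchlevel RELEASE -> lowest -pN that contains the correction
fixed_patchlevel() {
    case "$1" in
        10.1) echo 6 ;;
        10.0) echo 18 ;;
        9.3)  echo 10 ;;
        8.4)  echo 24 ;;
        *)    return 1 ;;
    esac
}

# en1502_status VERSION -> corrected | needs-update | check-date | unknown
en1502_status() {
    ver=$1
    case "$ver" in
        *-RELEASE*) ;;
        # -STABLE carries no patch level; compare the build date instead.
        *-STABLE*)  echo check-date; return 0 ;;
        *)          echo unknown; return 0 ;;
    esac
    rel=${ver%%-*}                      # "10.1-RELEASE-p5" -> "10.1"
    case "$ver" in
        *-RELEASE-p*) pl=${ver##*-p} ;; # "10.1-RELEASE-p5" -> "5"
        *)            pl=0 ;;           # plain -RELEASE is patch level 0
    esac
    # Reject anything that is not a plain non-negative integer.
    case "$pl" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    min=$(fixed_patchlevel "$rel") || { echo unknown; return 0; }
    if [ "$pl" -ge "$min" ]; then echo corrected; else echo needs-update; fi
}

# patch_url VERSION -> source patch URL for that release branch
patch_url() {
    rel=${1%%-*}
    fixed_patchlevel "$rel" >/dev/null || return 1
    echo "https://security.FreeBSD.org/patches/EN-15:02/openssl-$rel.patch"
}

# Stand-alone use: sh en1502.sh 10.1-RELEASE-p5
if [ "$#" -gt 0 ]; then en1502_status "$1"; fi
```

A "check-date" result means the branch is -STABLE, so compare the build date
with the stable/N timestamps in the "Corrected" field.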

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/8/                                                         r276865
releng/8.4/                                                       r279265
stable/9/                                                         r276865
releng/9.3/                                                       r279265
stable/10/                                                        r277597
releng/10.0/                                                      r279264
releng/10.1/                                                      r279264
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

The latest revision of this Errata Notice is available at
https://security.FreeBSD.org/advisories/FreeBSD-EN-15:02.openssl.asc
