DaemonForums  


News: News regarding BSD and related.

#1   8th April 2014
comet--berkeley (Real Name: Richard), Package Pilot. Join Date: Apr 2009; Location: California; Posts: 163
Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping

http://arstechnica.com/security/2014...eavesdropping/

Quote:
Researchers have discovered an extremely critical defect in the cryptographic software library an estimated two-thirds of Web servers use to identify themselves to end users and prevent the eavesdropping of passwords, banking credentials, and other sensitive data.

The warning about the bug in OpenSSL coincided with the release of version 1.0.1g of the open-source program, which is the default cryptographic library used in the Apache and nginx Web server applications, as well as a wide variety of operating systems and e-mail and instant-messaging clients. The bug, which has resided in production versions of OpenSSL for more than two years, could make it possible for people to recover the private encryption key at the heart of the digital certificates used to authenticate Internet servers and to encrypt data traveling between them and end users. Attacks leave no traces in server logs, so there's no way of knowing if the bug has been actively exploited. Still, the risk is extraordinary, given the ability to disclose keys, passwords, and other credentials that could be used in future compromises.
#2   8th April 2014
comet--berkeley (Real Name: Richard), Package Pilot. Join Date: Apr 2009; Location: California; Posts: 163

OpenBSD just released a patch to stable version 5.4 in order to fix this.
Quote:
007: SECURITY FIX: April 8, 2014 All architectures
Missing bounds checking in OpenSSL's implementation of the TLS/DTLS heartbeat extension (RFC6520) which can result in a leak of memory contents.
http://www.openbsd.org/errata54.html
#3   8th April 2014
comet--berkeley (Real Name: Richard), Package Pilot. Join Date: Apr 2009; Location: California; Posts: 163

Quote:
Originally Posted by comet--berkeley
OpenBSD just released a patch to stable version 5.4 in order to fix this.

http://www.openbsd.org/errata54.html
This patch applies to versions 5.3 and 5.5 as well...

Quote:
OpenBSD 5.4 errata 7, Apr 8, 2014: Missing bounds checking in OpenSSL's
implementation of the TLS/DTLS heartbeat extension (RFC6520) which, if
exploited, can result in a leak of memory contents.

After patching, private keys and certificates exposed to services running
this code (for example web/mail server SSL certificates) should be replaced
and old certificates revoked.


Only SSL/TLS services are affected. Software that uses libcrypto alone
is not affected. In particular, ssh/sshd are not affected and there
is no need to regenerate SSH host keys that have not otherwise been
exposed.
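The bounds check that errata 007 describes as missing, shown as an added example in C (this is not code from the thread, from OpenSSL or from OpenBSD's patch); the message layout follows RFC 6520, while the function names and the two sample records are constructed for the illustration.

```c
/* Added example: length validation for a TLS/DTLS HeartbeatMessage as
 * laid out in RFC 6520.  Not OpenSSL's or OpenBSD's code; hb_parse,
 * hb_parse_len and the hb_sample_* records are constructed here. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_MIN_PAD  16   /* RFC 6520: at least 16 bytes of random padding */
#define HB_HDR      3    /* type (1 byte) + payload_length (2 bytes)      */

/* Parse one HeartbeatMessage carried in a record of rec_len bytes.  Copies
 * the payload into out (capacity out_cap) and returns its length, or -1
 * for anything malformed; RFC 6520 says such messages must be discarded. */
int hb_parse(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_MIN_PAD)            /* smallest legal message */
        return -1;
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];   /* uint16, network order */

    /* The bounds check at the heart of errata 007: the peer-supplied
     * payload_length must fit inside the bytes that actually arrived, with
     * room left for the padding.  Without it the memcpy below reads
     * payload_len bytes past a short record, i.e. adjacent heap memory. */
    if (HB_HDR + payload_len + HB_MIN_PAD > rec_len)
        return -1;
    if (payload_len > out_cap)
        return -1;
    memcpy(out, rec + HB_HDR, payload_len);
    return (int)payload_len;
}

/* Constructed sample records: type, 2-byte length, payload, 16 bytes padding. */
const uint8_t hb_sample_ok[] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
/* Same 23 bytes on the wire, but payload_length claims 65535. */
const uint8_t hb_sample_overclaim[] = { HB_REQUEST, 0xFF, 0xFF, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

/* Convenience wrapper: parse into a local buffer and report the result. */
int hb_parse_len(const uint8_t *rec, size_t rec_len)
{
    uint8_t buf[64];
    return hb_parse(rec, rec_len, buf, sizeof buf);
}
```

With the check in place the over-claimed record is rejected outright instead of being answered with whatever followed it in memory.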
#4   8th April 2014
jggimi, More noise than signal. Join Date: May 2008; Location: USA; Posts: 7,977

Thank you, comet--berkeley.

Users of -current should also maintain their systems. Either -current users should upgrade to a snapshot built after Monday Apr 7 23:57:27 2014 UTC (14 hours ago at this writing) or if they maintain by source they should update src/lib/libssl/src/ssl/d1_both.c so it is at or beyond r1.3, then rebuild. Then replace their keys.

Last edited by jggimi; 8th April 2014 at 02:51 PM.
#5   8th April 2014
IdOp, Too dumb for a smartphone. Join Date: May 2008; Location: twisting on the daemon's fork(2); Posts: 1,027

Thank you also. Updated packages for Slackware are available at the main site but not yet on all mirrors.
#6   10th April 2014
shep (Real Name: Scott), Arp Constable. Join Date: May 2008; Location: Dry and Dusty; Posts: 1,503

Theo weighs in on openbsd-misc
#7   13th April 2014
comet--berkeley (Real Name: Richard), Package Pilot. Join Date: Apr 2009; Location: California; Posts: 163
Saturday April 12...another OpenBSD 5.4 patch for OpenSSL

Yet another OpenBSD 5.4 patch to OpenSSL:

Quote:
OpenBSD 5.4 errata 8, Apr 12, 2014: A use-after-free race condition
in OpenSSL's read buffer may permit an attacker to inject data from
one connection into another.

The advice in the previous OpenSSL errata also applies.
http://www.openbsd.org/errata54.html

http://ftp.openbsd.org/pub/OpenBSD/p..._openssl.patch