| Field | Value |
|---|---|
| Summary: | [patch] [vuxml] security/openssl: update to 0.9.8k thus fixing secadv_20090325 |
| Product: | Ports & Packages |
| Reporter: | Eygene Ryabinkin <rea-fbsd> |
| Component: | Individual Port(s) |
| Assignee: | Dirk Meyer <dinoex> |
| Status: | Closed FIXED |
| Severity: | Affects Only Me |
| Priority: | Normal |
| Version: | Latest |
| Hardware: | Any |
| OS: | Any |
Description
Eygene Ryabinkin
2009-03-28 14:50:01 UTC
Responsible Changed From-To: freebsd-ports-bugs->dinoex
Over to maintainer (via the GNATS Auto Assign Tool)

dinoex
2009-03-28 17:32:24 UTC
FreeBSD ports repository

Modified files:
  security/openssl         Makefile distinfo
Removed files:
  security/openssl/files   patch-enc_min.c
Log:
- Security update to 0.9.8k

Security: http://www.openssl.org/news/secadv_20090325.txt
Security: CVE-2009-0590
Security: CVE-2009-0591 (port not affected)
Security: CVE-2009-0789
PR: 133156
Submitted by: Eygene Ryabinkin

Revision  Changes  Path
1.145     +1 -2    ports/security/openssl/Makefile
1.51      +3 -3    ports/security/openssl/distinfo
1.2       +0 -11   ports/security/openssl/files/patch-enc_min.c (dead)

Eygene Ryabinkin
Here are the references to the OpenSSL repository commits that were fixing the vulnerabilities mentioned in secadv_20090325:

http://cvs.openssl.org/chngview?cn=17907
http://cvs.openssl.org/chngview?cn=17908
http://cvs.openssl.org/chngview?cn=17909

I see that both /stable/7 and /head have no such changes, so they should be evaluated and possibly added to the bundled OpenSSL, because it seems to be also vulnerable to the mentioned bugs.
--
Eygene
"Remember that it is hard to read the on-line manual while single-stepping the kernel." -- FreeBSD Developers handbook

State Changed From-To: open->patched
port is updated. waiting for vulnerability entry. and keep it open for base.

Eygene Ryabinkin
Sun, Mar 29, 2009 at 03:04:44AM +0400, Eygene Ryabinkin wrote:
> I see that both /stable/7 and /head have no such changes, so they should
> be evaluated and possibly added to the bundled OpenSSL, because it seems
> to be also vulnerable to the mentioned bugs.

Base systems received patch for OpenSSL issue 7 hours ago (FreeBSD-SA-09:08.openssl), so the only thing that is left is the VuXML entry for the base system. I had drafted one:

--- vuln.xml begins here ---
```xml
<vuln vid="fbc8413f-2f7a-11de-9a3f-001b77d09812">
  <topic>FreeBSD -- remotely exploitable crash in OpenSSL</topic>
  <affects>
    <package>
      <name>FreeBSD</name>
      <range><ge>6.3</ge><lt>6.3_10</lt></range>
      <range><ge>6.4</ge><lt>6.4_4</lt></range>
      <range><ge>7.0</ge><lt>7.0_12</lt></range>
      <range><ge>7.1</ge><lt>7.1_5</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <h1>Problem Description</h1>
      <p>The function ASN1_STRING_print_ex does not properly validate
      the lengths of BMPString or UniversalString objects before
      attempting to print them.</p>
      <h1>Impact</h1>
      <p>An application which attempts to print a BMPString or
      UniversalString which has an invalid length will crash as a
      result of OpenSSL accessing invalid memory locations. This could
      be used by an attacker to crash a remote application.</p>
      <h1>Workaround</h1>
      <p>No workaround is available, but applications which do not use
      the ASN1_STRING_print_ex function (either directly or indirectly)
      are not affected.</p>
    </body>
  </description>
  <references>
    <freebsdsa>SA-09:08.openssl</freebsdsa>
    <cvename>CVE-2009-0590</cvename>
  </references>
  <dates>
    <discovery>2009-03-25</discovery>
    <entry>TODAY</entry>
  </dates>
</vuln>
```
--- vuln.xml ends here ---
--
Eygene
"Remember that it is hard to read the on-line manual while single-stepping the kernel." -- FreeBSD Developers handbook

dinoex
2009-05-07 07:40:39 UTC
FreeBSD ports repository

Modified files:
  security/vuxml   vuln.xml
Log:
- add SA-09:08.openssl

PR: 133156

Revision  Changes  Path
1.1924    +39 -1   ports/security/vuxml/vuln.xml

State Changed From-To: patched->closed
committed, thanks.
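The VuXML entry drafted in this PR describes the bug as ASN1_STRING_print_ex printing BMPString and UniversalString values without first validating their lengths. The C program below is an added illustration, written for this page and not OpenSSL's code or anything attached to PR 133156, of the check such a printer needs: both encodings use fixed-width code units (2 bytes for BMPString, 4 for UniversalString), so a byte count that is not a whole number of units is rejected before any payload byte is read, instead of letting the last read run off the end of the buffer. The tag numbers are the X.680 universal-class values; the function names and the sample byte strings are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Universal-class tag numbers (X.680) for the two fixed-width string types
 * named in the advisory. */
#define TAG_UNIVERSALSTRING 28
#define TAG_BMPSTRING       30

/* Code-unit width in bytes: BMPString is UCS-2, UniversalString is UCS-4.
 * Returns 0 for any other tag so callers cannot fall through with a bogus width. */
static size_t unit_width(int tag)
{
    switch (tag) {
    case TAG_BMPSTRING:       return 2;
    case TAG_UNIVERSALSTRING: return 4;
    default:                  return 0;
    }
}

/* Read one big-endian code unit of 'width' bytes at p. The caller has
 * already guaranteed that p[0..width-1] lies inside the buffer. */
static uint32_t read_unit(const unsigned char *p, size_t width)
{
    uint32_t c = 0;
    for (size_t i = 0; i < width; i++)
        c = (c << 8) | p[i];
    return c;
}

/* Render a BMPString/UniversalString into 'out' as printable ASCII, escaping
 * everything else as \UXXXXXXXX. Returns the number of characters decoded,
 * or -1 if the input is rejected. The length check before the loop is the
 * point of the example: a byte count that is not a multiple of the unit
 * width means the final read_unit() would otherwise read past 'buf'. */
int print_wide_string(int tag, const unsigned char *buf, size_t len,
                      char *out, size_t outsz)
{
    size_t width = unit_width(tag);
    size_t used = 0;
    int count = 0;

    if (width == 0 || outsz == 0)
        return -1;
    out[0] = '\0';

    /* Validate the length before touching any byte of the payload. */
    if (len % width != 0)
        return -1;

    for (size_t off = 0; off < len; off += width) {
        uint32_t c = read_unit(buf + off, width);
        int n;

        /* Reject values that are not Unicode scalar values. */
        if (c > 0x10FFFF || (c >= 0xD800 && c <= 0xDFFF))
            return -1;

        if (c >= 0x20 && c < 0x7F)
            n = snprintf(out + used, outsz - used, "%c", (int)c);
        else
            n = snprintf(out + used, outsz - used, "\\U%08X", (unsigned)c);
        if (n < 0 || (size_t)n >= outsz - used)
            return -1;  /* output buffer too small: fail closed */
        used += (size_t)n;
        count++;
    }
    return count;
}

/* Demonstration wrapper: decode into a static buffer, or return NULL when
 * the input is rejected. */
const char *decode_or_null(int tag, const unsigned char *buf, size_t len)
{
    static char scratch[256];
    return print_wide_string(tag, buf, len, scratch, sizeof scratch) < 0
               ? NULL : scratch;
}

/* Constructed sample inputs (not taken from any real certificate). */
const unsigned char SAMPLE_BMP_HI[]        = {0x00, 0x48, 0x00, 0x69};       /* "Hi" */
const unsigned char SAMPLE_BMP_EACUTE[]    = {0x00, 0xE9};                   /* U+00E9 */
const unsigned char SAMPLE_BMP_SURROGATE[] = {0xD8, 0x00};                   /* lone surrogate */
const unsigned char SAMPLE_UNIV_A[]        = {0x00, 0x00, 0x00, 0x41};       /* "A" */
const unsigned char SAMPLE_UNIV_TRUNC[]    = {0x00, 0x00, 0x00, 0x41, 0x00}; /* 5 bytes: not whole units */

int main(void)
{
    const char *s;
    s = decode_or_null(TAG_BMPSTRING, SAMPLE_BMP_HI, 4);
    printf("BMPString, 4 bytes      : %s\n", s ? s : "rejected");
    s = decode_or_null(TAG_BMPSTRING, SAMPLE_BMP_HI, 3);
    printf("BMPString, 3 bytes      : %s\n", s ? s : "rejected");
    s = decode_or_null(TAG_UNIVERSALSTRING, SAMPLE_UNIV_TRUNC, 5);
    printf("UniversalString, 5 bytes: %s\n", s ? s : "rejected");
    return 0;
}
```

Rejecting on a length mismatch rather than rounding it down or padding is the defender-friendly choice: it turns a malformed DN or SAN into a clean decode error that the calling application can log, where the original behaviour let the bad length propagate into an out-of-bounds read and a crash.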