LibSSL Patch Available

Contributed by tbert on 2015-03-12 from the get-your-FREAK-on dept.

Patches for the recently-announced FREAK attack are now available:

When CVE-2015-0204 (RSA silently downgrades to EXPORT_RSA) was announced, it was labeled "Severity: Low". Our assessment at the time was that export ciphers had already been removed prior to the release of 5.6, and that the fix was not worth backporting to 5.5.
Then CVE-2015-0204 was renamed the FREAK attack. Now it has a fancy name so you know it's important.
Unfortunately, our original assessment was not entirely correct. Some of the features exploited by FREAK were not deleted until after 5.6, although this was not known until testing tools became available. We've corrected libssl by backporting the necessary changes to 5.6.

The patch below includes the fix for CVE-2015-0204 as well as some other "low severity" fixes for similar downgrade issues relating to ECDHE.
Statement regarding 5.5: SSL/TLS is hooped. There have been too many changes, large and small, that make backporting and testing indvidual fixes difficult. Additionally, many small fixes get overlooked.
Thanks to Florian Riehm for pointing out that 5.6 was still vulnerable to FREAK.
http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/017_openssl.patch.sig
untrusted comment: signature from openbsd 5.6 base private key RWR0EANmo9nqhpxHVrEZWmf2qAA9zblsetB0gpcMFrkMumxjVXGdcaRNHc7TS+IkdiYNDncAU2qjYSaM8bDI+nQp9HUayjp3RQQ=
OpenBSD 5.6 errata 17, Mar 13, 2015:
Don't permit TLS client connections to be downgraded to weak keys.
Apply by doing:
    cd /usr/src
    signify -Vep /etc/signify/openbsd-56-base.pub -x 017_openssl.patch.sig -m - | \
        patch -p0
And then rebuild and install libssl:
    cd lib/libssl/ssl
    make obj
    make depend
    make
    make install

(Comments are closed)

Comments

By Anonymous Coward (72.95.160.22) on 2015-03-12 12:37

>
> OpenBSD 5.6 errata 17, Mar 13, 2015:
>

This patch appears to be from the future!

>
> cd lib/libssl/ssl
> make obj
> make depend
> make
> make install
>

I thought that "make depend" wasn't needed anymore. Is that line necessary?
Comments
1. By brynet (Brynet) on 2015-03-12 16:27 http://brynet.biz.tm/
  
  > I thought that "make depend" wasn't needed anymore.
  
  That's for the kernel.
  Comments
  1. By Anonymous Coward (72.95.160.22) on 2015-03-13 15:19
    
    > > I thought that "make depend" wasn't needed anymore.
    >
    > That's for the kernel.
    
    But then why didn't the previous LibSSl patch
    
    http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/005_nosslv3.patch.sig
    
    include a "make depend"?
By Anonymous Coward (174.141.67.42) on 2015-03-12 15:50

Does this mean that 5.5 is still possibly vulnerable to a FREAK attack?
Or am I reading it wrong?
Comments
1. By Anonymous Coward (62.224.111.40) on 2015-03-13 10:06
  
  > Does this mean that 5.5 is still possibly vulnerable to a FREAK attack?
  > Or am I reading it wrong?
  
  From TFA: "Statement regarding 5.5: SSL/TLS is hooped."
  
  It appears that you are not reading it wrong. Time to perform a security-related upgrade for you, it seems :)

Latest Articles

Wed, Apr 24
- 04:35 Game of Trees 0.98 released (0)
Tue, Apr 23
- 05:25 pfctl(8) and systat(8) to display fragment reassembly statistics (0)
Thu, Apr 18
- 05:05 Coming soon to a -current system near you: parallel raw IP input (0)
Wed, Apr 17
- 05:33 In -current, default write format for tar(1) changed to "pax" (12)
Wed, Apr 10
- 18:50 OpenSMTPD 7.5.0p0 Released (2)
Tue, Apr 09
- 04:49 20 years since "and we're just starting": undeadly.org turns 20 (2024-04-09) (13)
Fri, Apr 05
- 06:16 OpenBSD 7.5 released (3)
Thu, Mar 28
- 18:18 LibreSSL 3.8.4 and 3.9.1 released (0)
Tue, Mar 12
- 06:53 OpenSSH 9.7/9.7p1 released! (0)

Credits

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]