Current-Users archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
NetBSD Security Advisory 2011-002: OpenSSL TLS extension parsing race condition
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Advisory 2011-002
=================================
Topic: OpenSSL TLS extension parsing race condition.
Version: NetBSD-current: source prior to February 11, 2011
NetBSD 5.0.*: affected
NetBSD 5.0: affected
NetBSD 5.1: affected
NetBSD 4.0.*: not affected
NetBSD 4.0: not affected
pkgsrc: openssl package prior to 0.9.8qnb1
Severity: Denial of Service and potential Information Disclosure
Fixed: NetBSD-current: February 11, 2011
NetBSD-5-0 branch: February 17, 2011
NetBSD-5-1 branch: February 17, 2011
NetBSD-5 branch: February 17, 2011
pkgsrc 2010Q4: openssl-0.9.8qnb1 corrects this issue
Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.
Abstract
========
Incorrectly formatted ClientHello handshake messages could cause OpenSSL
to parse past the end of the message.
Applications are only affected if they act as a server and call
SSL_CTX_set_tlsext_status_cb on the server's SSL_CTX. This includes
Apache httpd >= 2.3.3, if configured with "SSLUseStapling On".
This vulnerability has been assigned CVE-2011-0014.
Technical Details
=================
Incorrectly formatted ClientHello handshake messages could cause OpenSSL
to parse past the end of the message. An attacker may be able to cause
a crash (denial of service) by triggering invalid memory accesses.
The results of the parse are only available to the application using
OpenSSL so do not directly cause an information leak. However, some
applications may expose the contents of parsed OCSP extensions,
specifically an OCSP nonce extension. An attacker could use this to read
the contents of memory following the ClientHello.
See http://www.openssl.org/news/secadv_20110208.txt for the vulnerability
announcement from OpenSSL.
Solutions and Workarounds
=========================
- - Patch, recompile, and reinstall libssl.
CVS branch file revision
------------- ---------------- --------
HEAD src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c 1.4
CVS branch file revision
------------- ---------------- --------
netbsd-5-1 src/crypto/dist/openssl/ssl/t1_lib.c 1.2.12.3
netbsd-5-0 src/crypto/dist/openssl/ssl/t1_lib.c 1.2.8.3
netbsd-5 src/crypto/dist/openssl/ssl/t1_lib.c 1.2.4.3
The following instructions briefly summarize how to update and
recompile libssl. In these instructions, replace:
BRANCH with the appropriate CVS branch (from the above table)
FILES with the file names for that branch (from the above table)
To update from CVS, re-build, and re-install libc and sftp:
* NetBSD-current:
# cd src
# cvs update -d -P -A crypto/external/bsd/openssl/dist/ssl
# cd lib/libcrypt
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../../crypto/external/bsd/openssl/lib/libcrypto
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../libssl
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 5.*:
# cd src
# cvs update -d -P -r BRANCH crypto/dist/openssl/ssl
# cd lib/libcrypt
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../libcrypto
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../libssl
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
For more information on building (oriented towards rebuilding the
entire system, however) see:
http://www.netbsd.org/guide/en/chap-build.html
Thanks To
=========
Thanks to Neel Mehta (Google) for discovering the problem and
Adam Langley and Bodo Moeller (Google) for providing the fix.
Revision History
================
2011-03-08 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2011-002.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .
Copyright 2011, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2011-002.txt,v 1.1 2011/03/08 01:36:24 tonnerre Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (NetBSD)
iQIcBAEBAgAGBQJNdYhcAAoJEAZJc6xMSnButaEQALUOV70xn1FWvE6t82fpiEjn
1AUuK7khEjpazxDmrsr4XQ39XgmuKV3Sgr1vYnn3x0GVWpUNIZA6OIRP49TIwPAV
tqFyP6G9HONtdam2MwEmv8Mg0OuK+M3AUrys3wv/YXecnpoju5bVzTrYs3L0X4SH
qnlZDoUWCX4yXXCgowtSUEQdhyNc0SDb7m6aKASAwyNRRDROCXAkuWRkNROnFCX5
Vnkpjqkq1ihLnYW16mo0T/TxBF2MmNl9HIwo1DBKGeoizsj8HdY7cFJ3ztf2wYH0
ZuSFq7iFyuDjvdA2AjnBQVz7O5SmeQLfsXCLoMoO60punExQMUoLy9mRPIuPo7b4
6p3OnV62GYI4iPuOjsob1R42nq7i93CMsKD0E//8Q3lhFuRyUkATVjgMU+u0ftOc
80sOAln2Am6pP0NzauU7iFFHZ80FhObBlvdiFev6UymdHSiM7ISfRBhcfcCnIrXy
rpL1miPULcToy6hdvpvwPmSkgSBzt0UAx64ZfM5jGu3GHDDdsI+B5BjLudtDhvjP
kK2W1gx5v1PQWoi/wgfxT6WGbBq6Moh7clkMlzZ3NBdu/T/lRabeqDzpcuDBfRIE
xLuwRwu+Jx/AUnEIa8wQMKQpDI9tKyJU1zCKr4ZitEKtkkCmUV5dRtJQp1Mps3Ud
rvNTRBXAtiCpBNPJpryg
=WMth
-----END PGP SIGNATURE-----
Home |
Main Index |
Thread Index |
Old Index