FreeBSD-SA-12:01.openssl(修订)

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

=============================================================================
FreeBSD-SA-12:01.openssl Security Advisory
The FreeBSD Project

Topic: OpenSSL multiple vulnerabilities

Category: contrib
Module: openssl
Announced: 2012-05-03
Credits: Adam Langley, George Kadianakis, Ben Laurie,
Ivan Nestlerode, Tavis Ormandy
Affects: All supported versions of FreeBSD.
Corrected: 2012-05-30 12:01:28 UTC (RELENG_7, 7.4-STABLE)
2012-05-30 12:01:28 UTC (RELENG_7_4, 7.4-RELEASE-p8)
2012-05-30 12:01:28 UTC (RELENG_8, 8.3-STABLE)
2012-05-30 12:01:28 UTC (RELENG_8_3, 8.3-RELEASE-p2)
2012-05-30 12:01:28 UTC (RELENG_8_2, 8.2-RELEASE-p8)
2012-05-30 12:01:28 UTC (RELENG_8_1, 8.1-RELEASE-p10)
2012-05-30 12:01:28 UTC (RELENG_9, 9.0-STABLE)
2012-05-30 12:01:28 UTC (RELENG_9_0, 9.0-RELEASE-p2)
CVE Name: CVE-2011-4576, CVE-2011-4619, CVE-2011-4109,
CVE-2012-0884, CVE-2012-2110

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

0. Revision History

v1.0 2012-05-02 Initial release.
v1.1 2012-05-30 Updated patch to add SGC and BUF_MEM_grow_clean(3) bug
fixes.

I. Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

II. Problem Description

OpenSSL fails to clear the bytes used as block cipher padding in SSL 3.0
records when operating as a client or a server that accept SSL 3.0
handshakes. As a result, in each record, up to 15 bytes of uninitialized
memory may be sent, encrypted, to the SSL peer. This could include
sensitive contents of previously freed memory. [CVE-2011-4576]

OpenSSL support for handshake restarts for server gated cryptography (SGC)
can be used in a denial-of-service attack. [CVE-2011-4619]

If an application uses OpenSSL’s certificate policy checking when
verifying X509 certificates, by enabling the X509_V_FLAG_POLICY_CHECK
flag, a policy check failure can lead to a double-free. [CVE-2011-4109]

A weakness in the OpenSSL PKCS #7 code can be exploited using
Bleichenbacher’s attack on PKCS #1 v1.5 RSA padding also known as the
million message attack (MMA). [CVE-2012-0884]

The asn1_d2i_read_bio() function, used by the d2i_*_bio and d2i_*_fp
functions, in OpenSSL contains multiple integer errors that can cause
memory corruption when parsing encoded ASN.1 data. This error can occur
on systems that parse untrusted ASN.1 data, such as X.509 certificates
or RSA public keys. [CVE-2012-2110]

III. Impact

Sensitive contents of the previously freed memory can be exposed
when communicating with a SSL 3.0 peer. However, FreeBSD OpenSSL
version does not support SSL_MODE_RELEASE_BUFFERS SSL mode and
therefore have a single write buffer per connection. That write buffer
is partially filled with non-sensitive, handshake data at the beginning
of the connection and, thereafter, only records which are longer than
any previously sent record leak any non-encrypted data. This, combined
with the small number of bytes leaked per record, serves to limit to
severity of this issue. [CVE-2011-4576]

Denial of service can be caused in the OpenSSL server application
supporting server gated cryptography by performing multiple handshake
restarts. [CVE-2011-4619]

The double-free, when an application performs X509 certificate policy
checking, can lead to denial of service in that application.
[CVE-2011-4109]

A weakness in the OpenSSL PKCS #7 code can lead to a successful
Bleichenbacher attack. Only users of PKCS #7 decryption operations are
affected. A successful attack needs on average 2^20 messages. In
practice only automated systems will be affected as humans will not be
willing to process this many messages. SSL/TLS applications are not
affected. [CVE-2012-0884]

The vulnerability in the asn1_d2i_read_bio() OpenSSL function can lead
to a potentially exploitable attack via buffer overflow. The SSL/TLS
code in OpenSSL is not affected by this issue, nor are applications
using the memory based ASN.1 functions. There are no applications in
FreeBSD base system affected by this issue, though some 3rd party
consumers of these functions might be vulnerable when processing
untrusted ASN.1 data. [CVE-2012-2110]

The patch provided with the initial version of this advisory introduced
bug to the Server Gated Cryptography (SGC) handshake code, that could
cause SGC handshake to fail for a legitimate client. The updated patch
also fixes the return error code in the BUF_MEM_grow_clean(3) function in the
buffer size check code introduced by the CVE-2012-2110 fix.

IV. Workaround

No workaround is available.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE, 8-STABLE or 9-STABLE,
or to the RELENG_7_4, RELENG_8_3, RELENG_8_2, RELENG_8_1, RELENG_9_0
security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 8.3,
8.2, 8.1, and 9.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-12:01/openssl2.patch # fetch http://security.FreeBSD.org/patches/SA-12:01/openssl2.patch.asc
NOTE: The patch distributed at the time of the original advisory fixed
the security vulnerability, but introduced a bug to the SGC handshake
code that can cause the SGC handshake to fail for a legitimate client.
Systems to which the original patch was applied should be patched with
the following corrective patch, which contains only the additional
changes required to fix the newly-introduced SGC handshake bug. The
updated patch also corrects an error code for an error check introduced
in the original patch.

# fetch http://security.FreeBSD.org/patches/SA-12:01/openssl-sgc-fix.patch # fetch http://security.FreeBSD.org/patches/SA-12:01/openssl-sgc-fix.patch.asc
b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system as described in
<URL: http://www.freebsd.org/handbook/makeworld.html> and reboot the
system.

NOTE: Any third-party applications, including those installed from the
FreeBSD ports collection, which are statically linked to libcrypto(3)
should be recompiled in order to use the corrected code.

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 8.3-RELEASE, 8.2-RELEASE, 8.1-RELEASE or
9.0-RELEASE on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch Revision
Path
– ————————————————————————-
RELENG_7
src/crypto/openssl/crypto/buffer/buffer.c 1.1.1.4.2.3
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.1.1.13.2.2
src/crypto/openssl/crypto/mem.c 1.1.1.8.2.2
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.1.1.1.2.2
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.1.1.2.2.2
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.2.1
src/crypto/openssl/ssl/ssl.h 1.1.1.16.2.3
src/crypto/openssl/ssl/ssl_err.c 1.1.1.11.2.3
src/crypto/openssl/ssl/s3_enc.c 1.1.1.13.2.2
src/crypto/openssl/ssl/s3_srvr.c 1.1.1.17.2.8
src/crypto/openssl/ssl/ssl3.h 1.1.1.6.2.2
RELENG_7_4
src/UPDATING 1.507.2.36.2.10
src/sys/conf/newvers.sh 1.72.2.18.2.13
src/crypto/openssl/crypto/buffer/buffer.c 1.1.1.4.2.1.2.2
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.1.1.13.2.1.2.1
src/crypto/openssl/crypto/mem.c 1.1.1.8.2.1.2.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.1.1.1.2.1.2.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.1.1.2.2.1.2.1
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.20.1
src/crypto/openssl/ssl/ssl.h 1.1.1.16.2.2.2.1
src/crypto/openssl/ssl/ssl_err.c 1.1.1.11.2.2.2.1
src/crypto/openssl/ssl/s3_enc.c 1.1.1.13.2.1.2.1
src/crypto/openssl/ssl/s3_srvr.c 1.1.1.17.2.5.2.2
src/crypto/openssl/ssl/ssl3.h 1.1.1.6.2.1.2.1
RELENG_8
src/crypto/openssl/crypto/buffer/buffer.c 1.2.2.2
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.1.1.13.10.2
src/crypto/openssl/crypto/mem.c 1.2.2.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.2.2.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.2.2.2
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.10.1
src/crypto/openssl/ssl/ssl.h 1.2.2.2
src/crypto/openssl/ssl/ssl_err.c 1.2.2.2
src/crypto/openssl/ssl/s3_enc.c 1.2.2.2
src/crypto/openssl/ssl/s3_srvr.c 1.3.2.6
src/crypto/openssl/ssl/ssl3.h 1.2.2.2
RELENG_8_3
src/UPDATING 1.632.2.26.2.4
src/sys/conf/newvers.sh 1.83.2.15.2.6
src/crypto/openssl/crypto/buffer/buffer.c 1.2.14.2
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.1.1.13.10.1.4.1
src/crypto/openssl/crypto/mem.c 1.2.14.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.2.14.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.2.2.1.6.1
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.26.1
src/crypto/openssl/ssl/ssl.h 1.2.2.1.6.1
src/crypto/openssl/ssl/ssl_err.c 1.2.2.1.6.1
src/crypto/openssl/ssl/s3_enc.c 1.2.2.1.4.1
src/crypto/openssl/ssl/s3_srvr.c 1.3.2.4.2.2
src/crypto/openssl/ssl/ssl3.h 1.2.2.1.6.1
RELENG_8_2
src/UPDATING 1.632.2.19.2.10
src/sys/conf/newvers.sh 1.83.2.12.2.13
src/crypto/openssl/crypto/buffer/buffer.c 1.2.8.2
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.1.1.13.10.1.2.1
src/crypto/openssl/crypto/mem.c 1.2.8.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.2.8.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.2.2.1.4.1
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.18.1
src/crypto/openssl/ssl/ssl.h 1.2.2.1.4.1
src/crypto/openssl/ssl/ssl_err.c 1.2.2.1.4.1
src/crypto/openssl/ssl/s3_enc.c 1.2.2.1.2.1
src/crypto/openssl/ssl/s3_srvr.c 1.3.2.3.2.2
src/crypto/openssl/ssl/ssl3.h 1.2.2.1.4.1
RELENG_8_1
src/UPDATING 1.632.2.14.2.13
src/sys/conf/newvers.sh 1.83.2.10.2.14
src/crypto/openssl/crypto/buffer/buffer.c 1.2.6.2
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.1.1.13.16.1
src/crypto/openssl/crypto/mem.c 1.2.6.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.2.6.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.2.2.1.2.1
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.16.1
src/crypto/openssl/ssl/ssl.h 1.2.2.1.2.1
src/crypto/openssl/ssl/ssl_err.c 1.2.2.1.2.1
src/crypto/openssl/ssl/s3_enc.c 1.2.6.1
src/crypto/openssl/ssl/s3_srvr.c 1.3.2.2.2.2
src/crypto/openssl/ssl/ssl3.h 1.2.2.1.2.1
RELENG_9
src/crypto/openssl/crypto/buffer/buffer.c 1.2.10.2
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.2.2.1
src/crypto/openssl/crypto/mem.c 1.2.10.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.2.10.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.3.2.1
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.22.1
src/crypto/openssl/ssl/ssl.h 1.3.2.1
src/crypto/openssl/ssl/ssl_err.c 1.3.2.1
src/crypto/openssl/ssl/s3_enc.c 1.3.2.1
src/crypto/openssl/ssl/s3_srvr.c 1.7.2.2
src/crypto/openssl/ssl/ssl3.h 1.3.2.1
RELENG_9_0
src/UPDATING 1.702.2.4.2.4
src/sys/conf/newvers.sh 1.95.2.4.2.6
src/crypto/openssl/crypto/buffer/buffer.c 1.2.12.2
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.2.4.1
src/crypto/openssl/crypto/mem.c 1.2.12.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.2.12.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.3.4.1
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.24.1
src/crypto/openssl/ssl/ssl.h 1.3.4.1
src/crypto/openssl/ssl/ssl_err.c 1.3.4.1
src/crypto/openssl/ssl/s3_enc.c 1.3.4.1
src/crypto/openssl/ssl/s3_srvr.c 1.7.4.2
src/crypto/openssl/ssl/ssl3.h 1.3.4.1
– ————————————————————————-

Subversion:

Branch/path Revision
– ————————————————————————-
stable/7/ r236304
releng/7.4/ r236304
stable/8/ r236304
releng/8.3/ r236304
releng/8.2/ r236304
releng/8.1/ r236304
stable/9/ r236304
releng/9.0/ r236304
– ————————————————————————-

VII. References

http://www.openssl.org/news/secadv_20120419.txt http://www.openssl.org/news/secadv_20120312.txt http://www.openssl.org/news/secadv_20120104.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4576 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4619 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4109 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0884 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2110 http://lists.openwall.net/full-disclosure/2012/04/19/4
The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-12:01.openssl.asc

—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.12 (FreeBSD)

iEYEARECAAYFAk/GEsMACgkQFdaIBMps37IOkwCgj6lSWidx+sk/C/seNNBmQfN8
36sAn2OQg0TEYq9xPf8yd0hrPICuDyGK
=T8ip
—–END PGP SIGNATURE—–

FreeBSD-SA-12:01.openssl

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

=============================================================================
FreeBSD-SA-12:01.openssl Security Advisory
The FreeBSD Project

Topic: OpenSSL multiple vulnerabilities

Category: contrib
Module: openssl
Announced: 2012-05-03
Credits: Adam Langley, George Kadianakis, Ben Laurie,
Ivan Nestlerode, Tavis Ormandy
Affects: All supported versions of FreeBSD.
Corrected: 2012-05-03 15:25:11 UTC (RELENG_7, 7.4-STABLE)
2012-05-03 15:25:11 UTC (RELENG_7_4, 7.4-RELEASE-p7)
2012-05-03 15:25:11 UTC (RELENG_8, 8.3-STABLE)
2012-05-03 15:25:11 UTC (RELENG_8_3, 8.3-RELEASE-p1)
2012-05-03 15:25:11 UTC (RELENG_8_2, 8.2-RELEASE-p7)
2012-05-03 15:25:11 UTC (RELENG_8_1, 8.1-RELEASE-p9)
2012-05-03 15:25:11 UTC (RELENG_9, 9.0-STABLE)
2012-05-03 15:25:11 UTC (RELENG_9_0, 9.0-RELEASE-p1)
CVE Name: CVE-2011-4576, CVE-2011-4619, CVE-2011-4109,
CVE-2012-0884, CVE-2012-2110

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

II. Problem Description

OpenSSL failes to clear the bytes used as block cipher padding in SSL 3.0
records when operating as a client or a server that accept SSL 3.0
handshakes. As a result, in each record, up to 15 bytes of uninitialized
memory may be sent, encrypted, to the SSL peer. This could include
sensitive contents of previously freed memory. [CVE-2011-4576]

OpenSSL support for handshake restarts for server gated cryptograpy (SGC)
can be used in a denial-of-service attack. [CVE-2011-4619]

If an application uses OpenSSL’s certificate policy checking when
verifying X509 certificates, by enabling the X509_V_FLAG_POLICY_CHECK
flag, a policy check failure can lead to a double-free. [CVE-2011-4109]

A weakness in the OpenSSL PKCS #7 code can be exploited using
Bleichenbacher’s attack on PKCS #1 v1.5 RSA padding also known as the
million message attack (MMA). [CVE-2012-0884]

The asn1_d2i_read_bio() function, used by the d2i_*_bio and d2i_*_fp
functions, in OpenSSL contains multiple integer errors that can cause
memory corruption when parsing encoded ASN.1 data. This error can occur
on systems that parse untrusted ASN.1 data, such as X.509 certificates
or RSA public keys. [CVE-2012-2110]

III. Impact

Sensitive contents of the previously freed memory can be exposed
when communicating with a SSL 3.0 peer. However, FreeBSD OpenSSL
version does not support SSL_MODE_RELEASE_BUFFERS SSL mode and
therefore have a single write buffer per connection. That write buffer
is partially filled with non-sensitive, handshake data at the beginning
of the connection and, thereafter, only records which are longer than
any previously sent record leak any non-encrypted data. This, combined
with the small number of bytes leaked per record, serves to limit to
severity of this issue. [CVE-2011-4576]

Denial of service can be caused in the OpenSSL server application
supporting server gated cryptograpy by performing multiple handshake
restarts. [CVE-2011-4619]

The double-free, when an application performs X509 certificate policy
checking, can lead to denial of service in that application.
[CVE-2011-4109]

A weakness in the OpenSSL PKCS #7 code can lead to a successful
Bleichenbacher attack. Only users of PKCS #7 decryption operations are
affected. A successful attack needs on average 2^20 messages. In
practice only automated systems will be affected as humans will not be
willing to process this many messages. SSL/TLS applications are not
affected. [CVE-2012-0884]

The vulnerability in the asn1_d2i_read_bio() OpenSSL function can lead
to a potentially exploitable attack via buffer overflow. The SSL/TLS
code in OpenSSL is not affected by this issue, nor are applications
using the memory based ASN.1 functions. There are no applications in
FreeBSD base system affected by this issue, though some 3rd party
consumers of these functions might be vulnerable when processing
untrusted ASN.1 data. [CVE-2012-2110]

IV. Workaround

No workaround is available.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE, 8-STABLE or 9-STABLE,
or to the RELENG_7_4, RELENG_8_3, RELENG_8_2, RELENG_8_1, RELENG_9_0
security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 8.3,
8.2, 8.1, and 9.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-12:01/openssl.patch # fetch http://security.FreeBSD.org/patches/SA-12:01/openssl.patch.asc
b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system as described in
<URL: http://www.freebsd.org/handbook/makeworld.html> and reboot the
system.

NOTE: Any third-party applications, including those installed from the
FreeBSD ports collection, which are statically linked to libcrypto(3)
should be recompiled in order to use the corrected code.

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 8.3-RELEASE, 8.2-RELEASE, 8.1-RELEASE or
9.0-RELEASE on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch Revision
Path
– – ————————————————————————-
RELENG_7
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.1.1.13.2.2
src/crypto/openssl/crypto/mem.c 1.1.1.8.2.2
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.1.1.1.2.2
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.1.1.2.2.2
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.2.1
src/crypto/openssl/crypto/buffer/buffer.c 1.1.1.4.2.2
src/crypto/openssl/ssl/ssl_err.c 1.1.1.11.2.3
src/crypto/openssl/ssl/s3_srvr.c 1.1.1.17.2.7
src/crypto/openssl/ssl/ssl.h 1.1.1.16.2.3
src/crypto/openssl/ssl/s3_enc.c 1.1.1.13.2.2
src/crypto/openssl/ssl/ssl3.h 1.1.1.6.2.2
RELENG_7_4
src/UPDATING 1.507.2.36.2.9
src/sys/conf/newvers.sh 1.72.2.18.2.12
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.1.1.13.2.1.2.1
src/crypto/openssl/crypto/mem.c 1.1.1.8.2.1.2.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.1.1.1.2.1.2.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.1.1.2.2.1.2.1
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.20.1
src/crypto/openssl/crypto/buffer/buffer.c 1.1.1.4.2.1.2.1
src/crypto/openssl/ssl/ssl_err.c 1.1.1.11.2.2.2.1
src/crypto/openssl/ssl/s3_srvr.c 1.1.1.17.2.5.2.1
src/crypto/openssl/ssl/ssl.h 1.1.1.16.2.2.2.1
src/crypto/openssl/ssl/s3_enc.c 1.1.1.13.2.1.2.1
src/crypto/openssl/ssl/ssl3.h 1.1.1.6.2.1.2.1
RELENG_8
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.1.1.13.10.2
src/crypto/openssl/crypto/mem.c 1.2.2.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.2.2.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.2.2.2
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.10.1
src/crypto/openssl/crypto/buffer/buffer.c 1.2.2.1
src/crypto/openssl/ssl/ssl_err.c 1.2.2.2
src/crypto/openssl/ssl/s3_srvr.c 1.3.2.5
src/crypto/openssl/ssl/ssl.h 1.2.2.2
src/crypto/openssl/ssl/s3_enc.c 1.2.2.2
src/crypto/openssl/ssl/ssl3.h 1.2.2.2
RELENG_8_3
src/UPDATING 1.632.2.26.2.3
src/sys/conf/newvers.sh 1.83.2.15.2.5
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.1.1.13.10.1.4.1
src/crypto/openssl/crypto/mem.c 1.2.14.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.2.14.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.2.2.1.6.1
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.26.1
src/crypto/openssl/crypto/buffer/buffer.c 1.2.14.1
src/crypto/openssl/ssl/ssl_err.c 1.2.2.1.6.1
src/crypto/openssl/ssl/s3_srvr.c 1.3.2.4.2.1
src/crypto/openssl/ssl/ssl.h 1.2.2.1.6.1
src/crypto/openssl/ssl/s3_enc.c 1.2.2.1.4.1
src/crypto/openssl/ssl/ssl3.h 1.2.2.1.6.1
RELENG_8_2
src/UPDATING 1.632.2.19.2.9
src/sys/conf/newvers.sh 1.83.2.12.2.12
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.1.1.13.10.1.2.1
src/crypto/openssl/crypto/mem.c 1.2.8.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.2.8.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.2.2.1.4.1
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.18.1
src/crypto/openssl/crypto/buffer/buffer.c 1.2.8.1
src/crypto/openssl/ssl/ssl_err.c 1.2.2.1.4.1
src/crypto/openssl/ssl/s3_srvr.c 1.3.2.3.2.1
src/crypto/openssl/ssl/ssl.h 1.2.2.1.4.1
src/crypto/openssl/ssl/s3_enc.c 1.2.2.1.2.1
src/crypto/openssl/ssl/ssl3.h 1.2.2.1.4.1
RELENG_8_1
src/UPDATING 1.632.2.14.2.12
src/sys/conf/newvers.sh 1.83.2.10.2.13
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.1.1.13.16.1
src/crypto/openssl/crypto/mem.c 1.2.6.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.2.6.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.2.2.1.2.1
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.16.1
src/crypto/openssl/crypto/buffer/buffer.c 1.2.6.1
src/crypto/openssl/ssl/ssl_err.c 1.2.2.1.2.1
src/crypto/openssl/ssl/s3_srvr.c 1.3.2.2.2.1
src/crypto/openssl/ssl/ssl.h 1.2.2.1.2.1
src/crypto/openssl/ssl/s3_enc.c 1.2.6.1
src/crypto/openssl/ssl/ssl3.h 1.2.2.1.2.1
RELENG_9
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.2.2.1
src/crypto/openssl/crypto/mem.c 1.2.10.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.2.10.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.3.2.1
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.22.1
src/crypto/openssl/crypto/buffer/buffer.c 1.2.10.1
src/crypto/openssl/ssl/ssl_err.c 1.3.2.1
src/crypto/openssl/ssl/s3_srvr.c 1.7.2.1
src/crypto/openssl/ssl/ssl.h 1.3.2.1
src/crypto/openssl/ssl/s3_enc.c 1.3.2.1
src/crypto/openssl/ssl/ssl3.h 1.3.2.1
RELENG_9_0
src/UPDATING 1.702.2.4.2.3
src/sys/conf/newvers.sh 1.95.2.4.2.5
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.2.4.1
src/crypto/openssl/crypto/mem.c 1.2.12.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.2.12.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.3.4.1
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.24.1
src/crypto/openssl/crypto/buffer/buffer.c 1.2.12.1
src/crypto/openssl/ssl/ssl_err.c 1.3.4.1
src/crypto/openssl/ssl/s3_srvr.c 1.7.4.1
src/crypto/openssl/ssl/ssl.h 1.3.4.1
src/crypto/openssl/ssl/s3_enc.c 1.3.4.1
src/crypto/openssl/ssl/ssl3.h 1.3.4.1
– – ————————————————————————-

Subversion:

Branch/path Revision
– – ————————————————————————-
stable/7/ r234954
releng/7.4/ r234954
stable/8/ r234954
releng/8.3/ r234954
releng/8.2/ r234954
releng/8.1/ r234954
stable/9/ r234954
releng/9.0/ r234954
– – ————————————————————————-

VII. References

http://www.openssl.org/news/secadv_20120419.txt http://www.openssl.org/news/secadv_20120312.txt http://www.openssl.org/news/secadv_20120104.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4576 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4619 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4109 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0884 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2110 http://lists.openwall.net/full-disclosure/2012/04/19/4
The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-12:01.openssl.asc

—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.12 (FreeBSD)

iEYEARECAAYFAk+ipzUACgkQFdaIBMps37I7pACeI7zZ21vj+6AVz5+15OP4foXm
N1IAn2rMThkptUz62e0QDCv3tJKW6N9i
=ko2h
—–END PGP SIGNATURE—–

FreeBSD下如何使用mutt连接gmail

FreeBSD下如何使用mutt连接gmail

电子邮件是一个很重要的通讯工具,很多人都有自己的电子邮件,google的gmail完全免费,而且空间很大,还允许用户使用客户端对其进行访问,这样就不需要直接登陆google的网站,非常方便,总之是优点多多。为了保证电子邮件的安全性,gmail的电子邮件服务器使用了SSL安全协议,目前多数图形界面的邮件客户端都直接支持这个协议,不需要用户进行某些特殊的设置,比如:Evolution。

这些图形界面的电子邮件客户端有许多优点,比如比较漂亮,比如很容易使用,可以很快的上手,但是也有一个共同的缺点:体积比较大,编译起来比较费劲。Mutt是一个非常小巧的电子邮件客户端,编译起来很容易,并且定制性非常的高,但是配置上稍微有点复杂,尤其是由于gmail使用了SSL协议,所以很多人在使用Mutt连接gmail的时候总是配置不好。

这个wiki页面主要介绍在FreeBSD系统下如何使用mutt将openssl、vim、gnupg、fetchmail、procmail、msmtp、ca_root_nss整合起来并连接到gmail,虽然是针对FreeBSD系统的,其中多数内容也适合各个Linux发行版本以及各个BSD分支,在其他系统上只需要做少量调整。

目标:

我们在这里,我们假设需要配置的gmail账号的详细信息如下:

gmail账号:fender0107401_2_gmail.com
gmail账号的密码:123456

其中:_2_等价于@,这么写是为了防止这个电子邮件被“机器人”给抓去了。

这个人订阅了很多FreeBSD的邮件列表,并且给每个邮件列表建立一个邮箱来保存,以此来方便自己管理自己的电子邮件,并且这个人不喜欢编译太大的软件,在经过几次对Evolution的编译以及升级之后,决定放弃Evolution而转向Mutt,于是乎他选择了mutt+fetchmail+procmail+msmtp+ca_root_nss+vim+gnupg这个解决方案,为了实现这个解决方案,他需要进行一些配置工作。在配置完成后,他决定把整个过程整理一下并写在wiki上,于是就有了这个wiki页面。

需要安装的port:

ca_root_nss:这port是第三方认证。
fetchmail:用来从gmail的邮件服务器上(pop.gmail.com)取回电子邮件(首先和服务器建立SSL连接);
procmail:由getchmail取会来的电子邮件,通过procmail进行分拣工作,分发的各自的邮箱去,比如你可以给freebsd-doc邮件列表单独制定一个邮箱,这样可以方便对邮件进行管理;
msmtp:用于发送电子邮件到gmail的邮件服务器(smtp.gmail.com)上去(首先和服务器建立SSL连接);
gnupg:用于对电子邮件进行加密,这样只有某个人才能察看文件的内容;或者是对电子邮件进行数字签名,这样别人可以通过你的gpg公钥开验证你的电子邮件是否被编辑过,如果被别人编辑过,数字签名验证就会失败。关于gnupg的加密模型或者说加密机制可以参考其主页:gnupg;
vim:用于编辑邮件,我是一个vim用户,几乎用vim和gvim写一切东西,写邮件虽然不需要什么太多高级功能,但是用习惯了,自然是选择vim来编辑邮件,你也可以指定任何一个你喜欢的编辑器来代替vim;
mutt:用于把上面的各个port串起来,或者说是集成起来。

SSL协议:

SSL是Secure Socket Layer的缩写,本质上一个协议,或者说是一个保证连接安全性的机制。所谓协议就是一个文本,目前有许多这个协议的实现方案,在开源世界里面我们自然使用开源的实现方案:OpenSSL。谈到OpenSSL这个SSL实现,我们应该感谢Eric Young和Tim Hudson这两个程序员,因为是他们开发并实现了OpenSSL。

为了保证能正确的配置成功,需要简单地了解一下OpenSSL这个协议在建立连接时需要哪些步骤,也就是客户端和服务器建立连接时“握手”的基本过程。

游戏角色:

客户端:提出建立ssl连接的人;
服务器:提供ssl服务的人;
第三方认证机构:第三方认证机构签发数字证书,客户端使用这个证书对服务器所发送来的公钥进行验证,保证的确是目标服务器。

游戏规则:

客户机对目标服务器提出建立ssl连接的申请,告诉服务器自己所能支持的加密方案;
服务器收到申请以后,从客户机所支持的加密方案里面选择一个最安全的,作为本次连接的加密方案;然后把自己的公钥发送给客户端;
客户端收到公钥以后,使用第三方认证来验证这个收到的服务器公钥,如果验证成功就使用这个收到的服务器公钥加密一个随机数后发送给服务器,作为对称加密的对称加密的密钥;
服务器接受到这个加密的随机数以后,使用自己的私钥解密,作为对称加密的密钥;
自此之后服务器和客户端之间使用对称加密来进行加密的通信连接,也就是连接建立成功了;
在上述过程中,任何一个环节的失败都会导致链接失败。

总结一下:首先使用“非对称加密”,然后使用“对称加密”;第三方认证机构确保用户在“非对称加密”过程中使用正确的服务器“公钥”;在“对称加密”过程中使用的“对称密钥”由“非对称加密过程”来传递。

注:

这是只是一个很简单的介绍,实际中连接的建立过程比这个要复杂一些,另外还可能有一些变化(用于减少服务器负担)。我看到过有人说SSL协议并不安全,我并没有仔细的研究过,但是从上面的“握手”过程来看,还是比较安全的,关于SSL的详细内容可以参考相关资料。

配置任务:

任务1:安装第三方认证

我最开始写这个wiki的时候,按认证是比较麻烦的,需要一些手工操作,现在要简单多了,只需要安装ca_root_nss这个port就可以了,这个port里面包含了很多的第三方认证。

# cd /usr/ports/security/ca_root_nss
# make install clean

安装的时候会问题是否”Add symlink to /etc/ssl/cert.pem”。

如果添加,那么/etc/ssl/cert.pem就是一个符号连结。

$ file /etc/ssl/cert.pem
/etc/ssl/cert.pem: symbolic link to `/usr/local/share/certs/ca-root-nss.crt’

任务2:安装并配置msmtp

安装:

安装方法:

# cd /usr/ports/mail/msmtp
# make install clean

注意一定打开GNUTLS的支持,我们需要使用这个协议来进行加密连接。

配置:

配置就是写.msmtprc这个文件,我的.msmtprc文件内容如下,使用时注意换成自己的账号和密码就可以了,还需要注意的是自己的第三方认证放在哪里了以及自己的msmtplog保存在什么地方,因为你可能选择和我不同目录:

# set default values

defaults

tls on

tls_starttls on

tls_trust_file /usr/local/share/certs/ca-root-nss.crt # 这里是设定认证文件的位置。

logfile /home/fender/Mail/.msmtp.log

# set my first account

account fender0107401

host smtp.gmail.com

port 587

from fender0107401_2_gmail.com

auth on

user fender0107401

password 123456

# set a default account

account default : fender0107401

注意,写好配置文件以后要修改文件的权限:

$ chmod 600 .msmtprc

现在:发邮件的问题解决了。

任务3:安装并配置fetchmail

安装:

# cd /usr/ports/mail/fetchmail
# make install clean

配置:

配置就是写.fetchmailrc这个文件,我的.fetchmailrc文件内容如下,使用时注意换成自己的账号和密码就可以了,还有就是要注意自己的第三方认证位置:

poll pop.gmail.com

port 995

proto POP3

user ‘fender0107401_2_gmail.com’

password ‘123456’

options

no keep

ssl

sslcertck

注意,写好配置文件以后要修改文件的权限:

$ chmod 600 .fetchmailrc

现在:收邮件的问题解决了。

任务4:安装并配置procmail

安装:

# cd /usr/ports/mail/procmail
# make install clean

配置:

我主要是接收各种订阅的电子邮件列表,通过procmail来进行分拣工作,我的.procmailrc配置文件如下,使用时注意调整目录设置:

################################################################################
PATH=$HOME/bin:/usr/bin:/usr/local/bin:

MAILDIR=$HOME/mail

LOGFILE=$MAILDIR/.procmaillog

################################################################################
# FreeBSD mailing list:
:0
* ^List-Id:.*freebsd-announce
1_freebsd-announce

:0
* ^List-Id:.*freebsd-security-notifications
1_freebsd-security-notifications

:0
* ^List-Id:.*freebsd-amd64
1_freebsd-amd64

:0
* ^List-Id:.*freebsd-doc
1_freebsd-doc

:0
* ^List-Id:.*freebsd-gnome
1_freebsd-gnome

:0
* ^List-Id:.*freebsd-performance
1_freebsd-performance

:0
* ^List-Id:.*freebsd-security
1_freebsd-security

:0
* ^List-Id:.*cnproj-cvs
1_cnproj-cvs

:0
* ^List-Id:.*cnproj-submit
1_cnproj-submit

################################################################################
# Gnu Octave mailing list:

:0
* ^List-Id:.*bug-octave
2_bug-octave
:0
* ^List-Id:.*help-octave
2_help-octave
:0
* ^List-Id:.*octave-maintainers
2_octave-maintainers

################################################################################
:0
* .*
3_default

################################################################################

关于procmail的语法可以参考FreeBSD Handbook中Electronic Mail的相关内容。

现在:分拣邮件的问题解决了。

任务5:安装并配置mutt

安装:

# cd /usr/ports/mail/mutt
# make install clean

配置:

mutt的配置工作主要是通过.muttrc来实现,详细的各种配置选项可以参考下述连接:

mutt_manual

muttrc_example

我把自己的.muttrc中一些比较基本的配置写出来,方便大家参考:

# Personal information
set hostname=PC-686.Workstation

定义系统名。

set realname=Li

定义用户名。

my_hdr From:fender0107401_2_gmail.com

定义我的电子邮件地址。

# sendmail
set sendmail="/usr/local/bin/msmtp"

定义msmtp来发送电子邮件。

# fetchmail and procmail
macro index G "!fetchmail -a -m ‘procmail -d %T’\r"

定义使用fetchmail来接受电子邮件,接受以后使用procmail来分拣邮件。

# GnuPG
source usr/local/share/examples/mutt/gpg.rc

使用gnupg。

set editor="vim"

定义vim作为我编辑器。

set index_format="| %4C | %Z | %{%b %d} | %-15.15L | %s"

定义index的显示方式。

set folder_format="| %2C | %t %N | %8s | %d | %f"

定义邮箱的显示方式,一定要有%N,否则没法知道哪个有新邮件。

.muttrc内容汇总:

# Personal information
set hostname=PC-686.Workstation

set realname=Li

my_hdr From:fender0107401_2_gmail.com

# sendmail
set sendmail="/usr/local/bin/msmtp"

# fetchmail and procmail
macro index G "!fetchmail -a -m ‘procmail -d %T’\r"

# GnuPG
source usr/local/share/examples/mutt/gpg.rc

set editor="vim"

set index_format="| %4C | %Z | %{%b %d} | %-15.15L | %s"

set folder_format="| %2C | %t %N | %8s | %d | %f"

注意事项:

必须打开防火墙,以我使用的ipfw为例,需要在防火墙规则中添加下述内容:
$cmd 00700 allow tcp from any to any 587 out via $nic setup $ks
$cmd 00800 allow tcp from any to any 995 out via $nic setup $ks

其中,$ks和$nic是我设定的变量,$ks的定义如下:

ks="keep-state"

$nic代表我的网卡,定义如下:

nic="re0"

mutt的配置选项很多,我没有都写出来,详细的可以参考下述连接。

mutt_manual

muttrc_example

后记:

现在,打开一个虚拟终端,比如gnome-terminal,然后运行mutt,

G将会下载你的邮件;
如果有新邮件mutt会在相应邮箱前显示一个N;
想发送邮件就按m,编辑以后使用p键可以使用gnupg对其签名;
我并没有写如何安装vim或者是如何使用gnupg,而是直接假设使用者知道如何使用gnupg,相关内容需要可以参考vim或者是gnupg的文档;
有意思的事情还有很多,需要慢慢的探索,我不能把mutt所有的功能都写出来,因为实在是太多太多了,可以定制显示的颜色,可以定义显示邮件的哪些部分,可以指定如何排序……
欢迎补充。

FreeBSD-SA-10:10.openssl

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

=============================================================================
FreeBSD-SA-10:10.openssl                                    Security Advisory
The FreeBSD Project

Topic:          OpenSSL multiple vulnerabilities

Category:       contrib
Module:         openssl
Announced:      2010-11-29
Credits:        Georgi Guninski, Rob Hulswit
Affects:        FreeBSD 7.0 and later
Corrected:      2010-11-26 22:50:58 UTC (RELENG_8, 8.1-STABLE)
2010-11-29 20:43:06 UTC (RELENG_8_1, 8.1-RELEASE-p2)
2010-11-29 20:43:06 UTC (RELENG_8_0, 8.0-RELEASE-p6)
2010-11-28 13:45:51 UTC (RELENG_7, 7.3-STABLE)
2010-11-29 20:43:06 UTC (RELENG_7_3, 7.3-RELEASE-p4)
2010-11-29 20:43:06 UTC (RELENG_7_1, 7.1-RELEASE-p16)
CVE Name:       CVE-2010-2939, CVE-2010-3864

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

II.  Problem Description

A race condition exists in the OpenSSL TLS server extension code
parsing when used in a multi-threaded application, which uses
OpenSSL’s internal caching mechanism.  The race condition can lead to
a buffer overflow. [CVE-2010-3864]

A double free exists in the SSL client ECDH handling code, when
processing specially crafted public keys with invalid prime
numbers. [CVE-2010-2939]

III. Impact

For affected server applications, an attacker may be able to utilize
the buffer overflow to crash the application or potentially run
arbitrary code with the privileges of the application. [CVE-2010-3864].

It may be possible to cause a DoS or potentially execute arbitrary in
the context of the user connection to a malicious SSL server.
[CVE-2010-2939]

IV.  Workaround

No workaround is available, but CVE-2010-3864 only affects FreeBSD 8.0
and later.

It should also be noted that CVE-2010-3864 affects neither the Apache
HTTP server nor Stunnel.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_1, RELENG_8_0, RELENG_7_3, or RELENG_7_1 security branch
dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.1, 7.3,
8.0 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-10:10/openssl7.patch
# fetch http://security.FreeBSD.org/patches/SA-10:10/openssl7.patch.asc

[FreeBSD 8.x]
# fetch http://security.FreeBSD.org/patches/SA-10:10/openssl.patch
# fetch http://security.FreeBSD.org/patches/SA-10:10/openssl.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/secure/lib/libssl
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries.  On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in
<URL:http://www.FreeBSD.org/handbook/makeworld.html>

3) To update your vulnerable system via a binary patch:

Systems running 7.1-RELEASE, 7.3-RELEASE, 8.0-RELEASE or 8.1-RELEASE
on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
Path
– ————————————————————————-
RELENG_7_3
src/UPDATING                                             1.507.2.34.2.6
src/sys/conf/newvers.sh                                   1.72.2.16.2.8
src/crypto/openssl/ssl/s3_clnt.c                       1.1.1.14.2.1.4.1
RELENG_7_1
src/UPDATING                                            1.507.2.13.2.19
src/sys/conf/newvers.sh                                   1.72.2.9.2.20
src/crypto/openssl/ssl/s3_clnt.c                           1.1.1.14.6.2
RELENG_8_1
src/UPDATING                                             1.632.2.14.2.5
src/sys/conf/newvers.sh                                   1.83.2.10.2.6
src/crypto/openssl/ssl/s3_clnt.c                            1.3.2.1.2.1
src/crypto/openssl/ssl/t1_lib.c                             1.2.2.1.2.1
RELENG_8_0
src/UPDATING                                              1.632.2.7.2.9
src/sys/conf/newvers.sh                                    1.83.2.6.2.9
src/crypto/openssl/ssl/s3_clnt.c                                1.3.4.1
src/crypto/openssl/ssl/t1_lib.c                                 1.2.4.1
– ————————————————————————-

Subversion:

Branch/path                                                      Revision
– ————————————————————————-
stable/7/                                                         r215997
releng/7.3/                                                       r216063
releng/7.1/                                                       r216063
stable/8/                                                         r215912
releng/8.0/                                                       r216063
releng/8.1/                                                       r216063
– ————————————————————————-

VII. References

https://bugzilla.redhat.com/show_bug.cgi?id=649304
http://www.openssl.org/news/secadv_20101116.txt
http://www.mail-archive.com/openssl-dev@openssl.org/msg28043.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2939
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3864

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-10:10.openssl.asc
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.9

iEYEARECAAYFAkz0FdsACgkQFdaIBMps37JjAgCcC7NSDXR7P4d2y4XFF/Ce9sG1
Bs8An36Pjplsfovx6Im/NCnVgHtVgj5x
=xU/h
—–END PGP SIGNATURE—–

原文链接:http://security.freebsd.org/advisories/FreeBSD-SA-10:10.openssl.asc