Slashdot Mirror
Multiple Vulnerabilities in OpenSSL
gfilion writes "Updated versions of OpenSSL are now available which correct two security issues: A null-pointer assignment during SSL handshake and an out-of-bounds read that affects Kerberos ciphersuites. Full advisory available on OpenSSL site and US-CERT."
According to this link ;)
Here
There are three vulnerabilities.
This was, like, sooo yesterday on the Bugtraq lists
Bored? Why not join a decent mess
Please don't comment "so I guess Windows isn't so insecure, is it...". We always seem to get a few of these. OpenSSL/OpenBSD has a VERY good security track record. Is a vulnerability a problem? Yes, but when MS has OpenBSD's track record, you can compare.
Also I think this is a good news post simply because it helps to show we're not Anti-windows bias. We report security problems on ALL os's.
Oh well, sometimes you just have to combat the trolls.
For those of us not on the FreeBSD mailing list, it is.
I'm betting that there are a large number of sysadmins who pay more attention to /. than they do to keeping systems up to date.
It's certainly front page news if there's a non-exploitable flaw in Windows for which a patch has been released.
cvs, make and build sure.. But when it's click windows update, somehow it's some monumental task thats just the worst thing imaginable.
I don't need no instructions to know how to rock!!!!
Slackware Linux also has this fixed. Incidentally, like the parent's subject line says, this is a minor vulnerability that at the most makes openssl crash, not an exploit or a trojan like all the stuff we've been seeing about Windows on /. lately.
...is this really /. front page news? This came out on the FreeBSD mailing list 36 hrs ago.
./ to report the problem. Also it's good to wait about 36 hours or so for the fix to go through the motions as the sudden intrest rattles free other problems.
Yes. Most of us are not on the FreeBSD mailing list. Instead we wait for the more mainstream outlets like
Nothing really to see here folks. Both attacks crash the SSL server, so we're looking at DOS attacks and not 'holes'. This is certainly serious for the business who relies on it, but for home networks and casual use (which I'm sure is common among slashdotters) this is no sweat.
:)
Nice to hear that they found the holes, though.
~Dalcius
Rome wasn't burnt in a day.
Probally has something to do with many people being able to do code audits freely and of course submit their fix for it ;)
GeekLeak.com - Silly name, serious geeks
For people who've never done this before (such as myself), this is an intimidating operation; care to walk me through it? It also glosses over insignificant little details, such as:
Dumb questions I'm sure, but the answers have never been revealed in a form I can understand.
Schwab
Editor, A1-AAA AmeriCaptions
Okay, maybe not less funny - but just as unfunny.
Copy it from
Over a period of several updates, how do you avoid having stale libraries/executables/config files scattered all over your machine?
That's a fine question indeed. What I do is:
make DESTDIR=/usr/local/fake_root distrib-dirs distribution
make DESTDIR=/usr/local/fake_root installworld
make DESTDIR=/usr/local/fake_root installkernel KERNCONF=foobar
/usr/local/fake_root and stuff in /. I like find and sort and vimdiff to do that. It's not super elegant, but you don't have to do it too often if you're tracking something like RELENG_4_9, since rarely do things get updated. What you would use it for is when you make changes to the base, which leads me to:
/etc/make.conf, do:
Then you can compare the contents of
Is there a risk that 'make installworld' will silently overwrite a functional replacement previously installed from ports?
Yes! But you can get around it. In
NO_SENDMAIL=true
Now sendmail won't be built, although its stale files will hang around; refer to point 2 above.
You'll also, in rc.conf, want:
sendmail_enable="YES"
sendmail_flags="-bd"
sendmail_outbound_enable="NO"
sendmail_submit_enable="NO"
sendmail_msp_queue_enable="NO"
At least for Postfix, which you say you use.
Considering most setups (namely FreeBSD ones) aren't affected because this is a problem with Kerberos ciphersuites and the OpenSSL code is extremely MIT Kerberos specific so this flaw doesn't affect it.
From the FreeBSD security list:
If one compiles OpenSSL oneself, *and* has MIT Kerberos, *and*
> enables the Kerberos options, *and* has all ciphersuites (or at least
> the Kerberos ciphersuites) specified in your application's
> configuration, then you might be affected. But that has nothing to
> do with FreeBSD.
> Thus, answering your question again:
>
> Isn't FreeBSD vulnerable to the second "Out-of-bounds read affects
> Kerberos ciphersuites" security problem?
>
> No, FreeBSD is not.
You have a good point, as using Windows Update is easier (or at least as easy) as any GNU/Linux update method, and can be made automatic very easily (like some GNU/Linux update methods).
One noteworthy difference, however, is that none of the BSD or GNU/Linux update methods tell the vendor the software (and their versions) that you run. To their credit, at least, none of them (including Microsoft) collect any actual personally identifiable information.
Computer Science is no more about computers than astronomy is about telescopes. --E. W. Dijkstra
For people who've never done this before (such as myself), this is an intimidating operation; care to walk me through it?
h andbook/cutting-edge.html h andbook/makeworld.html
/etc/make.conf. You can look at /etc/defaults/make.conf and in the handbook for more details:
t rue
P =/usr/local/bin/cvsupf ile- supfi le
/etc/make.conf, you can update the source tree by doing this:
/usr/src
/usr/ports. If you want to just update ports, run make update from /usr/ports.
/usr/obj/*
First, RTFM:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/
http://www.freebsd.org/doc/en_US.ISO8859-1/books/
I run 4-STABLE on all of my boxes, so this will be a bit different for 5. Create
CFLAGS=-O -pipe
NOPROFILE=true
NO_BIND=true
NO_SENDMAIL=
SUPHOST=cvsupXX.freebsd.org
SUP_UPDATE=yes
SU
SUPFLAGS=-g -L2
SUPFILE=/usr/share/examples/cvsup/stable-sup
PORTSSUPFILE=/usr/share/examples/cvsup/ports
Replace SUPHOST with your CVSup mirror. See the handbook for more info. The NO_BIND and NO_SENDMAIL lines keep buildworld from building BIND and Sendmail, respectively, since I use djbdns and qmail.
Once you have setup
# cd
# make update
That will also update
Once your source tree is up to date, update the system following section 21.4.1 in the handbook. I skip the single user mode part, since I do everything over SSH:
# mergemaster -p
# rm -rf
# make -j4 buildworld
# make -j4 buildkernel
# make installkernel
# make installworld
# mergemaster -i
# reboot
The order there is important. The kernel should be built after the world is built, since building the world updates the build tools (this is especially important when it has been a long time since you last updated). The kernel should also be installed before the world is installed.
You should almost always update the kernel when you update the world. If you choose not to reboot immediately after installing the new world, you might notice that tools like ps no longer work, since they don't match the kernel.
These is how I do things after several years of experience. Make sure to read and understand the handbook before doing anything. But really, it's not that hard, especially after you do it a few times.
An unrelated but very useful tip: check out the sysutils/portupgrade port.
Rule #1: Unsafe data should be handled in sandboxed languages.
Rule #2: Programs that are exposed to unsafe data (server processes) should run at some minimum and constrained privilege level, not as root. The "must be root to bind to ports less than 1024" rule on Unix is almost exactly the opposite of what the rule should be.
I'm sure many people who don't understand these issues will flame me or say I am trolling, but oh well, someone needs to keep bringing this up until it sinks in.
------------
Create a WAP server
There is a minimal cvsup config for FreeBSD 4.9 - cvsup -g -L 2 and you're off and running.
*default host=cvsup6.FreeBSD.org
*default base=/usr
*default prefix=/usr
# The following line is for 4-stable. If you want 3-stable or 2.2-stable,
# change "RELENG_4" to "RELENG_3" or "RELENG_2_2" respectively.
*default release=cvs tag=RELENG_4
*default delete use-rel-suffix
# If your network link is a T1 or faster, comment out the following line.
*default compress
src-all
#ports-all tag=.
make buildworld & make installworld install *world*, which does not include anything you built out of
FreeBSD *is* intimidating at first, but if you take the thirty days of pain at the end of that time you'll be looking at your Linux boxes and wondering why you ever put up with the chaos
I am very easy to get along with, but I don't have time to waste being nice to people who are being stupid. -Theo
Never used RHN, have you?
First thing it does is `rpm -qa` and sends that list right to RedHat.
It's really hard to know what updates to provide without seeing a list of software packages installed. Sure, they could differentiate between "Our" software and "Other" software in the list of installed programs, but that's just silly - send the whole list, and ignore the stuff you don't care about.
--
Use Vobbo for Video Blogs
CVSup; make buildworld && make installworld
For people who've never done this before (such as myself), this is an intimidating operation; care to walk me through it?
If you're intimidated by buildworld, there's an easier option:
# freebsd-update fetch
# freebsd-update install
Tarsnap: Online backups for the truly paranoid
When an OSS / Linux / BSD / OS X / something other than Windows flaw is found, it's serious.
It really is. You need to take it seriously and fix it. ASAP. Hopefully, most folks who run said OSes are paying attention, and will do what they need to do to secure the flaw.
That said, every time anyone uses Outlook to read email, the above looks really, really good.
Department of Homeland Security: Removing the rights real patriots fought and died for since 2001
If you have RedHat and can't do the up2date any longer, here's what I did to make mine work:
g z ./config shared --prefix=/usr
:)
wget http://www.openssl.org/source/openssl-0.9.7d.tar.
tar xvfz openssl-0.9.7d.tar.gz
cd openssl-0.9.7d
make
make test
make install
Configure with "shared" because it will install the shared library, which is needed for other programs such as SSHD. The prefix is where RedHat put its *.so files that's needed by OpenSSH.
Not sure if it's required or not, but I just restarted SSHD (uses OpenSSL) after that just in case.
Btw, the above is just what I did. I make no warranties. Follow it at your own risk.
eTrade SUCKS
>Honestly people, is this really /. front page news?
Yes, lets just wait till some kiddie write a worm that crashes thousands servers all over the world and then post about it.
I like that slashdot posts security problems. Why?
1. For the lazy admin. Theres lot of them.
2. because its important to keep reinforcing the idea that computers suck (I dont care what OS you like) and need constant care.
I see a fair number of posts from people who rely on /. to learn about security flaws. That doesn't seem to be a sensible approach. It is pretty easy to follow a security list and keep an eye out for vulnerabilities affecting your system(s). I am a home user with a simple Web server in the basement. I subscribe to the CERT list. Others here mentioned Bugtraq. I catch quite a few alerts that I don't hear about in more general forums until after I see activity in my Snort logs. Even with a nightly update via yum some things need individual attention. Case in point, a flaw in a PHP application (Gallery) that falls outside of the packages covered by yum. You have to know about it to fix it -- and the bad guys know about immediately.
Don
A null-pointer assignment
an out-of-bounds read
Aside from the programmer's errors, if C was safer, both bugs would have already been caught a long time ago. C is clearly to blame here.
For most applications, you are right that safety outweighs performance concerns. However, OpenSSL is in that 1% of applications where performance outweighs everything. It is a crypto library. Crypto is extremely CPU intensive.
OpenSSL is expected to run as fast as possible, to the point where parts of it aren't even written in C. The core bignum and hashing routines are written in assembly language for various platforms.
You even mentioned this caveat:
if you're not writing an OS, a game, or a calculation based app (lapack, etc...)
But you didn't seem to realize that this caveat certainly applies to OpenSSL (if ever there were a calculation based app, this is it).