FreeBSD source tree https://cgit-dev.freebsd.org/src/atom?h=release%2F9.3.0 2014-06-09T16:30:56Z 2014-06-09T16:30:56Z Jung-uk Kim jkim@FreeBSD.org 2014-06-09T16:30:56Z urn:sha1:9b3686cdf76ea1aeb060cd93cca157356e753786 Approved by: re (kib), so (delphij) 2014-06-05T12:53:06Z Xin LI delphij@FreeBSD.org 2014-06-05T12:53:06Z urn:sha1:27532720a21528379cfaad214472d58f2d9c8fc4 Security: CVE-2014-0195, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470 Security: SA-14:14.openssl Approved by: re (jpaetzel) 2014-04-20T13:12:32Z Dag-Erling Smørgrav des@FreeBSD.org 2014-04-20T13:12:32Z urn:sha1:0f2bad1ba425b11ca3285cf6f61c9d5ec1a03f14 2014-04-17T20:09:41Z Xin LI delphij@FreeBSD.org 2014-04-17T20:09:41Z urn:sha1:97da9288a593c92c4df8e85a0ad2335000f936ab ==== Author: Dr. Stephen Henson <steve@openssl.org> Treat a zero length passed to ssleay_rand_add a no op: the existing logic zeroes the md value which is very bad. OpenSSL itself never does this internally and the actual call doesn't make sense as it would be passing zero bytes of entropy. Thanks to Marcus Meissner <meissner@suse.de> for reporting this bug. ==== This is a direct commit to stable/8 and stable/9. -HEAD and stable/10 already have this fix as part of OpenSSL 1.0.1g. Noticed by: koobs Reviewed by: benl (maintainer) 2014-04-08T23:16:19Z Xin LI delphij@FreeBSD.org 2014-04-08T23:16:19Z urn:sha1:219a80bd287b49f6db82a93b9c9be109a6ea46a7 Fix ECDSA Cache Side-channel Attack in OpenSSL. [SA-14:06] 2014-03-31T14:39:56Z Dag-Erling Smørgrav des@FreeBSD.org 2014-03-31T14:39:56Z urn:sha1:8445f9d73512b4333e78ed31f64eab75a676110f r256126, r257954, r261320, r261499, r263691, r263712): upgrade to OpenSSH 6.6p1 via 6.3p1, 6.4p1 and 6.5p1. Differences relative to head: - No DNSSEC support since stable/9 does not have LDNS - Sandboxing off by default, and uses rlimit instead of Capsicum - ED25519 moved to the bottom of the order of preference to avoid "new public key" warnings 2013-12-16T06:52:30Z Benjamin Kaduk bjk@FreeBSD.org 2013-12-16T06:52:30Z urn:sha1:b2fc255c83ff041403b38acd132ef0f4480f8ee3 Approved by: hrs (mentor, src committer) 2013-12-16T02:25:28Z Benjamin Kaduk bjk@FreeBSD.org 2013-12-16T02:25:28Z urn:sha1:939ba244c8d1c188df67c19e8e36ba47c6a14b29 Apply patch from upstream Heimdal for encoding fix RFC 4402 specifies the implementation of the gss_pseudo_random() function for the krb5 mechanism (and the C bindings therein). The implementation uses a PRF+ function that concatenates the output of individual krb5 pseudo-random operations produced with a counter and seed. The original implementation of this function in Heimdal incorrectly encoded the counter as a little-endian integer, but the RFC specifies the counter encoding as big-endian. The implementation initializes the counter to zero, so the first block of output (16 octets, for the modern AES enctypes 17 and 18) is unchanged. (RFC 4402 specifies that the counter should begin at 1, but both existing implementations begin with zero and it looks like the standard will be re-issued, with test vectors, to begin at zero.) This is upstream's commit f85652af868e64811f2b32b815d4198e7f9017f6, from 13 October, 2013: % Fix krb5's gss_pseudo_random() (n is big-endian) % % The first enctype RFC3961 prf output length's bytes are correct because % the little- and big-endian representations of unsigned zero are the % same. The second block of output was wrong because the counter was not % being encoded as big-endian. % % This change could break applications. But those applications would not % have been interoperating with other implementations anyways (in % particular: MIT's). Bump __FreeBSD_version accordingly and add a note in UPDATING. Approved by: hrs (mentor, src committer) 2013-08-20T07:22:20Z Dag-Erling Smørgrav des@FreeBSD.org 2013-08-20T07:22:20Z urn:sha1:ae53d5c183f1d05b1932976ad98f33decb3e1f57 2013-06-28T09:55:00Z Dag-Erling Smørgrav des@FreeBSD.org 2013-06-28T09:55:00Z urn:sha1:2a1b5570a7a0dc6b0ed1d671b09334d13be0eaf3