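Discussion:
[Extremely Critical Security Advisory] FreeBSD-SA-14:06.openssl
(too old to reply)
许可证超出一页纸,非*即盗!
2014-04-08 23:43:58 UTC
The CVSS score for this issue is as high as 9.4 (out of a maximum of 10).

Patching the vulnerability alone is not enough; after the fix, it is recommended to replace all certificates and revoke the previously used ones,
and all sensitive information sent over SSL/TLS should be considered compromised.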
--

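※ Source:・Shuimu Community newsmth.net・[FROM: 24.5.244.*]
江南七怪
2014-04-09 00:55:43 UTC
That's brutal!

【 delphij (许可证超出一页纸,非*即盗!) wrote: 】
: The CVSS score for this issue is as high as 9.4 (out of a maximum of 10).
: Patching the vulnerability alone is not enough; after the fix, it is recommended to replace all certificates and revoke the previously used ones,
: and all sensitive information sent over SSL/TLS should be considered compromised.
: ...................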

--
■■■\ ■■■   ■  ■■■  ■  ■  ■ 
■  ■  ■ ■  ■  ■  ■  ■  ■ 
■  ■  ■■■ ■  ■  ■  ■■■  ■ 
■  ■  ■ ■  ■■■  ■  ■  ■ 
■■■  ■■■  ■■■  ■ ■  ■  ■ 


※ Source:・Shuimu Community newsmth.net・[FROM: 218.16.63.*]
内含子
2014-04-09 04:22:48 UTC
Judging from OpenSSL's announcement, this issue only appears in OpenSSL versions 1.0.1
and 1.0.2: http://www.openssl.org/news/secadv_20140407.txt

【 delphij (许可证超出一页纸,非*即盗!) wrote: 】
: Subject: [Extremely Critical Security Advisory] FreeBSD-SA-14:06.openssl
: Posted via: Shuimu Community (Wed Apr 9 07:42:19 2014), relayed
:
: -----BEGIN PGP SIGNED MESSAGE-----
: Hash: SHA512
:
: =============================================================================
: FreeBSD-SA-14:06.openssl Security Advisory
: The FreeBSD Project
:
: Topic:          OpenSSL multiple vulnerabilities
:
: Category:       contrib
: Module:         openssl
: Announced:      2014-04-08
: Affects:        All supported versions of FreeBSD.
: Corrected:      2014-04-08 18:27:39 UTC (stable/10, 10.0-STABLE)
:                 2014-04-08 18:27:46 UTC (releng/10.0, 10.0-RELEASE-p1)
:                 2014-04-08 23:16:19 UTC (stable/9, 9.2-STABLE)
:                 2014-04-08 23:16:05 UTC (releng/9.2, 9.2-RELEASE-p4)
:                 2014-04-08 23:16:05 UTC (releng/9.1, 9.1-RELEASE-p11)
:                 2014-04-08 23:16:19 UTC (stable/8, 8.4-STABLE)
:                 2014-04-08 23:16:05 UTC (releng/8.4, 8.4-RELEASE-p8)
:                 2014-04-08 23:16:05 UTC (releng/8.3, 8.3-RELEASE-p15)
: CVE Name:       CVE-2014-0076, CVE-2014-0160
:
: For general information regarding FreeBSD Security Advisories,
: including descriptions of the fields above, security branches, and the
: following sections, please visit <URL:http://security.FreeBSD.org/>.
:
: I. Background
:
: FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
: a collaborative effort to develop a robust, commercial-grade, full-featured
: Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
: and Transport Layer Security (TLS v1) protocols as well as a full-strength
: general purpose cryptography library.
:
: The Heartbeat Extension provides a new protocol for TLS/DTLS allowing the
: usage of keep-alive functionality without performing a renegotiation and a
: basis for path MTU (PMTU) discovery for DTLS.
:
: Elliptic Curve Digital Signature Algorithm (ECDSA) is a variant of the
: Digital Signature Algorithm (DSA) which uses Elliptic Curve Cryptography.
: OpenSSL uses the Montgomery Ladder Approach to compute scalar multiplication
: in a fixed amount of time, which does not leak any information through timing
: or power.
:
: II. Problem Description
:
: The code used to handle the Heartbeat Extension does not do sufficient boundary
: checks on record length, which allows reading beyond the actual payload.
: [CVE-2014-0160]. Affects FreeBSD 10.0 only.
:
: A flaw in the implementation of Montgomery Ladder Approach would create a
: side-channel that leaks sensitive timing information. [CVE-2014-0076]
:
: III. Impact
:
: An attacker who can send a specifically crafted packet to TLS server or client
: with an established connection can reveal up to 64k of memory of the remote
: system. Such memory might contain sensitive information, including key
: material, protected content, etc. which could be directly useful, or might
: be leveraged to obtain elevated privileges. [CVE-2014-0160]
:
: A local attacker might be able to snoop a signing process and might recover
: the signing key from it. [CVE-2014-0076]
:
: IV. Workaround
:
: No workaround is available, but systems that do not use OpenSSL to implement
: the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
: protocols implementation and do not use the ECDSA implementation from OpenSSL
: are not vulnerable.
:
: V. Solution
:
: Perform one of the following:
:
: 1) Upgrade your vulnerable system to a supported FreeBSD stable or
: release / security branch (releng) dated after the correction date.
:
: 2) To update your vulnerable system via a source code patch:
:
: The following patches have been verified to apply to the applicable
: FreeBSD release branches.
:
: a) Download the relevant patch from the location below, and verify the
: detached PGP signature using your PGP utility.
:
: [FreeBSD 8.x and FreeBSD 9.x]
: # fetch http://security.FreeBSD.org/patches/SA-14:06/openssl.patch
: # fetch http://security.FreeBSD.org/patches/SA-14:06/openssl.patch.asc
: # gpg --verify openssl.patch.asc
:
: [FreeBSD 10.0]
: # fetch http://security.FreeBSD.org/patches/SA-14:06/openssl-10.patch
: # fetch http://security.FreeBSD.org/patches/SA-14:06/openssl-10.patch.asc
: # gpg --verify openssl-10.patch.asc
:
: Recompile the operating system using buildworld and installworld as
: described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
:
: Restart all daemons using the library, or reboot the system.
:
: 3) To update your vulnerable system via a binary patch:
:
: Systems running a RELEASE version of FreeBSD on the i386 or amd64
: platforms can be updated via the freebsd-update(8) utility:
:
: # freebsd-update fetch
: # freebsd-update install
:
: IMPORTANT: the update procedure above does not update OpenSSL from the
: Ports Collection or from a package, known as security/openssl, which
: has to be updated separately via ports or package. Users who have
: installed security/openssl should update to at least version 1.0.1_10.
:
: VI. Correction details
:
: The following list contains the correction revision numbers for each
: affected branch.
:
: Branch/path        Revision
: - -------------------------------------------------------------------------
: stable/8/          r264285
: releng/8.3/        r264284
: releng/8.4/        r264284
: stable/9/          r264285
: releng/9.1/        r264284
: releng/9.2/        r264284
: stable/10/         r264266
: releng/10.0/       r264267
: - -------------------------------------------------------------------------
:
: To see which files were modified by a particular revision, run the
: following command, replacing NNNNNN with the revision number, on a
: machine with Subversion installed:
:
: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
:
: Or visit the following URL, replacing NNNNNN with the revision number:
:
: <URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
:
: VII. References
:
: <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0076>
: <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160>
:
: <URL:http://www.openssl.org/news/secadv_20140407.txt>
: <URL:http://eprint.iacr.org/2014/140.pdf>
:
: The latest revision of this advisory is available at
: <URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:06.openssl.asc>
: -----BEGIN PGP SIGNATURE-----
: Version: GnuPG v2.0.22 (FreeBSD)
:
: -----END PGP SIGNATURE-----
:
: --
:
: ※ Edited:・delphij modified this post on Apr 9 09:10:55 2014・[FROM: 24.5.244.*]
: ※ Source:・Shuimu Community newsmth.net・[FROM: 24.5.244.*]


--
My workshop: http://www.intron.ac/



※ Source:・Shuimu Community newsmth.net・[FROM: 222.128.157.*]
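
The boundary check that the advisory's Problem Description says the Heartbeat handler lacked, as an added example (not code from this thread, from the FreeBSD patch or from OpenSSL). It follows the RFC 6520 message layout (1-byte type, 2-byte payload_length, payload, at least 16 bytes of padding); the function names and result codes are hypothetical and the sample records are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1   /* RFC 6520 heartbeat_request */
#define HB_RESPONSE 2   /* RFC 6520 heartbeat_response */
#define HB_HEADER   3   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PAD  16  /* RFC 6520 requires at least 16 padding bytes */

/* Result codes; hypothetical names used only in this example. */
enum hb_result { HB_OK = 0, HB_DISCARD = -1, HB_NOSPACE = -2 };

/*
 * Build the response to the heartbeat request in rec[0..rec_len).
 * rec_len is the length of the record actually received. The
 * payload_length field inside the message comes from the peer and is
 * only honoured after it has been checked against rec_len.
 */
enum hb_result hb_build_response(const uint8_t *rec, size_t rec_len,
                                 uint8_t *out, size_t out_cap,
                                 size_t *out_len)
{
    size_t payload_len, need;

    /* Too short to hold the header plus minimum padding: drop. */
    if (rec_len < HB_HEADER + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return HB_DISCARD;

    payload_len = ((size_t)rec[1] << 8) | rec[2];

    /* The boundary check: the claimed payload must fit in the record. */
    if (payload_len > rec_len - HB_HEADER - HB_MIN_PAD)
        return HB_DISCARD;

    need = HB_HEADER + payload_len + HB_MIN_PAD;
    if (need > out_cap)
        return HB_NOSPACE;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len);
    /* A real TLS stack fills the padding with random bytes. */
    memset(out + HB_HEADER + payload_len, 0, HB_MIN_PAD);
    *out_len = need;
    return HB_OK;
}

/* Constructed sample: 4-byte payload "ping" and 16 bytes of padding. */
int hb_demo_honest(void)
{
    uint8_t rec[HB_HEADER + 4 + HB_MIN_PAD] = { HB_REQUEST, 0x00, 0x04,
                                                'p', 'i', 'n', 'g' };
    uint8_t out[64];
    size_t n = 0;

    if (hb_build_response(rec, sizeof rec, out, sizeof out, &n) != HB_OK)
        return -1;
    /* The echo must be exactly as long as the request and carry "ping". */
    return (n == sizeof rec && memcmp(out + HB_HEADER, "ping", 4) == 0)
               ? (int)n : -1;
}

/* Constructed sample: same record size, but the length field claims
 * 0x4000 bytes of payload that were never sent. */
int hb_demo_overclaim(void)
{
    uint8_t rec[HB_HEADER + 4 + HB_MIN_PAD] = { HB_REQUEST, 0x40, 0x00 };
    uint8_t out[64];
    size_t n = 0;

    return hb_build_response(rec, sizeof rec, out, sizeof out, &n);
}

int main(void)
{
    printf("honest request    -> %d response bytes\n", hb_demo_honest());
    printf("over-claimed size -> result %d (discarded)\n",
           hb_demo_overclaim());
    return 0;
}
```
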
内含子
2014-04-09 05:08:45 UTC
What are the FreeBSD 8.x and 9.x patches for?

【 delphij (许可证超出一页纸,非*即盗!) wrote: 】
: Subject: [Extremely Critical Security Advisory] FreeBSD-SA-14:06.openssl
: Posted via: Shuimu Community (Wed Apr 9 07:42:19 2014), relayed


--
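My workshop: http://www.intron.ac/



※ Source:・Shuimu Community newsmth.net・[FROM: 222.128.157.*]
库卡
2014-04-09 06:33:28 UTC
This issue is really deadly... As an individual, all I can do is update a few of my most important passwords and pretend nothing happened with the rest.

What happened with OpenBSD this time? Isn't their code review process supposed to be super strict?

【 delphij (许可证超出一页纸,非*即盗!) wrote: 】
: The CVSS score for this issue is as high as 9.4 (out of a maximum of 10).
: Patching the vulnerability alone is not enough; after the fix, it is recommended to replace all certificates and revoke the previously used ones,
: and all sensitive information sent over SSL/TLS should be considered compromised.
: ...................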

--

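※ Source:・Shuimu Community newsmth.net・[FROM: 124.205.77.*]
库卡
2014-04-09 06:32:28 UTC
I took a look at the patch; it is not directly related to the relevant code I looked at yesterday. It looks like they hardened another spot along the way?

【 intron (内含子) wrote: 】
: What are the FreeBSD 8.x and 9.x patches for?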


--

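※ Source:・Shuimu Community newsmth.net・[FROM: 124.205.77.*]
基因~也许以后~~
2014-04-09 07:31:31 UTC
I wonder whether this could lead to private key leakage?

【 delphij (许可证超出一页纸,非*即盗!) wrote: 】
: The CVSS score for this issue is as high as 9.4 (out of a maximum of 10).
: Patching the vulnerability alone is not enough; after the fix, it is recommended to replace all certificates and revoke the previously used ones,
: and all sensitive information sent over SSL/TLS should be considered compromised.
: ...................

--
C’est La Vie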


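※ Source:・Shuimu Community newsmth.net・[FROM: 123.113.182.*]
ATi->AMD|PassingAway
2014-04-09 09:41:15 UTC
I had the same question at first; before the security advisory came out I specifically took a look at the openssl version in 9-R.

The Problem Description lists two CVEs; 8-R and 9-R should be fixing only the second CVE.
【 intron (内含子) wrote: 】
: Subject: Re: [Extremely Critical Security Advisory] FreeBSD-SA-14:06.openssl
: Posted via: Shuimu Community (Wed Apr 9 13:08:44 2014), relayed
:
: What are the FreeBSD 8.x and 9.x patches for?
:
: 【 delphij (许可证超出一页纸,非*即盗!) wrote: 】
: : Subject: [Extremely Critical Security Advisory] FreeBSD-SA-14:06.openssl
: : Posted via: Shuimu Community (Wed Apr 9 07:42:19 2014), relayed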
:
:
: --
: My workshop: http://www.intron.ac/
:
:
:
: ※ Source:・Shuimu Community newsmth.net・[FROM: 222.128.157.*]


--
- What.. am I to you?
- You-- are my formula
- Ah~~ so I'm a formula ~>_<~
- That way I can derive you └(^o^)┘


※ Source:・Shuimu Community newsmth.net・[FROM: 212.215.236.*]
许可证超出一页纸,非*即盗!
2014-04-09 17:31:37 UTC
【 intron (内含子) wrote: 】
: What are the FreeBSD 8.x and 9.x patches for?

CVE-2014-0076

--

※ Source:・Shuimu Community newsmth.net・[FROM: 24.5.244.*]
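许可证超出一页纸,非*即盗!
2014-04-09 17:31:58 UTC
【 Immajia (库卡) wrote: 】
: This issue is really deadly... As an individual, all I can do is update a few of my most important passwords and pretend nothing happened with the rest.
: What happened with OpenBSD this time? Isn't their code review process supposed to be super strict?

OpenBSD got hit by a stray bullet

--

※ Source:・Shuimu Community newsmth.net・[FROM: 24.5.244.*]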
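许可证超出一页纸,非*即盗!
2014-04-09 17:32:53 UTC
【 cybergene (基因~也许以后~~) wrote: 】
: I wonder whether this could lead to private key leakage?

Not necessarily, but there is no way to rule out the possibility, and in most cases you don't even have logs.

In this situation the safest approach is to assume that a compromise has already happened.

--

※ Source:・Shuimu Community newsmth.net・[FROM: 24.5.244.*]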
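ATi->AMD|PassingAway
2014-04-10 04:29:19 UTC
Ha, at first I also thought the name OpenSSL had something to do with OpenBSD; later I found out it is a completely independent project.

Among OpenBSD's projects, the one most closely tied to everyday use is really just OpenSSH.

【 Immajia (库卡) wrote: 】
: This issue is really deadly... As an individual, all I can do is update a few of my most important passwords and pretend nothing happened with the rest.
: What happened with OpenBSD this time? Isn't their code review process supposed to be super strict?


--
- What.. am I to you?
- You-- are my formula
- Ah~~ so I'm a formula ~>_<~
- That way I can derive you └(^o^)┘


※ Source:・Shuimu Community newsmth.net・[FROM: 211.99.222.*]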
库卡
2014-04-10 14:03:25 UTC
OK, it's OpenSSH; that was dumb of me.....

【 delphij (许可证超出一页纸,非*即盗!) wrote: 】
: OpenBSD got hit by a stray bullet


--

※ Source:・Shuimu Community newsmth.net・[FROM: 124.205.76.*]
基因~也许以后~~
2014-04-10 14:23:34 UTC
OpenSSH keeps taking stray bullets...

【 Immajia (库卡) wrote: 】
: OK, it's OpenSSH; that was dumb of me.....


--
C’est La Vie


※ Source:・Shuimu Community newsmth.net・[FROM: 123.113.182.*]
库卡
2014-04-10 15:27:36 UTC
Huh? That wasn't wrong, was it? OpenSSH is made by the OpenBSD people.

【 cybergene (基因~也许以后~~) wrote: 】

OpenSSH keeps taking stray bullets...

【 Immajia (库卡) wrote: 】
: OK, it's OpenSSH; that was dumb of me.....


--
C’est La Vie




--

※ Source:・Shuimu Community newsmth.net・[FROM: 124.205.76.*]
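土人・春秋
2014-04-12 18:46:40 UTC
When I saw the Heartbleed news, I thought to myself that BSD, known for its security, might be spared, so I came over to look today, only to find the board full of ‘extremely critical’ posts... Sigh, who says bugs in open source are easy to find? The affected area is this huge!


【 delphij (许可证超出一页纸,非*即盗!) wrote: 】
: The CVSS score for this issue is as high as 9.4 (out of a maximum of 10).
: Patching the vulnerability alone is not enough; after the fix, it is recommended to replace all certificates and revoke the previously used ones,
: and all sensitive information sent over SSL/TLS should be considered compromised.

--

※ Source:・Shuimu Community http://newsmth.net・[FROM: 49.122.68.*]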
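内含子
2014-04-12 20:07:44 UTC
This is probably because the SSL protocol is fairly complex and hard for people to learn and understand.
GNUTLS, another open-source implementation of SSL, has also had some problems exposed.

The cryptographic part of the SSH protocol is comparatively much simpler, so its open-source implementations OpenSSH,
LibSSH and LibSSH2 have not yet had any major problems exposed in encryption and authentication.
The complexity of the SSH protocol lies mainly in areas such as channel management, which only come into play
after authentication. So even if vulnerabilities appear in those parts, the harm is much smaller.


【 pengtu (土人・春秋) wrote: 】
: Subject: Re: [Extremely Critical Security Advisory] FreeBSD-SA-14:06.openssl
: Posted via: Shuimu Community (Sun Apr 13 02:46:40 2014), relayed
:
: When I saw the Heartbleed news, I thought to myself that BSD, known for its security, might be spared, so I came over to look today, only to find the board full of ‘extremely critical’ posts... Sigh, who says bugs in open source are easy to find? The affected area is this huge!
:
:
: 【 delphij (许可证超出一页纸,非*即盗!) wrote: 】
: : The CVSS score for this issue is as high as 9.4 (out of a maximum of 10).
: : Patching the vulnerability alone is not enough; after the fix, it is recommended to replace all certificates and revoke the previously used ones,
: : and all sensitive information sent over SSL/TLS should be considered compromised.
:
: --
:
: ※ Source:・Shuimu Community http://newsmth.net・[FROM: 49.122.68.*]


--
My workshop: http://www.intron.ac/



※ Source:・Shuimu Community newsmth.net・[FROM: 221.223.234.*]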