On Wed, Jan 7, 2009 at 5:49 PM, Matthew Seaman < m.sea...@infracaninophile.co.uk> wrote:
> FreeBSD Security Advisories wrote: > > I. Background >> >> FreeBSD includes software from the OpenSSL Project. The OpenSSL Project >> is >> a collaborative effort to develop a robust, commercial-grade, >> full-featured >> Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) >> and Transport Layer Security (TLS v1) protocols as well as a full-strength >> general purpose cryptography library. >> >> II. Problem Description >> >> The EVP_VerifyFinal() function from OpenSSL is used to determine if a >> digital signature is valid. The SSL layer in OpenSSL uses >> EVP_VerifyFinal(), which in several places checks the return value >> incorrectly and treats verification errors as a good signature. This >> is only a problem for DSA and ECDSA keys. >> >> III. Impact >> >> For applications using OpenSSL for SSL connections, an invalid SSL >> certificate may be interpreted as valid. This could for example be >> used by an attacker to perform a man-in-the-middle attack. >> >> Other applications which use the OpenSSL EVP API may similarly be >> affected. >> > > The oCert advisory at http://ocert.org/advisories/ocert-2008-016.html > lists BIND and NTP as affected packages. Don't the base system versions > of those apps also need patching? > > Cheers, > > Matthew > > > -- > Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard > Flat 3 > PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate > Kent, CT11 9PW I was told they don't but I believe they do since it's the code inside of ntp and bind don't check the return code correctly from what I can tell for the OpenSSL EVP API _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"