Re: OpenSSL Security Advisory

2014-06-05 Thread Juha Saarinen
Hi Steve,

That’s quite a few in one go - is this due to greater testing of OpenSSL and 
more scrutiny of the code by the community?

Of the flaws listed, which is the one of most concern?

This kind of begs the question what to do with all those embedded systems that 
run older versions of OpenSSL.

Thanks

— 
Juha



On 5/06/2014, at 11:54 pm, OpenSSL open...@openssl.org wrote:

 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA256
 
 OpenSSL Security Advisory [05 Jun 2014]
 =======================================
 
 Resend: first version contained characters which could cause signature 
 failure.
 
 SSL/TLS MITM vulnerability (CVE-2014-0224)
 ==========================================
 
 An attacker using a carefully crafted handshake can force the use of weak
 keying material in OpenSSL SSL/TLS clients and servers. This can be exploited
 by a Man-in-the-middle (MITM) attack where the attacker can decrypt and 
 modify traffic from the attacked client and server.
 
 The attack can only be performed between a vulnerable client *and*
 server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers
 are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users
 of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.
 
 OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
 OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
 OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.
 
 Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
 researching this issue.  This issue was reported to OpenSSL on 1st May
 2014 via JPCERT/CC.
 
 The fix was developed by Stephen Henson of the OpenSSL core team partly based
 on an original patch from KIKUCHI Masashi.
 
 DTLS recursion flaw (CVE-2014-0221)
 ===================================
 
 By sending an invalid DTLS handshake to an OpenSSL DTLS client the code
 can be made to recurse eventually crashing in a DoS attack.
 
 Only applications using OpenSSL as a DTLS client are affected.
 
 OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8za
 OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0m.
 OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1h.
 
 Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.  This
 issue was reported to OpenSSL on 9th May 2014.
 
 The fix was developed by Stephen Henson of the OpenSSL core team.
 
 DTLS invalid fragment vulnerability (CVE-2014-0195)
 ===================================================
 
 A buffer overrun attack can be triggered by sending invalid DTLS fragments
 to an OpenSSL DTLS client or server. This is potentially exploitable to
 run arbitrary code on a vulnerable client or server.
 
 Only applications using OpenSSL as a DTLS client or server are affected.
 
 OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8za
 OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0m.
 OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1h.
 
 Thanks to Juri Aedla for reporting this issue.  This issue was
 reported to OpenSSL on 23rd April 2014 via HP ZDI.
 
 The fix was developed by Stephen Henson of the OpenSSL core team.
 
 SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
 =================================================================
 
 A flaw in the do_ssl3_write function can allow remote attackers to
 cause a denial of service via a NULL pointer dereference.  This flaw
 only affects OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is
 enabled, which is not the default and not common.
 
 OpenSSL 1.0.0 users should upgrade to 1.0.0m.
 OpenSSL 1.0.1 users should upgrade to 1.0.1h.
 
 This issue was reported in public.  The fix was developed by
 Matt Caswell of the OpenSSL development team.
 
 SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
 ===============================================================================
 
 A race condition in the ssl3_read_bytes function can allow remote
 attackers to inject data across sessions or cause a denial of service.
 This flaw only affects multithreaded applications using OpenSSL 1.0.0
 and 1.0.1, where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the
 default and not common.
 
 OpenSSL 1.0.0 users should upgrade to 1.0.0m.
 OpenSSL 1.0.1 users should upgrade to 1.0.1h.
 
 This issue was reported in public.  
 
 Anonymous ECDH denial of service (CVE-2014-3470)
 ================================================
 
 OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a
 denial of service attack.
 
 OpenSSL 0.9.8 users should upgrade to 0.9.8za
 OpenSSL 1.0.0 users should upgrade to 1.0.0m.
 OpenSSL 1.0.1 users should upgrade to 1.0.1h.
 
 Thanks to Felix Grobert and Ivan Fratric at Google for discovering this
 issue.  This issue was reported to OpenSSL on 28th May 2014.
 
 The fix was developed by Stephen Henson of the OpenSSL core team.
 
 Other issues
 ============
 
 OpenSSL 1.0.0m and OpenSSL 0.9.8za 
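
Added example, not part of the advisory or of this thread: a small Python check that sorts version banners (as printed by "openssl version") against the fixed releases the advisory names for each branch. The hostnames and the banners in INVENTORY are constructed for illustration.

```python
import re

# Fixed releases named in the advisory, keyed by release branch.
FIXED = {"0.9.8": "za", "1.0.0": "m", "1.0.1": "h"}

_VERSION_RE = re.compile(r"\b(\d+\.\d+\.\d+)([a-z]*)")


def parse_version(banner):
    """Split e.g. 'OpenSSL 1.0.1g 7 Apr 2014' into ('1.0.1', 'g')."""
    match = _VERSION_RE.search(banner)
    if match is None:
        raise ValueError("no OpenSSL version in %r" % banner)
    return match.group(1), match.group(2)


def letter_rank(suffix):
    """Order patch letters: '' < a..z < za..zz, so 0.9.8za is newer than 0.9.8y."""
    return (len(suffix), suffix)


def classify(banner):
    """Return 'fixed', 'upgrade', or 'no-fix-listed' for one version banner."""
    branch, suffix = parse_version(banner)
    fixed = FIXED.get(branch)
    if fixed is None:
        return "no-fix-listed"  # branch has no fixed release in the advisory
    return "fixed" if letter_rank(suffix) >= letter_rank(fixed) else "upgrade"


# Constructed inventory (hostnames and banners are made up for this example).
INVENTORY = {
    "router-a": "OpenSSL 0.9.8y 5 Feb 2013",
    "router-b": "OpenSSL 0.9.8za 5 Jun 2014",
    "web-1": "OpenSSL 1.0.1g 7 Apr 2014",
    "web-2": "OpenSSL 1.0.1h 5 Jun 2014",
    "lab": "OpenSSL 1.0.2-beta1 24 Feb 2014",
}


def audit(inventory):
    """Classify every host in a {host: banner} mapping."""
    return {host: classify(banner) for host, banner in inventory.items()}


if __name__ == "__main__":
    for host, status in sorted(audit(INVENTORY).items()):
        print("%-10s %s" % (host, status))
```

Distribution packages often backport fixes without changing the upstream letter, so an "upgrade" result is a prompt to check the vendor's own advisory rather than proof that the host is vulnerable.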

RE: (HotStocks Spam) Solutions

2000-09-30 Thread Juha Saarinen

%- But, then again, after nearly 18 years of "Internet" connectivity and
%- constant urging of our fellow employees who remember the "good
%- old days", we
%- are fairly close to what one might call "zero tolerance".

Yep, and ORBS' insistence on abusing non-relaying MTAs that have never been
involved in spamming should be covered by that "zero tolerance" policy.

-- Juha

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



RE: (HotStocks Spam) Solutions

2000-09-29 Thread Juha Saarinen

%- There probably is a way - perhaps a direct tap into orbs - BUT
%- that would
%- affect us more than them.  See - if the ISP the emails are originating
%- from is in say ORBS then all mail from that ISP will get bounced - hence

Not ORBS, thanks. It has spite-listed most of my ISP's netblocks, which is
not the way to combat spam.

-- Juha




RPM -ta fails with 0.9.6

2000-09-27 Thread Juha Saarinen

This is as far as I get...


../certs/vsigntca.pem: OK
Generate a set of DH parameters
./dhtest
.+.++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*+
+*++*++*

p=E063DD42B2E294D3
g=5
pri 1=46C278B63CE23DAD
pub 1=C4BF8DF2FF965D66
pri 2=4DEFB8E041D68290
pub 2=6F7EA01B7586D1A3
key1 =600C3445CC6C0A46
key2 =600C3445CC6C0A46
Generate a set of DSA parameters
./dsatest
test generation of DSA parameters
.++*
...++..+...++.+..+..

+++*
seed
D5014E4B 60EF2BA8 B6211B40 62BA3224 E0427DD3
counter=105 h=2
P:
00:8d:f2:a4:94:49:22:76:aa:3d:25:75:9b:b0:68:
69:cb:ea:c0:d8:3a:fb:8d:0c:f7:cb:b8:32:4f:0d:
78:82:e5:d0:76:2f:c5:b7:21:0e:af:c2:e9:ad:ac:
32:ab:7a:ac:49:69:3d:fb:f8:37:24:c2:ec:07:36:
ee:31:c8:02:91
Q:
00:c7:73:21:8c:73:7e:c8:ee:99:3b:4f:2d:ed:30:
f4:8e:da:ce:91:5f
G:
62:6d:02:78:39:ea:0a:13:41:31:63:a5:5b:4c:b5:
00:29:9d:55:22:95:6c:ef:cb:3b:ff:10:f3:99:ce:
2c:2e:71:cb:9d:e5:fa:24:ba:bf:58:e5:b7:95:21:
92:5c:9c:c4:2e:9f:6f:46:4b:08:8c:c5:72:af:53:
e6:d7:88:02
14964:error:0A071003:dsa routines:DSA_do_verify:BN lib:dsa_ossl.c:288:
make[1]: *** [test_dsa] Error 1
make[1]: Leaving directory `/usr/src/redhat/BUILD/openssl-0.9.6/test'
make: *** [tests] Error 2
Bad exit status from /var/tmp/rpm-tmp.80732 (%build)

Kernel 2.4.0-test9-pre7, gcc 2.96.

What could be wrong?



--

Juha

"Bother," said Pooh as he struggled with sendmail.cf, "it never does quite
what I want. I wish Christopher Robin was here."

   /"\
   \ / ASCII Ribbon Campaign
    X  Against HTML Mail
   / \
