Contributed by tbert on from the get-your-FREAK-on dept.
When CVE-2015-0204 (RSA silently downgrades to EXPORT_RSA) was announced, it was labeled "Severity: Low". Our assessment at the time was that export ciphers had already been removed prior to the release of 5.6, and that the fix was not worth backporting to 5.5.
Then CVE-2015-0204 was renamed the FREAK attack. Now it has a fancy name so you know it's important.
Unfortunately, our original assessment was not entirely correct. Some of the features exploited by FREAK were not deleted until after 5.6, although this was not known until testing tools became available. We've corrected libssl by backporting the necessary changes to 5.6.
The patch below includes the fix for CVE-2015-0204 as well as some other "low severity" fixes for similar downgrade issues relating to ECDHE.
Statement regarding 5.5: SSL/TLS is hooped. There have been too many changes, large and small, that make backporting and testing indvidual fixes difficult. Additionally, many small fixes get overlooked.
Thanks to Florian Riehm for pointing out that 5.6 was still vulnerable to FREAK.
http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/017_openssl.patch.sig
untrusted comment: signature from openbsd 5.6 base private key RWR0EANmo9nqhpxHVrEZWmf2qAA9zblsetB0gpcMFrkMumxjVXGdcaRNHc7TS+IkdiYNDncAU2qjYSaM8bDI+nQp9HUayjp3RQQ=
OpenBSD 5.6 errata 17, Mar 13, 2015:
Don't permit TLS client connections to be downgraded to weak keys.
Apply by doing:
cd /usr/src signify -Vep /etc/signify/openbsd-56-base.pub -x 017_openssl.patch.sig -m - | \ patch -p0And then rebuild and install libssl:
cd lib/libssl/ssl make obj make depend make make install
(Comments are closed)
By Anonymous Coward (72.95.160.22) on
> OpenBSD 5.6 errata 17, Mar 13, 2015:
>
This patch appears to be from the future!
>
> cd lib/libssl/ssl
> make obj
> make depend
> make
> make install
>
I thought that "make depend" wasn't needed anymore. Is that line necessary?
Comments
By brynet (Brynet) on http://brynet.biz.tm/
That's for the kernel.
Comments
By Anonymous Coward (72.95.160.22) on
> > I thought that "make depend" wasn't needed anymore.
>
> That's for the kernel.
But then why didn't the previous LibSSl patch
include a "make depend"?
By Anonymous Coward (174.141.67.42) on
Or am I reading it wrong?
Comments
By Anonymous Coward (62.224.111.40) on
> Or am I reading it wrong?
From TFA: "Statement regarding 5.5: SSL/TLS is hooped."
It appears that you are not reading it wrong. Time to perform a security-related upgrade for you, it seems :)