[Ach] Issue with OpenSSL >0.9.8l

Jan jan at jan-hill.com
Fri Apr 25 18:33:07 CEST 2014


Is there nobody on the list who can
1 ) open a ticket @openssl
2 ) take a look in the relevant openssl commit 0.9.7m ( and write a patch)

I am on holidays and far away of a keyboard, so I only took a look in the commit with my phone.

Cheers Jan

On 25. April 2014 18:24:15 MESZ, Leon Letto <leon at vectronic.ca> wrote:
>Hi Everyone,
>
>Sorry to ask for clarification but I am a bit confused about this
>vulnerability.  Is it something I should be sending out to my coworkers
>since almost all of them use Mac computers?
>
>I prepared an e-mail piecing together what I think I should tell them
>but
>if this is totally off base then I should not send it until there is
>something official I guess.   Please take a look and see if this makes
>sense to send out?
>
>Leon
>
>___  Message Start ____
>
>The following is from multiple e-mails which were sent out this morning
>from the guys at bettercrypto.org and others.  All versions of OSX are
>affected (as well as debian and EL5 Linux) unless you have updated to
>1.0.1g which is the latest version.
>
>I didn’t send it out to everyone because it only affects people who are
>using OpenSSL on their systems I think (not sure) like developers or
>others’s who are playing with crypto and servers running affected OS's.
> I
>think IT needs to evaluate how many people it affects and if its worth
>getting everyone to do the fix (install Homebrew and install the latest
>OpenSSL. - instructions are at the bottom / Compile from Source)  or
>wait
>for Apple?
>
>Leon
>
>
>This is an Issue with missing cypher suites in OpenSSL all the way back
>to
>0.9.8 and all newer.
>
>https://github.com/puppetlabs/puppet/pull/2494#issuecomment-41351666
>
>The OpenSSL 0.9.8 tree is entirely affected as are 0.9.7 versions that
>appeared later than 0.9.7m.
>
>This has been reproduced on debian squeeze and affects EL5 as well as
>ALL
>versions of OS X up to and including the current Mavericks.
>
>Eg.
>
>$ /usr/bin/openssl version
>
>OpenSSL 0.9.8y 5 Feb 2013
>
>
>Expanding Ciphersuite B results in:
>
>$ /usr/bin/openssl ciphers
>'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
>
>AES256-SHA:AES128-SHA
>
>Unexpectedly, DHE ciphers are missing.
>
>
>This is the latest version:
>
>$ /opt/local/bin/openssl version
>
>OpenSSL 1.0.1g 7 Apr 2014
>
>$ /opt/local/bin/openssl ciphers
>'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
>>
>DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
>
>
>PROBABLE FIX:
>
>If one is using homebrew, the existing OS X openssl lib can be
>overwritten:
>
>$ openssl version
>
>OpenSSL 0.9.8y 5 Feb 2013
>
>$ brew install openssl
>
>$ brew link --force openssl
>
>open a new terminal (tab)
>
>$ openssl version
>
>OpenSSL 1.0.1g 7 Apr 2014
>
>For sure it should be fixed by Apple, but that can take time …
>
>____  Message End ______
>
>
>-- 
>Leon Letto
>
>
>------------------------------------------------------------------------
>
>_______________________________________________
>Ach mailing list
>Ach at lists.cert.at
>http://lists.cert.at/cgi-bin/mailman/listinfo/ach

-- 
Diese Nachricht wurde von meinem Android-Mobiltelefon mit K-9 Mail gesendet.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cert.at/pipermail/ach/attachments/20140425/47060a4d/attachment.html>


More information about the Ach mailing list