From owner-doc-jp-work@jp.FreeBSD.org Fri Mar 19 03:02:59 2004
Message-Id: <20040319.030113.15184093.hrs@eos.ocn.ne.jp>
To: doc-jp-work@jp.FreeBSD.org
From: Hiroki Sato <hrs@eos.ocn.ne.jp>
In-Reply-To: <20040309.011535.85395435.hrs@eos.ocn.ne.jp>
References: <20040308.073548.133830425.hrs@eos.ocn.ne.jp>
	<20040308.224844.74747362.rushani@bl.mmtr.or.jp>
	<20040309.011535.85395435.hrs@eos.ocn.ne.jp>
X-PGPkey-fingerprint: BDB3 443F A5DD B3D0 A530  FFD7 4F2C D3D8 2793 CF2D
X-Mailer: Mew version 4.0.62 on Emacs 21.3.1 / Mule 5.0 (SAKAKI)
Mime-Version: 1.0
Content-Type: Multipart/Signed; protocol="application/pgp-signature";
 micalg=pgp-sha1;
 boundary="--Security_Multipart0(Fri_Mar_19_03_01_13_2004_372)--"
Content-Transfer-Encoding: 7bit
Reply-To: doc-jp-work@jp.FreeBSD.org
Precedence: list
Date: Fri, 19 Mar 2004 03:01:13 +0900
X-Sequence: doc-jp-work 845
Subject: [doc-jp-work 845] Re: [FreeBSD-Announce] FreeBSD Security
 Advisory FreeBSD-SA-04:04.tcp
Sender: owner-doc-jp-work@jp.FreeBSD.org
X-Originator: hrs@eos.ocn.ne.jp
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+040307

----Security_Multipart0(Fri_Mar_19_03_01_13_2004_372)--
Content-Type: Multipart/Mixed;
 boundary="--Next_Part(Fri_Mar_19_03_01_13_2004_247)--"
Content-Transfer-Encoding: 7bit

----Next_Part(Fri_Mar_19_03_01_13_2004_247)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit

This is Sato at Tokyo University of Science.

 Sorry, I was a bit busy and this is late.
 Here are the revised version of 04:04 and the new 04:05.

--
| Hiroki Sato @ Tokyo University of Science


----Next_Part(Fri_Mar_19_03_01_13_2004_247)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="04:04"

FreeBSD Security Advisory, Japanese Edition
=============================================================================
FreeBSD-SA-04:04.tcp (2004-03-02)
 * many out-of-sequence TCP packets denial-of-service
=============================================================================

 This mail is a Japanese translation of the following message, which was
 posted to announce-jp:

  Subject: ANNOUNCE: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-04:04.tcp
  From: FreeBSD Security Advisories <security-advisories@freebsd.org>
  Date: Tue, 2 Mar 2004 11:55:44 -0800
  Message-Id: <200403021955.i22Jti60024050@freefall.freebsd.org>
  X-Sequence: announce-jp 1213

 The original is PGP-signed, but this Japanese translation is not.
 To check the PGP signature in order to confirm that the content, such as
 the patches, has not been tampered with, refer to the original.

 For details on the Japanese translation and on using mirror sites, see
 "A. About the Japanese Edition of FreeBSD Security Advisories" at the
 end of this document.


                                     [Translator: Hiroki Sato <hrs@jp.FreeBSD.org>]
--(begins here)

=============================================================================
FreeBSD-SA-04:04.tcp                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Denial of service using many out-of-sequence TCP packets
                (many out-of-sequence TCP packets denial-of-service)

Category:       core
Module:         kernel
Announced:      2004-03-02
Credits:        iDEFENSE
Affects:        All FreeBSD releases
Corrected:      2004-03-02 17:19:18 UTC (RELENG_4)
                2004-03-02 17:24:46 UTC (RELENG_5_2, 5.2.1-RELEASE-p1)
                2004-03-02 17:26:33 UTC (RELENG_4_9, 4.9-RELEASE-p3)
                2004-03-02 17:27:47 UTC (RELENG_4_8, 4.8-RELEASE-p16)
CVE Name:       CAN-2004-0171
FreeBSD only:   NO


I.   Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data
stream service.  When network packets making up a TCP stream (``TCP
segments'') are received out-of-sequence, they are maintained in a
reassembly queue by the destination system until they can be re-ordered
and re-assembled.

TCP (Transmission Control Protocol), which is part of the TCP/IP protocol
suite, provides a connection-oriented, highly reliable data stream service
in which arrival order is preserved.  When a system receives the network
packets that make up a TCP stream (TCP segments) out of order, those
packets are stored in that system's reassembly queue until they have been
put back in order and reassembled.


II.  Problem Description

FreeBSD does not limit the number of TCP segments that may be held in a
reassembly queue.

The reassembly queue in FreeBSD has no limit on the number of TCP segments
it can hold.


III. Impact

A remote attacker may conduct a low-bandwidth denial-of-service attack
against a machine providing services based on TCP (there are many such
services, including HTTP, SMTP, and FTP).  By sending many
out-of-sequence TCP segments, the attacker can cause the target machine
to consume all available memory buffers (``mbufs''), likely leading to
a system crash.

A remote attacker may be able to conduct a kind of denial-of-service
attack that does not saturate the link (low-bandwidth denial-of-service
attack) against a machine that provides services using TCP (there are many
services that use TCP, such as HTTP, SMTP, and FTP).  By sending a large
number of TCP segments whose packet order is scrambled, the attacker can
make the target machine consume all of its available memory buffers (mbuf)
and crash the system.
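
The limit whose absence sections II and III describe, as an added example
(not part of the advisory and not the FreeBSD patch): a user-space model of
a reassembly queue that refuses out-of-sequence segments once a cap is
reached but always accepts the segment that fills the hole.  All names
(REASS_MAXSEG, reass_input, reass_demo_flood) and the cap of 4 are
assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Sequence-number comparison that survives 32-bit wraparound. */
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_LEQ(a, b) ((int32_t)((a) - (b)) <= 0)
enum { REASS_MAXSEG = 4 };  /* hypothetical cap across all connections */
struct seg   { uint32_t seq, len; struct seg *next; };
struct reass { uint32_t rcv_nxt; struct seg *head; };  /* head sorted by seq */

unsigned reass_cursegs;     /* out-of-sequence segments held right now */
unsigned reass_overflows;   /* segments refused because of the cap */

/* Hand over queued segments that have become contiguous with rcv_nxt. */
static long reass_drain(struct reass *q)
{
    long delivered = 0;
    while (q->head != NULL && SEQ_LEQ(q->head->seq, q->rcv_nxt)) {
        struct seg *s = q->head;
        uint32_t end = s->seq + s->len;
        if (SEQ_LT(q->rcv_nxt, end)) {   /* part of it is still new */
            delivered += (long)(end - q->rcv_nxt);
            q->rcv_nxt = end;
        }
        q->head = s->next;
        free(s);
        reass_cursegs--;
    }
    return delivered;
}

/* Returns bytes delivered in order; 0 if queued or nothing new; -1 if dropped. */
long reass_input(struct reass *q, uint32_t seq, uint32_t len)
{
    uint32_t end = seq + len;
    struct seg **pp, *s;
    if (len == 0 || SEQ_LEQ(end, q->rcv_nxt))
        return 0;
    if (SEQ_LEQ(seq, q->rcv_nxt)) {      /* fills the hole: never refused */
        long n = (long)(end - q->rcv_nxt);
        q->rcv_nxt = end;
        return n + reass_drain(q);
    }
    if (reass_cursegs >= REASS_MAXSEG) { /* the limit the advisory says is absent */
        reass_overflows++;
        return -1;                       /* the sender will retransmit */
    }
    for (pp = &q->head; *pp != NULL && SEQ_LT((*pp)->seq, seq); pp = &(*pp)->next)
        continue;
    if (*pp != NULL && (*pp)->seq == seq)
        return 0;                        /* already queued */
    if ((s = malloc(sizeof(*s))) == NULL)
        return -1;
    s->seq = seq; s->len = len; s->next = *pp;
    *pp = s;
    reass_cursegs++;
    return 0;
}

/* Constructed input: n segments beyond a hole that is never filled. */
unsigned reass_demo_flood(struct reass *q, unsigned n)
{
    unsigned i;
    for (i = 0; i < n; i++)
        (void)reass_input(q, q->rcv_nxt + 1000 + i * 10, 10);
    return reass_cursegs;
}

int main(void)
{
    struct reass q = { 1000, NULL };
    printf("held=%u\n", reass_demo_flood(&q, 100));
    printf("delivered=%ld\n", reass_input(&q, 1000, 1000));
    return 0;
}
```
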


IV.  Workaround

It may be possible to mitigate some denial-of-service attacks by
implementing timeouts at the application level.

If timeouts are implemented at the application level, it may be possible
to mitigate denial-of-service attacks to some extent.


V.   Solution

Do one of the following:
Please follow one of the following.

1) Upgrade your vulnerable system to 4-STABLE, or to the RELENG_5_2,
RELENG_4_9, or RELENG_4_8 security branch dated after the correction
date.
1) Upgrade the vulnerable FreeBSD system to the latest 4-STABLE, or to
   one of the RELENG_5_2, RELENG_4_9, or RELENG_4_8 security branches
   dated on or after the correction date.

OR
Alternatively,

2) Patch your present system:
2) Apply the patch to the present system.

The following patch has been verified to apply to FreeBSD 4.x and 5.x
systems.

The following patch has been confirmed to be applicable to FreeBSD 4.x
and FreeBSD 5.x systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
a) Download the patch from the location below and check the PGP
   signature using a PGP utility.

[FreeBSD 5.2]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp52.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp52.patch.asc

[FreeBSD 4.8, 4.9]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp47.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp47.patch.asc

b) Apply the patch.
b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

 (Translator's note: replace /path/to/patch with the path name of the patch)

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.
c) Rebuild the kernel following the procedure described at
   <URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot
   the system.


VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

The revision numbers of the files corrected in FreeBSD this time are as
follows.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/UPDATING                                                  1.73.2.90
  src/sys/conf/newvers.sh                                       1.44.2.33
  src/sys/netinet/tcp_input.c                                  1.107.2.40
  src/sys/netinet/tcp_subr.c                                    1.73.2.33
  src/sys/netinet/tcp_var.h                                     1.56.2.15
RELENG_5_2
  src/UPDATING                                                  1.282.2.9
  src/sys/conf/newvers.sh                                        1.56.2.8
  src/sys/netinet/tcp_input.c                                   1.217.2.2
  src/sys/netinet/tcp_subr.c                                    1.169.2.4
  src/sys/netinet/tcp_var.h                                      1.93.2.2
RELENG_4_9
  src/UPDATING                                              1.73.2.89.2.4
  src/sys/conf/newvers.sh                                   1.44.2.32.2.4
  src/sys/netinet/tcp_input.c                              1.107.2.38.2.1
  src/sys/netinet/tcp_subr.c                                1.73.2.31.4.1
  src/sys/netinet/tcp_var.h                                 1.56.2.13.4.1
RELENG_4_8
  src/UPDATING                                             1.73.2.80.2.19
  src/sys/conf/newvers.sh                                  1.44.2.29.2.17
  src/sys/netinet/tcp_input.c                              1.107.2.37.2.1
  src/sys/netinet/tcp_subr.c                                1.73.2.31.2.1
  src/sys/netinet/tcp_var.h                                 1.56.2.13.2.1
- -------------------------------------------------------------------------


VII. References

<URL:http://www.idefense.com/application/poi/display?id=78&type=vulnerabilities>


A.   About the Japanese Edition of FreeBSD Security Advisories

The Japanese translation is provided for reference by the FreeBSD Japanese
Documentation Project (doc-jp).  Past Japanese-edition security advisories
are collected at

 http://www.FreeBSD.org/ja/security/

Please note, however, that the translator and doc-jp make no warranty of
any kind regarding the content.  Send comments, requests, and questions
about the Japanese translation to doc-jp@jp.FreeBSD.org.

Japanese mirror sites exist for the WWW site http://www.FreeBSD.org/ and
the FTP site ftp://ftp.FreeBSD.org/ referred to in this advisory.
To ease network congestion, please consider using a mirror site first.

To use the Japanese mirror sites, replace
http://www.FreeBSD.org/ with http://www.jp.FreeBSD.org/www.freebsd.org/ and
ftp://ftp.FreeBSD.org/ with ftp://ftp.jp.FreeBSD.org/.

Details on mirror sites, including those in other regions, are collected at

 http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mirrors.html (English)
 http://www.FreeBSD.org/doc/ja_JP.eucJP/books/handbook/mirrors.html (Japanese translation)

$hrs: announce-jp/FreeBSD-SA/04:04,v 1.5 2004/03/18 17:59:26 hrs Exp $

----Next_Part(Fri_Mar_19_03_01_13_2004_247)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="04:04.diff"

Index: 04:04
===================================================================
RCS file: /home/cvs/private/hrs/announce-jp/FreeBSD-SA/04:04,v
retrieving revision 1.3
retrieving revision 1.5
diff -d -u -I\$FreeBSD:.*\$ -I\$NetBSD:.*\$ -I\$OpenBSD:.*\$ -I\$Id:.*\$ -I\$hrs:.*\$ -r1.3 -r1.5
--- 04:04	7 Mar 2004 22:35:44 -0000	1.3
+++ 04:04	18 Mar 2004 17:59:26 -0000	1.5
@@ -56,10 +56,10 @@
 
 TCP/IP $B%W%m%H%3%k%9%$!<%H$K4^$^$l$k(B TCP (Transmission Control Protocol) $B$O!"(B
 $B@\B37?$G?.Mj@-$,9b$/!"E~Ce=g$,J]B8$5$l$k%G!<%?%9%H%j!<%`%5!<%S%9$r(B
-$BDs6!$7$^$9!#(BTCP $B%9%H%j!<%`$r9=@.$9$k%M%C%H%o!<%/%Q%1%C%H(B (TCP $B%;%0%a%s%H(B) $B$,(B
-$B$P$i$P$i$N=g=x$G<u?.$5$l$?>l9g!"$=$l$i$N%Q%1%C%H$O!"%Q%1%C%H=g$N@0Ns$H(B
-$B:F9=@.$,40N;$9$k$^$G!"<u?.$5$l$?%7%9%F%`B&$N:F9=@.%-%e!<(B (reassembly
-queue) $B$K3JG<$5$l$^$9!#(B
+$BDs6!$9$k$b$N$G$9!#%7%9%F%`$,(B TCP $B%9%H%j!<%`$r9=@.$9$k%M%C%H%o!<%/%Q%1%C%H(B (TCP
+$B%;%0%a%s%H(B) $B$r$P$i$P$i$N=g=x$G<u?.$7$?>l9g!"$=$l$i$N%Q%1%C%H$O!"%Q%1%C%H=g$N(B
+$B@0Ns$H:F9=@.$,40N;$9$k$^$G!"$=$N%7%9%F%`$N:F9=@.%-%e!<(B(reassembly queue) $B$K(B
+$B3JG<$5$l$^$9!#(B
 
 
 II.  $BLdBj$N>\:Y(B - Problem Description
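Review bot: In the third added line, "(reassembly queue)" now follows the Japanese term with no space, whereas the removed text had a space before "(reassembly" and the "(TCP" gloss in the first added line keeps one; restore the space so the parenthetical English glosses are set consistently. The new wrapping also splits the "(TCP ...)" gloss across two lines, which the removed version kept on one line.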
@@ -82,10 +82,11 @@
 
 $B%j%b!<%H$N967b<T$O!"(BTCP $B$r;H$C$?%5!<%S%9(B (HTTP, SMTP, FTP $B$J$I!"(BTCP
 $B$r;H$C$?%5!<%S%9$O?tB?$/$"$j$^$9(B) $B$rDs6!$7$F$$$k%^%7%s$KBP$7$F!"(B
-$B$"$k<o$NDcB.%5!<%S%9K832967b$r$*$3$J$&$3$H$,$G$-$^$9!#(B
-$B%Q%1%C%H=g$,$P$i$P$i$N(B TCP $B%;%0%a%s%H$rB??tAw$jIU$1$k$3$H$G!"(B
-$B967b<T$O967bBP>]$N%^%7%s$NMxMQ2DG=$J%a%b%j%P%C%U%!(B (mbuf) $B$r(B
-$B$9$Y$F>CHq$5$;!"%7%9%F%`$r%/%i%C%7%e$5$;$k$3$H$,2DG=$G$9!#(B
+$B$"$k<o$NBS0hHsK0OB7?%5!<%S%9K832967b(B (low-bandwidth denial-of-service
+attack) $B$r$*$3$J$($k2DG=@-$,$"$j$^$9!#%Q%1%C%H=g$,$P$i$P$i$N(B TCP
+$B%;%0%a%s%H$rB??tAw$jIU$1$k$3$H$G!"967b<T$O967bBP>]$N%^%7%s$N(B
+$BMxMQ2DG=$J%a%b%j%P%C%U%!(B (mbuf) $B$r$9$Y$F>CHq$5$;!"%7%9%F%`$r(B
+$B%/%i%C%7%e$5$;$k$3$H$,2DG=$G$9!#(B
 
 
 IV.  $B2sHrJ}K!(B - Workaround
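Review bot: The English gloss introduced in the first added line is wrapped between "denial-of-service" and "attack)", so a text search for the full phrase "low-bandwidth denial-of-service attack" will not match this paragraph; reflow the paragraph so the parenthetical stays on a single line, as "(mbuf)" does two lines further down.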

----Next_Part(Fri_Mar_19_03_01_13_2004_247)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="04:05"

FreeBSD Security Advisory, Japanese Edition
=============================================================================
FreeBSD-SA-04:05.openssl (2004-03-17)
 * Denial-of-service vulnerability in OpenSSL
=============================================================================

 This mail is a Japanese translation of the following message, which was
 posted to announce-jp:

  Subject: ANNOUNCE: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-04:05.openssl
  From: FreeBSD Security Advisories <security-advisories@freebsd.org>
  Date: Wed, 17 Mar 2004 08:48:32 -0800
  Message-Id: <200403171648.i2HGmWu1015126@freefall.freebsd.org>
  X-Sequence: announce-jp 1218

 The original is PGP-signed, but this Japanese translation is not.
 To check the PGP signature in order to confirm that the content, such as
 the patches, has not been tampered with, refer to the original.

 For details on the Japanese translation and on using mirror sites, see
 "A. About the Japanese Edition of FreeBSD Security Advisories" at the
 end of this document.


                                     [Translator: Hiroki Sato <hrs@jp.FreeBSD.org>]
--(begins here)

=============================================================================
FreeBSD-SA-04:05.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Security weakness in OpenSSL that can cause denial of service
                (Denial-of-service vulnerability in OpenSSL)

Category:       crypto
Module:         openssl
Announced:      2004-03-17
Credits:        OpenSSL Project <URL:http://www.openssl.org>
                Codenomicon Ltd <URL:http://www.codenomicon.com>
Affects:        All FreeBSD 4.x and 5.x releases
Corrected:      2004-03-17 12:23:51 UTC (RELENG_4, 4.9-STABLE)
                2004-03-17 12:14:12 UTC (RELENG_5_2, 5.2.1-RELEASE-p3)
                2004-03-17 12:14:56 UTC (RELENG_5_1, 5.1-RELEASE-p16)
                2004-03-17 12:17:13 UTC (RELENG_4_9, 4.9-RELEASE-p4)
                2004-03-17 12:18:23 UTC (RELENG_4_8, 4.8-RELEASE-p17)
CVE Name:       CAN-2004-0079
FreeBSD only:   NO

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

For general information about FreeBSD Security Advisories, such as
explanations of the fields above, of security branches, and of the
sections below, see <URL:http://www.freebsd.org/security/>.


I.   Background

FreeBSD includes software from the OpenSSL Project.  The OpenSSL
Project is a collaborative effort to develop a robust, commercial-
grade, full-featured, and Open Source toolkit implementing the Secure
Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
protocols as well as a full-strength general purpose cryptography
library.

FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project
is a project that works collaboratively to develop a robust, fully
featured open source toolkit of commercially viable quality, which
implements Secure Sockets Layer (SSL v2/v3) and Transport Layer Security
(TLS v1) as well as a general-purpose cryptography library that supports
a wide range of cipher strengths.


II.  Problem Description

When processing an SSL/TLS ChangeCipherSpec message, OpenSSL may fail to
check that a new cipher has been previously negotiated.  This may result
in a null pointer dereference.

When processing an SSL/TLS ChangeCipherSpec message, OpenSSL does not
check whether a new cipher has been obtained through negotiation.  As a
result, it may dereference a NULL pointer.
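
The missing check described above, as an added example (not OpenSSL or
FreeBSD code): a simplified server-side model in which the handler for
ChangeCipherSpec is shown without and with a test that a cipher has been
negotiated.  The structures, function names and the cipher entry are
assumptions made for this example; the content type, handshake type and
alert numbers are the TLS protocol values.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model for illustration; these are not OpenSSL's structures. */
enum { REC_CHANGE_CIPHER_SPEC = 20, REC_HANDSHAKE = 22 }; /* TLS content types */
enum { HS_CLIENT_HELLO = 1 };                              /* handshake type */
enum { ALERT_UNEXPECTED_MESSAGE = 10 };                    /* TLS alert code */

struct cipher { const char *name; int key_bytes; };
struct record { int content_type; int hs_type; };
struct conn {
    const struct cipher *pending;  /* NULL until a cipher has been negotiated */
    const struct cipher *active;   /* cipher protecting records right now */
    int key_bytes;
};

const struct cipher demo_cipher = { "DEMO-CIPHER", 16 };   /* constructed */

/* Before: assumes negotiation always precedes ChangeCipherSpec. */
int ccs_unchecked(struct conn *c)
{
    c->key_bytes = c->pending->key_bytes;  /* NULL dereference on an early CCS */
    c->active = c->pending;
    return 0;
}

/* After: an early ChangeCipherSpec is a protocol error, not a crash. */
int ccs_checked(struct conn *c)
{
    if (c->pending == NULL)
        return ALERT_UNEXPECTED_MESSAGE;
    c->key_bytes = c->pending->key_bytes;
    c->active = c->pending;
    return 0;
}

/* Server side: returns 0, or the fatal alert to send before closing. */
int server_process(struct conn *c, const struct record *r, size_t n,
                   int (*on_ccs)(struct conn *))
{
    size_t i;
    int alert;

    for (i = 0; i < n; i++) {
        switch (r[i].content_type) {
        case REC_HANDSHAKE:
            if (r[i].hs_type == HS_CLIENT_HELLO)
                c->pending = &demo_cipher;  /* negotiation selects a cipher */
            break;
        case REC_CHANGE_CIPHER_SPEC:
            if ((alert = on_ccs(c)) != 0)
                return alert;
            break;
        default:
            return ALERT_UNEXPECTED_MESSAGE;
        }
    }
    return 0;
}

/* Constructed record sequences: a normal flow, and a CCS before any hello. */
const struct record normal_flow[] = { { REC_HANDSHAKE, HS_CLIENT_HELLO },
                                      { REC_CHANGE_CIPHER_SPEC, 0 } };
const struct record early_ccs[]   = { { REC_CHANGE_CIPHER_SPEC, 0 } };

int main(void)
{
    struct conn a = { NULL, NULL, 0 }, b = { NULL, NULL, 0 };
    printf("normal: %d\n", server_process(&a, normal_flow, 2, ccs_checked));
    printf("early CCS: %d\n", server_process(&b, early_ccs, 1, ccs_checked));
    return 0;
}
```
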


III. Impact

A remote attacker could perform a specially crafted SSL/TLS handshake
with an application that utilizes OpenSSL, triggering the null pointer
dereference and causing the application to crash.  Depending upon the
specifics of the application, this may result in an effective
denial-of-service.

A remote attacker may be able to crash an application that uses OpenSSL
by performing a specially crafted SSL/TLS handshake with it and so
triggering a NULL pointer dereference.  Depending on the type of
application, this might be abused as a means of denial of service.


IV.  Workaround

No workaround is known.

No workaround has been identified.


V.   Solution

Perform one of the following:

Please follow one of the following.

1) Upgrade your vulnerable system to 4-STABLE; or to the RELENG_5_2,
RELENG_4_9, or RELENG_4_8 security branch dated after the correction
date.

1) Upgrade the vulnerable FreeBSD system to the latest 4-STABLE branch,
   or to one of the RELENG_5_2, RELENG_4_9, or RELENG_4_8 security
   branches dated on or after the correction date.

2) To patch your present system:

2) Apply the patch to the present system.

The following patches have been verified to apply to FreeBSD 4.8,
4.9, 5.1, and 5.2 systems.

The following patch has been confirmed to be applicable to FreeBSD 4.8,
FreeBSD 4.9, FreeBSD 5.1, and FreeBSD 5.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
a) Download the patch from the location below and check the PGP
   signature using a PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:05/openssl.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:05/openssl.patch.asc

b) Execute the following commands as root:
b) Run the following commands with root privileges.

# cd /usr/src
# patch < /path/to/patch

 (Translator's note: replace /path/to/patch with the path name of the patch)

c) Recompile the operating system as described in
<URL:http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html>.

c) Rebuild the system following the procedure described at
   <URL:http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html>
   and reboot the system.

Note that any statically linked applications that are not part of the
base system (i.e. from the Ports Collection or other 3rd-party sources)
must be recompiled.

Also note that all statically linked binaries that are not included in
the base system (those compiled from the Ports Collection or from
third-party sources) must be recompiled as well.

All affected applications must be restarted for them to use the
corrected library.  Though not required, rebooting may be the easiest
way to accomplish this.

All affected applications must be restarted so that they use the updated
library.  Although it is not required, rebooting the system is probably
the easiest way to do this.


VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

The revision numbers of the files corrected in FreeBSD this time are as
follows.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/crypto/openssl/crypto/opensslv.h                        1.1.1.1.2.9
  src/crypto/openssl/ssl/s3_pkt.c                             1.1.1.1.2.7
RELENG_5_2
  src/UPDATING                                                 1.282.2.11
  src/crypto/openssl/crypto/opensslv.h                       1.1.1.14.2.1
  src/crypto/openssl/ssl/s3_pkt.c                             1.1.1.8.4.1
  src/sys/conf/newvers.sh                                       1.56.2.10
RELENG_5_1
  src/UPDATING                                                 1.251.2.18
  src/crypto/openssl/crypto/opensslv.h                       1.1.1.13.2.1
  src/crypto/openssl/ssl/s3_pkt.c                             1.1.1.8.2.1
  src/sys/conf/newvers.sh                                       1.50.2.18
RELENG_4_9
  src/UPDATING                                              1.73.2.89.2.5
  src/crypto/openssl/crypto/opensslv.h                    1.1.1.1.2.8.2.1
  src/crypto/openssl/ssl/s3_pkt.c                         1.1.1.1.2.6.4.1
  src/sys/conf/newvers.sh                                   1.44.2.32.2.5
RELENG_4_8
  src/UPDATING                                             1.73.2.80.2.20
  src/crypto/openssl/crypto/opensslv.h                    1.1.1.1.2.7.2.1
  src/crypto/openssl/ssl/s3_pkt.c                         1.1.1.1.2.6.2.1
  src/sys/conf/newvers.sh                                  1.44.2.29.2.18
- -------------------------------------------------------------------------


VII. References

<URL: http://www.openssl.org/news/secadv_20040317.txt >
<URL: http://cvs.openssl.org/chngview?cn=12033 >


A.   About the Japanese Edition of FreeBSD Security Advisories

The Japanese translation is provided for reference by the FreeBSD Japanese
Documentation Project (doc-jp).  Past Japanese-edition security advisories
are collected at

 http://www.FreeBSD.org/ja/security/

Please note, however, that the translator and doc-jp make no warranty of
any kind regarding the content.  Send comments, requests, and questions
about the Japanese translation to doc-jp@jp.FreeBSD.org.

Japanese mirror sites exist for the WWW site http://www.FreeBSD.org/ and
the FTP site ftp://ftp.FreeBSD.org/ referred to in this advisory.
To ease network congestion, please consider using a mirror site first.

To use the Japanese mirror sites, replace
http://www.FreeBSD.org/ with http://www.jp.FreeBSD.org/www.freebsd.org/ and
ftp://ftp.FreeBSD.org/ with ftp://ftp.jp.FreeBSD.org/.

Details on mirror sites, including those in other regions, are collected at

 http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mirrors.html (English)
 http://www.FreeBSD.org/doc/ja_JP.eucJP/books/handbook/mirrors.html (Japanese translation)

$hrs: announce-jp/FreeBSD-SA/04:05,v 1.2 2004/03/18 17:54:30 hrs Exp $

----Next_Part(Fri_Mar_19_03_01_13_2004_247)----

----Security_Multipart0(Fri_Mar_19_03_01_13_2004_372)--
Content-Type: application/pgp-signature
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)

iD8DBQBAWePsTyzT2CeTzy0RArQaAKC+THhi8cfmEIrj10YjuIy4mLipqQCdHs1J
F+fy3GWLq6fku0LMX2e8nh8=
=0/Wy
-----END PGP SIGNATURE-----

----Security_Multipart0(Fri_Mar_19_03_01_13_2004_372)----
