NetBSD Security Advisory 2010-012: OpenSSL TLS extension parsing race condition

From: NetBSD Security Officer
Date: Monday, November 29, 2010 - 8:55 am

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		 NetBSD Security Advisory 2010-012
		 =================================

Topic:		OpenSSL TLS extension parsing race condition.


Version:	NetBSD-current:		source prior to November 18, 2010
		NetBSD 5.0.*:		affected
		NetBSD 5.0:		affected
		NetBSD 5.1:		affected
		NetBSD 4.0.*:		not affected
		NetBSD 4.0:		not affected
		pkgsrc:			openssl package prior to 0.9.8p

Severity:	Denial of Service and potential arbitrary code execution

Fixed:		NetBSD-current:		November 17, 2010
		NetBSD-5-0 branch:	November 19, 2010
		NetBSD-5-1 branch:	November 19, 2010
		NetBSD-5 branch:	November 19, 2010
		pkgsrc 2010Q3:		openssl-0.9.8p corrects this issue

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

A flaw has been found in the OpenSSL TLS server extension code parsing which
on affected servers can be exploited in a buffer overrun attack.
This flaw impacts neither the Apache HTTP server nor any daemon as shipped
with NetBSD.

This vulnerability has been assigned CVE-2010-3864.


Technical Details
=================

Multiple race conditions in ssl/t1_lib.c in OpenSSL, when multi-threading
and internal caching are enabled on a TLS server, might allow remote
attackers to execute arbitrary code via client data that triggers a
heap-based buffer overflow, related to (1) the TLS server name extension
and (2) elliptic curve cryptography. A binary that does not link both
against libssl and a threading library like e.g. libpthread is unlikely
to be affected.
See http://www.openssl.org/news/secadv_20101116.txt for the vulnerability
announcement from OpenSSL.


Solutions and Workarounds
=========================

- - Patch, recompile, and reinstall libssl.

  CVS branch	file							revision
  -------------	----------------					--------
  HEAD		src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c	1.2

  CVS ...
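
Added example, not part of the NetBSD advisory: a shell triage helper that applies the linkage criterion from Technical Details (a binary linked against both libssl and a threading library such as libpthread) to `ldd` output. The function names, the sample `ldd` output and its library version numbers are constructed for illustration; `ldd` does not report statically linked or dlopen()ed libraries, so the result is a first pass only.

```shell
#!/bin/sh
# Triage helper (added example): find binaries that link BOTH libssl and
# libpthread, the combination the advisory names as likely to be affected.

# classify_ldd: read `ldd` output on stdin, print both | ssl-only | none.
classify_ldd() {
    awk '
        /libssl\.so/     { ssl = 1 }
        /libpthread\.so/ { thr = 1 }
        END {
            if (ssl && thr) print "both"
            else if (ssl)   print "ssl-only"
            else            print "none"
        }'
}

# sample_ldd: constructed ldd output for a hypothetical daemon "exampled".
# $1 = "threaded" adds a libpthread line; anything else omits it.
sample_ldd() {
    printf '%s\n' '/usr/sbin/exampled:' \
        '	-lssl.5 => /usr/lib/libssl.so.5' \
        '	-lcrypto.5 => /usr/lib/libcrypto.so.5'
    if [ "$1" = "threaded" ]; then
        printf '%s\n' '	-lpthread.0 => /usr/lib/libpthread.so.0'
    fi
    printf '%s\n' '	-lc.12 => /usr/lib/libc.so.12'
}

# scan_dirs: run ldd on each executable file under the given directories
# and list those that need review. Non-ELF files yield no ldd output and
# are classified as "none".
scan_dirs() {
    for dir in "$@"; do
        find "$dir" -type f -perm -100 2>/dev/null |
        while IFS= read -r bin; do
            verdict=$(ldd "$bin" 2>/dev/null | classify_ldd)
            if [ "$verdict" = "both" ]; then
                printf 'review: %s\n' "$bin"
            fi
        done
    done
    return 0
}

# Usage: sh triage.sh /usr/pkg/sbin /usr/local/sbin
if [ "$#" -gt 0 ]; then
    scan_dirs "$@"
fi
```

A binary reported here still needs the other conditions from the advisory (a TLS server with internal caching enabled) before it is considered exposed.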