Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl

From: Colin Percival (cperciva_at_freebsd.org)
Date: 10/11/05

    Date: Tue, 11 Oct 2005 09:26:46 -0700
    To: Ian G <iang@iang.org>
    
    

    Ian G wrote:
    > FreeBSD Security Advisories wrote:
    >> Applications which do not support SSLv2, have been configured to not
    >> permit the use of SSLv2, or do not use the SSL_OP_MSIE_SSLV2_RSA_PADDING
    >> or SSL_OP_ALL options are not affected.
    >>
    >> IV. Workaround
    >>
    >> No workaround is available.
    >
    > Isn't the workaround obviously to switch off V2?

    Disabling applications to not permit use of SSLv2 is a
    workaround. However, this is something which needs to
    be done on an application-by-application basis, and it
    is likely that there will be some applications which do
    not have any option for doing this.

    > In the phishing world - where users are being
    > exposed to losses in the billion dollar range
    > or so - we are crying out for the removal of v2.
    > Can this be done?

    SSL is supposed to negotiate the use of SSLv3 if it is
    supported by both the client and the server, so I don't
    see why disabling SSLv2 entirely would be useful aside
    from protecting against this vulnerability.

    Colin Percival