- Mitigating CVE-2014-0160 on FreeBSD
- ===================================
- Vulnerable versions (http://pastebin.com/HVk5FTJc, compiled by koobs@)
- Not Vulnerable:
- FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013
- FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013
- FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)
- Vulnerable (At 8 Apr 14:22 2014 UTC):
- FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
- FreeBSD 11.0 - OpenSSL 1.0.1f 6 Jan 2014
- FreeBSD Ports - OpenSSL 1.0.1f (any port/pkg install before 7 Apr 21:46:40 2014 UTC)
- # PUT WITH_OPENSSL_PORT=yes into /etc/make.conf
- This will override the (compromised but not yet fixed) base OpenSSL version on FreeBSD 10.0 or higher.
- ===
- * IF you were using security/openssl (from ports or packages):
- # REBUILD security/openssl and everything dependent on it
- ```
- # portmaster -rf security/openssl
- ```
- OR
- ```
- # portupgrade -fr security/openssl
- ```
- # REBUILD all ports dependent on openssl but not rebuilt above
- * IF you were using OpenSSL from base instead:
- # REBUILD all services that are using OpenSSL.
- Candidates include (but are not limited to) web, mail, IRC and LDAP servers.
- * IF you were using OpenSSL from base *and* ports:
- Do everything as listed above.
- ===
- # RECREATE all private keys and certificates of all services affected
- =====================================================================
- Note: This step is required and the whole operation is moot otherwise.
- # RESTART all your servers using openssl.
- something like this might work:
- ```
- # lsof |grep ssl |awk '{print $1}' |sort |uniq |xargs -I{} service {} restart
- # lsof |grep crypto |awk '{print $1}' |sort |uniq |xargs -I{} service {} restart
- ```
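A dry-run variant of the restart pipeline above, as an added example that is not part of the original paste: it matches on the library path in lsof's NAME column instead of any line containing "ssl", and only proposes `service ... restart` for process names that correspond to an enabled rc.d script. The function names (`ssl_users`, `restart_plan`) and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Dry run: work out which services to restart from lsof output; prints only.
# Function names and sample data are constructed for this example.

# Constructed sample of `lsof` output. Mapped libraries are assumed to show
# FD "txt" (some platforms label them "mem", so both are accepted).
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
nginx     812 root  txt   VREG   0,85   430648  12345 /usr/lib/libssl.so.7
nginx     812 root  txt   VREG   0,85  2034680  12346 /lib/libcrypto.so.7
master    901 root  txt   VREG   0,85  2034680  12346 /lib/libcrypto.so.7
syslogd   455 root   5w   VREG   0,85     1024  22222 /var/log/ssl_access.log
sshd      700 root  txt   VREG   0,85  2034680  12346 /lib/libcrypto.so.7'

# Constructed sample of `service -e` output (paths of enabled rc.d scripts).
SAMPLE_ENABLED='/etc/rc.d/sshd
/etc/rc.d/syslogd
/usr/local/etc/rc.d/nginx
/usr/local/etc/rc.d/postfix'

# Read lsof output on stdin, print unique process names that map libssl or
# libcrypto. A log file or user name containing "ssl" no longer matches.
ssl_users() {
    awk 'NR > 1 && ($4 == "txt" || $4 == "mem") &&
         $NF ~ /\/lib(ssl|crypto)\.so/ { print $1 }' | sort -u
}

# $1 = lsof output, $2 = `service -e` output. Prints a restart command when
# the process name equals an enabled rc.d script name, otherwise a note.
restart_plan() {
    for c in $(printf '%s\n' "$1" | ssl_users); do
        if printf '%s\n' "$2" |
           awk -F/ -v c="$c" '$NF == c { f = 1 } END { exit !f }'; then
            echo "service $c restart"
        else
            echo "# manual: $c (no enabled rc.d script by that name)"
        fi
    done
}

# Demonstration on the constructed samples.
restart_plan "$SAMPLE_LSOF" "$SAMPLE_ENABLED"
```

On a live host, pass `"$(lsof)"` and `"$(service -e)"` as the two arguments and review the printed plan before running it. lsof truncates the COMMAND column to 9 characters by default, so long process names may land in the manual list.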