Mitigating CVE-2014-0160 on FreeBSD

a guest
Apr 8th, 2014
Vulnerable versions (http://pastebin.com/HVk5FTJc, compiled by koobs@)

Not Vulnerable:

FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013
FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013
FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)

Vulnerable (At 8 Apr 14:22 2014 UTC):

FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
FreeBSD 11.0 - OpenSSL 1.0.1f 6 Jan 2014
FreeBSD Ports - OpenSSL 1.0.1f (any port/pkg install before 7 Apr 21:46:40 2014 UTC)

# PUT WITH_OPENSSL_PORT=yes into /etc/make.conf

This will override the (compromised but not yet fixed) base OpenSSL version on FreeBSD 10.0 or higher.

===

* IF you were using security/openssl (from ports or packages):

# REBUILD security/openssl and everything dependent on it

```
# portmaster -rf security/openssl
```
OR
```
# portupgrade -fr security/openssl
```

# REBUILD all ports dependent on openssl but not rebuilt above

* IF you were using OpenSSL from base instead:

# REBUILD all services that are using OpenSSL.
Candidates: (not limited to) Web-, Mail-, IRC-, LDAP-, ... Servers

* IF you were using OpenSSL from base *and* ports:

Do everything as listed above.

===

# RECREATE all private keys and certificates of all services affected
=====================================================================
Note: This step is required and the whole operation is moot otherwise.


# RESTART all your servers using openssl.

something like this might work:
```
# lsof |grep ssl |awk '{print $1}' |sort |uniq |xargs -I{} service {} restart
# lsof |grep crypto |awk '{print $1}' |sort |uniq |xargs -I{} service {} restart
```
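
The version table and the final restart step above, written as two small shell helpers that report instead of restarting blindly. This is an added example, not part of the original paste: the function names `heartbleed_status`, `ssl_consumers` and `sample_lsof` and the lsof sample are constructed for illustration, and the affected range is generalized to OpenSSL 1.0.1 through 1.0.1f.

```sh
#!/bin/sh
# Added example, not part of the original paste.

# heartbleed_status "<output of 'openssl version'>"
# Prints vulnerable / not-vulnerable / unknown, following the paste's table.
# Assumption: the version string reflects the code actually built; a build
# that backports the fix without changing the string needs a separate check.
heartbleed_status() {
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    case "$ver" in
        # 1.0.1 through 1.0.1f, with or without a vendor suffix
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*) echo vulnerable ;;
        # fixed in 1.0.1g; the 0.9.8 branch is listed as not vulnerable
        1.0.1[g-z]*|0.9.8*)                    echo not-vulnerable ;;
        *)                                     echo unknown ;;
    esac
}

# ssl_consumers: read lsof output on stdin and print the unique command
# names of processes that have libssl or libcrypto open. These are restart
# candidates; a command name is not always the rc.d service name, so
# review the list before passing it to service(8).
ssl_consumers() {
    awk '$0 ~ /\/lib(ssl|crypto)\.so/ { print $1 }' | sort -u
}

# Constructed sample of lsof output (not captured from a real host).
sample_lsof() {
    cat <<'EOF'
COMMAND  PID USER FD  TYPE DEVICE SIZE/OFF  NODE NAME
nginx    812 www  txt VREG   0,87   430112 48211 /usr/local/lib/libssl.so.8
nginx    812 www  txt VREG   0,87  2104320 48210 /usr/local/lib/libcrypto.so.8
sshd     640 root txt VREG   0,87  1998744 12033 /lib/libcrypto.so.7
syslogd  500 root txt VREG   0,87  1573952 12001 /lib/libc.so.7
EOF
}

# Demo on the constructed data; on a live host use: lsof | ssl_consumers
heartbleed_status "OpenSSL 1.0.1e 11 Feb 2013"
sample_lsof | ssl_consumers
```

Matching on the library path rather than the bare strings `ssl` and `crypto` keeps unrelated lines, such as a file that merely has "ssl" in its name, out of the restart list.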