OpenSSL version string format changed

In my first OpenSolaris blog post, I explained why we decided to add some additional information into the default OpenSSL version string. In the current OpenSolaris 2008.11 release it says:
$ openssl version
OpenSSL 0.9.8a 11 Oct 2005 (+ security patches to 2007-10-13)

The part in parentheses was added by us. The date was the day of the last OpenSSL security advisory, as explained in the first blog entry mentioned above. It served fairly well in that customers got the information that the OpenSSL version shipped with Solaris was not an unpatched 0.9.8a.

The problem we realized later was that if those fixes get backported into Solaris 10 out of order, because several OpenSSL advisories were released in a short time (which happened), the date alone is not enough. So we decided to do what we had already considered when changing the version string the first time: include Common Vulnerabilities and Exposures (CVE) numbers directly in the version string. With my push into Nevada today, that happened. The version string now looks like this:

$ openssl version
OpenSSL 0.9.8a 11 Oct 2005 (+ security fixes for: CVE-2006-2937
CVE-2006-2940 CVE-2006-3738 CVE-2006-4339 CVE-2006-4343
CVE-2007-3108 CVE-2007-4995 CVE-2007-5135 CVE-2008-5077)

Note that the whole output is actually on a single line. It might seem too long, but remember that it is normally not used much. More importantly, it now contains all the relevant security information. We didn't want to insert any line breaks since we were afraid some Configure scripts that check the OpenSSL version might get confused if a one-liner turned into a multi-liner.
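A small parser for both the old (date-based) and new (CVE-list) forms of the version string, written for this post and not part of OpenSSL or Solaris. It extracts the base version the way a Configure script would, and separately answers "does this build claim a fix for CVE X?", returning None for the old format, which cannot answer that question. The sample strings are the two outputs quoted above; the function and field names are my own.

```python
import re

# Version strings exactly as quoted in this post (old and new OpenSolaris format).
OLD_STYLE = "OpenSSL 0.9.8a 11 Oct 2005 (+ security patches to 2007-10-13)"
NEW_STYLE = ("OpenSSL 0.9.8a 11 Oct 2005 (+ security fixes for: CVE-2006-2937 "
             "CVE-2006-2940 CVE-2006-3738 CVE-2006-4339 CVE-2006-4343 "
             "CVE-2007-3108 CVE-2007-4995 CVE-2007-5135 CVE-2008-5077)")

# "OpenSSL <version> <d Mon yyyy>" with an optional parenthesised vendor suffix.
_HEAD = re.compile(
    r"^OpenSSL\s+(?P<version>\S+)\s+(?P<date>\d{1,2} \w{3} \d{4})"
    r"(?:\s+\((?P<extra>[^)]*)\))?\s*$"
)
_CVE = re.compile(r"CVE-\d{4}-\d{4,}")
_PATCH_DATE = re.compile(r"security patches to (\d{4}-\d{2}-\d{2})")


def parse_openssl_version(line):
    """Split one line of `openssl version` output into its parts.

    Returns a dict with the upstream version, release date, the advisory
    date from the old format (or None) and the list of CVE ids from the
    new format (empty for the old format or plain upstream output).
    """
    m = _HEAD.match(line.strip())
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % line)
    extra = m.group("extra") or ""
    patch_date = _PATCH_DATE.search(extra)
    return {
        "version": m.group("version"),          # what a Configure script wants
        "date": m.group("date"),
        "patch_date": patch_date.group(1) if patch_date else None,
        "cves": _CVE.findall(extra),
    }


def has_fix_for(line, cve):
    """True/False if the string lists CVE fixes explicitly, None if it only
    carries an advisory date and therefore cannot answer the question."""
    info = parse_openssl_version(line)
    if not info["cves"]:
        return None
    return cve.upper() in info["cves"]


if __name__ == "__main__":
    for s in (OLD_STYLE, NEW_STYLE):
        print(parse_openssl_version(s))
    print(has_fix_for(NEW_STYLE, "CVE-2008-5077"))   # True
    print(has_fix_for(OLD_STYLE, "CVE-2008-5077"))   # None (unknown)
```

The regex deliberately stops the base version at the first whitespace, so the vendor suffix never leaks into a version comparison; that is the property the single-line format was meant to preserve for existing Configure scripts.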

It's true that we wouldn't have to do any of this if we upgraded to a current version of OpenSSL. However, OpenSSL in Solaris is currently part of the ON consolidation, and upgrading it there is quite complicated. I don't want to go into details, but the plan is to move it to the SFW consolidation soon(TM), which should make it easier for us to upgrade OpenSSL in a timely manner.

Comments:

Hope that happens soon.

Posted by Derek Wang on February 09, 2009 at 01:38 AM CET #

This went to Nevada 107, so it will be part of the next OpenSolaris release. If you need it for S10, patches should be released soon. If you need those now, please contact support.

Posted by Jan on February 11, 2009 at 04:12 AM CET #

Speaking of the patches for CVE-2008-5077 (which also deliver the version string change), there will be patches for S10 as well as OpenSolaris SRUs (Service Repository Updates). I am going to test the S10 T-patches (produced as a result of my integration of the fix to S10 gates) today so they should be out real soon (tm).

Posted by Vladimir Kotal on February 11, 2009 at 04:33 AM CET #

Is there a patch coming for CVE-2009-0590? Is Solaris 10 w/current patches vulnerable to CVE-2009-0590, 0591, or 0789?

Posted by akgr on April 20, 2009 at 12:15 PM CEST #

@akgr: As always, every vulnerability which affects Solaris will be addressed by a patch and a SunAlert will be released (do you know the cool SunAlert RSS feed, by the way? http://blogs.sun.com/security/feed/entries/rss). I am working on the fix for CVE-2009-0590 for S10u8. Solaris is not vulnerable to 0591 and 0789 (being reasonably paranoid, this makes me think about how trustworthy it is to post unauthenticated content with claims about vulnerabilities in the comments section of blog entries where everyone can post).

I should add that security-discuss-AT-opensolaris.org is probably a better forum to ask this kind of question in general. For S10, the definitive source is your support channel.

Posted by Vladimir Kotal on April 20, 2009 at 12:39 PM CEST #

About

Jan Pechanec
