FreeBSD Security Advisories (openssl & lukemftpd)

FreeBSD LogoThe FreeBSD Team has issued 2 security warnings:


I. Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.

II. Problem Description

The EVP_VerifyFinal() function from OpenSSL is used to determine if a digital signature is valid. The SSL layer in OpenSSL uses EVP_VerifyFinal(), which in several places checks the return value incorrectly and treats verification errors as a good signature. This is only a problem for DSA and ECDSA keys.

III. Impact

For applications using OpenSSL for SSL connections, an invalid SSL certificate may be interpreted as valid. This could for example be used by an attacker to perform a man-in-the-middle attack.

Other applications which use the OpenSSL EVP API may similarly be affected.

For a workaround, solution and patch etc go here



I. Background

lukemftpd(8) is a general-purpose implementation of File Transfer Protocol (FTP) server that is shipped with the FreeBSD base system. It is not enabled in default installations but can be enabled as either an inetd(8) server,
or a standard-alone server.

A cross-site request forgery attack is a type of malicious exploit that is mainly targeted to a web browser, by tricking a user trusted by the site into visiting a specially crafted URL, which in turn executes a command which performs some privileged operations on behalf of the trusted user on the victim site.

II. Problem Description

The lukemftpd(8) server splits long commands into several requests. This may result in the server executing a command which is hidden inside another very long command.

III. Impact

This could, with a specifically crafted command, be used in a cross-site request forgery attack.

FreeBSD systems running lukemftpd(8) server could act as a point of privilege escalation in an attack against users using web browser to access trusted FTP sites.

For a workaround, solution and patch etc go here


For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit


  1. says

    Would have been nicer had they find those out Prior to 7.1-RELEASE.

    I was hoping this year 2009 would be a Bug free year for FreeBSD

Leave a Reply

Your email address will not be published. Required fields are marked *