Doug Hogan | 12 Jun 01:20 2015

LibreSSL errata

Patches are now available to fix a few issues in LibreSSL's libcrypto.

CVE-2015-1788 - Malformed ECParameters causes infinite loop
CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
CVE-2015-1792 - CMS verify infinite loop with unknown hash function

Note that CMS was already disabled in LibreSSL.

Several other issues did not apply or were already fixed and one low
severity issue is under review.  For more information, see
https://www.openssl.org/news/secadv_20150611.txt

Thanks to the OpenSSL team for providing patches.

5.7 patch:
http://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/009_openssl.patch.sig
http://www.openbsd.org/errata57.html

5.6 patch:
http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/026_openssl.patch.sig
http://www.openbsd.org/errata56.html

Gilles Chehade | 11 Jun 21:41 2015

smtpd errata

Patches are now available for 5.6 and 5.7 which fix an smtpd errata.

5.6 errata 25 and 5.7 errata 8:
Fix multiple reliability issues in smtpd:
a local user can cause smtpd to fail by writing an invalid imsg to control socket.
a local user can prevent smtpd from serving new requests by exhausting descriptors.

Links:

http://www.openbsd.org/errata56.html
http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/025_smtpd.patch.sig

http://www.openbsd.org/errata57.html
http://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/008_smtpd.patch.sig

-- 
Gilles Chehade

https://www.poolp.org                                           @poolpOrg

Brent Cook | 11 Jun 18:35 2015

LibreSSL 2.1.7 and 2.2.0 released

We have released LibreSSL 2.2.0, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.

This release is the first from the OpenBSD 5.8 development tree and
features mainly build system improvements and new OS support.

We have also released LibreSSL 2.1.7, which contains additional security
fixes.

  * AIX Support - thanks to Michael Felt

  * Cygwin Support - thanks to Corinna Vinschen

  * Refactored build macros, support packaging libtls independently.
    There are more pieces required to support building and using OpenSSL
    with libtls, but this is an initial start at providing an
    independent package for people to start hacking on.

  * Removal of OPENSSL_issetugid and all library getenv calls.
    Applications can and should no longer rely on environment variables
    for changing library behavior. OPENSSL_CONF/SSLEAY_CONF is still
    supported with the openssl(1) command.

  * libtls API and documentation additions

  * Various bug fixes and simplifications to libssl and libcrypto

  * Fixes for the following issues are integrated into LibreSSL 2.1.7
    and LibreSSL 2.2.0:
    - CVE-2015-1788 - Malformed ECParameters causes infinite loop

Miller, Vincent (Rick | 4 May 20:30 2015

Verisign Announces vBSDcon 2015

Following the success of the inaugural vBSDcon, Verisign has elected to host a second vBSDcon in Reston, Va
at the Sheraton Reston hotel the weekend of September 11, 2015.  vBSDcon is a technical conference focused
on the BSD family of operating systems including, but not limited to, FreeBSD, OpenBSD, NetBSD, and
others.  Any user, developer, engineer, or innovator involved with any of the BSD family of operating
systems will want to mark these dates.  vBSDcon will feature plenary talks, Birds of a Feather
discussions, lightning talks, and much more.  Full details are available at http://www.vBSDcon.com/.

Additionally, while vBSDcon currently does not operate an “official” call for presentations,
proposals will be accepted until June.  Anyone wishing to submit a talk is invited to do so by emailing
vBSDcon@verisign.com.  The event agenda is expected to be finalized and published in mid-June.

We look forward to seeing you September 11, 2015!

--
Vincent (Rick) Miller
Systems Engineer
vmiller@verisign.com

t: 703-948-4395  m: 703-581-3068
12061 Bluemont Way, Reston, VA  20190

http://www.vbsdcon.com
http://www.verisigninc.com

“This message (including any attachments) is intended only for the use of the individual or entity to
which it is addressed, and may contain information that is non-public, proprietary, privileged,
confidential and exempt from disclosure under applicable law or may be constituted as attorney work
product. If you are not the intended recipient, you are hereby notified that any use, dissemination,
distribution, or copying of this communication is strictly prohibited. If you have received this
message in error, notify sender immediately and delete this message immediately.”

Theo de Raadt | 1 May 07:05 2015

5.7 CDs delayed

Sorry, 5.7 CDs will be delayed because of an error at the production
plant.

We all hoped it would be resolved before release day, or at most a day
or so after.  It has dragged on.

First delay in nearly 20 years.  That is kind of crazy, isn't it.

Of course the online release is out like clockwork.

Stefan Sperling | 1 May 00:06 2015

OpenBSD 5.7 Released

May 1, 2015.

We are pleased to announce the official release of OpenBSD 5.7.
This is our 37th release on CD-ROM (and 38th via FTP/HTTP).  We remain
proud of OpenBSD's record of more than ten years with only two remote
holes in the default install.

As in our previous releases, 5.7 provides significant improvements,
including new features, in nearly all areas of the system:

 - Improved hardware support, including:
    o New xhci(4) driver for USB 3.0 host controllers.
    o New umcs(4) driver for MosChip Semiconductor 78x0 USB multiport
      serial adapters.
    o New skgpio(4) driver for Soekris net6501 GPIO and LEDs.
    o New uslhcom(4) driver for Silicon Labs CP2110 USB HID based UART.
    o New nep(4) driver for Sun Neptune 10Gb Ethernet devices.
    o New iwm(4) driver for Intel 7260, 7265, and 3160 wifi cards.
    o The rtsx(4) driver now supports RTS5227 and RTL8411B card readers.
    o The bge(4) driver now supports jumbo frames on various additional
      BCM57xx chipsets.
    o The ciss(4) driver now supports HP Gen9 Smart Array/Smart HBA
      devices.
    o The mpi(4) and mfi(4) drivers now have mpsafe interrupt handlers
      running without the big lock.
    o The ppb(4) driver now supports PCI bridges that support
      subtractive decoding (fixes PCMCIA behind the ATI SB400 PCI
      bridge), and devices with 64-bit BARs behind PCI-PCI bridges as
      seen on SPARC T5-2 systems.
    o The puc(4) driver now supports Winchiphead CH382 devices.

Philip Guenther | 30 Apr 22:38 2015

tar/pax/cpio patch available

Patches are now available for 5.6 and 5.7 which fix security issues
in the combined tar, pax, and cpio program's handling of malicious
archives, as well as archives with large pax extension headers.

Our thanks to Daniel Cegielka for reporting this.

Note that the patches for 5.6 and 5.7 have several differences, so be
sure to download the correct version.

Links:

http://www.openbsd.org/errata56.html
http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/024_tar.patch.sig

and

http://www.openbsd.org/errata57.html
http://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/007_tar.patch.sig

OpenBSD 5.7 errata 7, Apr 30, 2015:

tar/pax/cpio had multiple issues:
 * extracting a malicious archive could create files outside of the
   current directory without using pre-existing symlinks to 'escape',
   and could change the timestamps and modes on preexisting files

 * tar without -P would permit extraction of paths with ".." components

 * there was a buffer overflow in the handling of pax extension headers,

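The two path-handling problems listed in the tar/pax/cpio errata above (absolute member names, and ".." components that climb out of the extraction directory) are easy to screen for before any file is written. The following is an added example, not code from the errata or from the OpenBSD pax sources: it builds a small constructed archive in memory with one benign and three hostile member names, and partitions the members with a check that mirrors the two conditions the errata names. The archive contents and member names are constructed for illustration.

```python
import io
import posixpath
import tarfile


def is_safe_member_name(name: str) -> bool:
    """Return True if an archive member path stays inside the extraction directory.

    Two conditions, matching the errata text: the name must not be absolute,
    and it must not contain a ".." component that escapes upward.  The name is
    normalised first so that "a/../../b" is caught as well as a leading "..".
    """
    if not name or name.startswith("/"):
        return False
    # tar member names are POSIX paths: collapse "." and redundant slashes
    normalised = posixpath.normpath(name)
    # after normpath, any surviving ".." component means the path climbs out
    return ".." not in normalised.split("/")


def build_sample_archive() -> bytes:
    """Constructed sample archive (not from the errata) with benign and hostile names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in [
            "docs/readme.txt",      # benign, relative, stays in place
            "../outside.txt",       # leading ".." escapes the extraction dir
            "/absolute/path",       # absolute name, ignores the extraction dir
            "docs/../../escape",    # ".." hidden behind a benign prefix
        ]:
            data = b"x"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def partition_members(tar_bytes: bytes):
    """Split archive members into (safe, rejected) lists by name, without extracting."""
    safe, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            target = safe if is_safe_member_name(member.name) else rejected
            target.append(member.name)
    return safe, rejected


if __name__ == "__main__":
    ok, bad = partition_members(build_sample_archive())
    print("safe:", ok)
    print("rejected:", bad)
```

The check is deliberately name-based: it inspects what the archive asks for before touching the filesystem, which is the point at which an extractor without `-P` should refuse, and it says nothing about the separate symlink-following case the errata mentions.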

Philip Guenther | 30 Apr 22:38 2015

kernel patch available

Patches are now available for 5.6 and 5.7 which fix local security
issues in the kernel's handling of malformed ELF executables, which
could be used to panic the kernel or view some kernel memory.

Our thanks to Alejandro Hernandez for test cases and Maxime Villard
for providing the basis for one of the changes.

Links:

http://www.openbsd.org/errata56.html
http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/023_elf.patch.sig

and

http://www.openbsd.org/errata57.html
http://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/006_elf.patch.sig

untrusted comment: signature from openbsd 5.7 base secret key
RWSvUZXnw9gUby4OBLM0n2MCFo9TM/FWZlryKfa4mLnPMEgi87dSLa8HTEXN15Z0YumeDyfsnFVHyQHjtL6106R1LxIOtJ/6pww=

OpenBSD 5.7 errata 6, Apr 30, 2015:

Missing validity checks in the kernel ELF loader meant malformed binaries
could trigger kernel panics or view kernel memory.

Apply by doing:
    cd /usr/src
    signify -Vep /etc/signify/openbsd-57-base.pub -x 006_elf.patch.sig -m - | \
        patch -p0


Todd C. Miller | 16 Apr 17:32 2015

reminder: mailing list server downtime

The machine room that lists.openbsd.org will be undergoing maintenance
Saturday April 18th.  As a result, the list server will be taken
down at 5:30am MDT.  The current estimate is that everything will
be back up between 3-5pm MDT.

This also affects ftp.usa.openbsd.org and anoncvs3.usa.openbsd.org
which are located in the same machine room.

Todd C. Miller | 31 Mar 13:36 2015

mailing list server downtime

The machine room that lists.openbsd.org will be undergoing maintenance
Saturday April 18th.  As a result, the list server will be taken
down at 5:30am MDT and brought back up in the early afternoon.

This also affects ftp.usa.openbsd.org and anoncvs3.usa.openbsd.org
which are located in the same machine room.

 - todd

Brent Cook | 25 Mar 03:11 2015

OpenNTPD 5.7p4 released

OpenNTPD 5.7p4 has just been released. It will be available from the mirrors
listed at http://www.openntpd.org/ shortly.

OpenNTPD is a FREE, secure, and easy to use implementation of the Network Time
Protocol. It provides the ability to sync the local clock to remote NTP servers
and can act as NTP server itself, redistributing the local clock.

Changes since OpenNTPD 5.7p3
============================
* Added support for using HTTPS time constraints to validate NTP responses.

  You can find a detailed description of the feature and how it works here:
    http://marc.info/?l=openbsd-tech&m=142356166731390&w=2
  See the man page and example config file for configuration details.

  The libtls library, as shipped with LibreSSL 2.1.4 or later, is
  required to use the HTTPS constraint feature, though it is not
  required to use OpenNTPD.

* Work around a bug in the Solaris adjtime call that caused the olddelta to
  never reach 0, leading to continual sync/unsync messages from ntpd.

* Work around an overflow on systems with 32-bit time_t. This can result in a
  failure to set the time if the initial clock is set later than early 2036.
  Systems with a 32-bit time_t should upgrade well in advance of this date, but
  today this helps with systems that boot with an invalid initial time.

This marks the last release based on the OpenBSD 5.7 tree.
The next release will be OpenNTPD 5.8p1.
