Brent Cook | 25 Mar 03:11 2015

OpenNTPD 5.7p4 released

OpenNTPD 5.7p4 has just been released. It will be available from the mirrors
listed at shortly.

OpenNTPD is a FREE, secure, and easy to use implementation of the Network Time
Protocol. It provides the ability to sync the local clock to remote NTP servers
and can act as NTP server itself, redistributing the local clock.

Changes since OpenNTPD 5.7p3
* Added support for using HTTPS time constraints to validate NTP responses.

  You can find a detailed description of the feature and how it works here:
  See the man page and example config file for configuration details.

  The libtls library, as shipped with LibreSSL 2.1.4 or later, is
  required to use the HTTPS constraint feature, though it is not
  required to use OpenNTPD.

* Workaround a bug in the Solaris adjtime call that caused the olddelta to
  never reach 0, leading to continual sync/unsync messages from ntpd.

* Workaround an overflow on systems with 32-bit time_t. This can result in a
  failure to set the time if the initial clock is set later than early 2036.
  Systems with a 32-bit time_t should upgrade well in advance of this date, but
  today this helps with systems that boot with an invalid initial time.

This marks the last release based on the OpenBSD 5.7 tree.
The next release will be OpenNTPD 5.8p1.

(Continue reading)

Brent Cook | 19 Mar 16:23 2015

LibreSSL 2.1.6 released

We have released LibreSSL 2.1.6, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.

This release primarily addresses a number of security issues in
coordination with the OpenSSL project.

  Fixes for the following issues are integrated into LibreSSL 2.1.6:

     * CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
     * CVE-2015-0287 - ASN.1 structure reuse memory corruption
     * CVE-2015-0289 - PKCS7 NULL pointer dereferences
     * CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
     * CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref

  The patch for this issue is integrated in LibreSSL 2.1.6:

     * CVE-2015-0207 - Segmentation fault in DTLSv1_listen
         LibreSSL is not vulnerable, but the fix was safe to merge.

  The following issues were addressed in earlier LibreSSL releases:

     * CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA
	  Fixed in LibreSSL 2.1.2 - reclassifed from low to high,
     * CVE-2015-0292 - Fault processing Base64 decode
          Fixed in LibreSSL 2.0.0
     * CVE-2015-1787 - Empty CKE with client auth and DHE
          Fixed in LibreSSL 2.0.1

  The following issues did not apply to LibreSSL 2.1.6:

(Continue reading)

Ted Unangst | 19 Mar 15:26 2015

libre/openssl patches available

Patches are now available to fix a variety of issues in libcrypto and libssl.

For 5.6 and the forthcoming 5.7 release:
CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
CVE-2015-0287 - ASN.1 structure reuse memory corruption
CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref
CVE-2015-0289 - PKCS7 NULL pointer dereferences

For 5.5:
CVE-2015-0286 - Apply fix from OpenSSL for ASN1_TYPE_cmp.
CVE-2015-0292 - Backport existing fix for Base64 decoding.

Several other issues did not apply or were already fixed.
Refer to

Thanks to the OpenSSL team for providing patches.

5.5 patch:

5.6 patch:

untrusted comment: signature from openbsd 5.6 base private key

OpenBSD 5.6 errata 20, March 19, 2015

Fix several crash causing defects from OpenSSL.
(Continue reading)

Ted Unangst | 18 Mar 09:06 2015

libxfont errata

Patches are now available to fix buffer overflows in libXfont. This issue
affects 5.5, 5.6, and the forthcoming 5.7 release.

For more details, refer to the advisory:

5.5 patch:

5.6 patch:

untrusted comment: signature from openbsd 5.6 base private key

OpenBSD 5.6 errata 19, March 18, 2015

More BDF file parsing issues in libXfont

Afer IOActive's Ilja van Sprundel who found a number of issues in
2014, additional testing by Alan Coopersmith and William Robinet with
the American Fuzzy Lop (afl) tool uncovered two more issues in the
parsing of BDF font files.

Apply patch using:

    signify -Vep /etc/signify/ -x 019_libxfont.patch.sig \
        -m - | (cd /usr/xenocara && patch -p0)

Then build and install a new libXfont:
(Continue reading)

Brent Cook | 17 Mar 01:54 2015

LibreSSL 2.1.5 released

We have released LibreSSL 2.1.5, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.

This release is relatively small, focused on bug fixes before 2.2.x
development begins along-side OpenBSD 5.8.

This or earlier LibreSSL releases may also address issues that are to be
revealed by The OpenSSL Project Team on the 19th of March, 2015.

The LibreSSL team is not typically apprised of OpenSSL-related security
issues in advance. We will address any previously-unknown issues that
are found to affect LibreSSL in future releases.

Issues addressed since 2.1.4:

* Fix incorrect comparison function in openssl(1) certhash command.
  Thanks to Christian Neukirchen / Void Linux.

* Windows port improvements and bug fixes.
  - Removed a dependency on libgcc in 32-bit dynamic libraries.
  - Correct a hang in openssl(1) reading from stdin on an connection.
  - Initialize winsock in openssl(1) earlier, allow 'openssl ocsp' and
    any other network-related commands to function properly.

* Reject all server DH keys smaller than 1024 bits.

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.
(Continue reading)

Ted Unangst | 11 Mar 21:43 2015

libssl patch available

When CVE-2015-0204 (RSA silently downgrades to EXPORT_RSA) was announced, 
it was labeled "Severity: Low". Our assessment at the time was that export
ciphers had already been removed prior to the release of 5.6, and that the 
fix was not worth backporting to 5.5.

Then CVE-2015-0204 was renamed the FREAK attack. Now it has a fancy name so
you know it's important.

Unfortunately, our original assessment was not entirely correct. Some of the
features exploited by FREAK were not deleted until after 5.6, although this
was not known until testing tools became available. We've corrected libssl
by backporting the necessary changes to 5.6.

The patch below includes the fix for CVE-2015-0204 as well as some other "low
severity" fixes for similar downgrade issues relating to ECDHE.

Statement regarding 5.5: SSL/TLS is hooped. There have been too many changes,
large and small, that make backporting and testing indvidual fixes difficult.
Additionally, many small fixes get overlooked.

Thanks to Florian Riehm for pointing out that 5.6 was still vulnerable to

untrusted comment: signature from openbsd 5.6 base private key

OpenBSD 5.6 errata 17, Mar 13, 2015:

(Continue reading)

Ted Unangst | 11 Mar 21:20 2015

freetype patches available

FreeType 2.5.5 contained more fixes for malformed font buffer overflows.
Thanks to David Coppa for extracting the necessary patches from the Ubuntu

Patches are available for OpenBSD 5.5 and 5.6. The forthcoming 5.7 release
already includes FreeType 2.5.5.

The 5.6 patch also includes some fixes for CJK hinting.

untrusted comment: signature from openbsd 5.6 base private key

OpenBSD 5.6 errata 18, Mar 13, 2015:

Another fix for buffer overflows in malformed fonts.

Apply patch using:

    signify -Vep /etc/signify/ -x 018_freetype.patch.sig \
        -m - | (cd /usr/xenocara && patch -p0)

Then build and install a new libfreetype:

    cd /usr/xenocara/lib/freetype
    make obj
    make build
(Continue reading)

Kenneth Westerback | 4 Mar 15:32 2015

OpenBSD Foundation GSOC 2015

The OpenBSD Foundation is pleased to announce that we have been
accepted as a mentoring organization for Google Summer of Code 2015.
As such if you are a student who qualifies to apply for GSOC, you will
be able to find us in Google's Summer of Code Application process.For
details on the application process and the relevant timelines please see

We have an ideas page which is located at

I will repeat my usual disclaimer here on behalf of the foundation -
doing anything with GSOC does *not* guarantee the result will end up
in OpenBSD or any related project. That having been said
we hope to be able to put some mentors together with students to
accomplish things that may become useful to the community at large.

.... Ken Westerback, The OpenBSD Foundation ....

Brent Cook | 4 Mar 03:29 2015

LibreSSL 2.1.4 released

We have released LibreSSL 2.1.4, which will be arriving in the LibreSSL
directory of your local OpenBSD mirror soon.

This release adds a number of new security features, makes building
privilege-separated programs simpler, and improves the libtls API.

This release also includes a binary package for convenience integrating
LibreSSL on Windows platforms, and the latest source tarball is signed
with GPG and signify for easier integration into existing build systems.

Feedback is welcome. Bugs, patches, and features requests can be
reported to tech <at> or at

As the OpenBSD 5.7 development effort comes to a close, so does the
LibreSSL 2.1.x branch. The next release will begin the 2.2.x development

User-visible features:

  * Improvements to libtls:
    - a new API for loading CA chains directly from memory instead of a
      file, allowing verification with privilege separation in a chroot
      without direct access to CA certificate files.

    - Ciphers default to TLSv1.2 with AEAD and PFS.

    - Improved error handling and message generation

    - New APIs and improved documentation
(Continue reading)

Ted Unangst | 4 Mar 01:34 2015

errata for X server infoleak

Patches are now available to fix an information leak in the XkbSetGeometry
request of X servers. For more information, see the advisory.

We experienced a slight delay getting patches out, as you can see from the
date in the patch. This is a comparatively minor issue so we didn't rush
things until correctly signed patches were available.

untrusted comment: signature from openbsd 5.6 base private key

OpenBSD 5.6 errata 16, February 20, 2015:

Information leak in the XkbSetGeometry request of X servers

Olivier Fourdan from Red Hat has discovered a protocol handling issue
in the way the X server code base handles the XkbSetGeometry request.

Apply patch using:

    signify -Vep /etc/signify/ -x 016_xserver.patch.sig \
        -m - | (cd /usr/xenocara && patch -p0)

Then build and install a new xserver:

(Continue reading)

Kenneth R Westerback | 25 Feb 18:19 2015

OpenBSD Foundation 2014/2015 News & Fund Raising

2014 was the most successful year to date for the OpenBSD Foundation.
Both in the amount of money we raised and in the support we provided
for the OpenBSD and related projects. We are extremely grateful for
the support shown by our contributers large and small.

A detailed summary of the Foundation's activities in 2014 can be seen at

But here are some highpoints.

We received $397,000 in new donations and paid out $129,000 to support the
activities of the OpenBSD and related projects.

Some of the things the $129,000 made happen were higher speed network
links to the project's machine room; new servers, UPSs, network
switches, serial consoles and network monitoring equipment for the
machine room; development machines for several developers; participation
in GSOC 2014; and hackathons in Lujbljana, Dunedin, Berlin, and

As you can see, 2014 was a very good year for the Foundation. This
can be attributed to a number of unique events. A very public
finanical crisis at the start of the year generated extensive
community support, and the releases of LibreSSL generated significant
interest and support.

But it is important for us not to rely on one time events for our
(Continue reading)