Miller, Vincent (Rick) | 4 May 20:30 2015

Verisign Announces vBSDcon 2015

Following the success of the inaugural vBSDcon, Verisign has elected to host a second vBSDcon in Reston, Va
at the Sheraton Reston hotel the weekend of September 11, 2015.  vBSDcon is a technical conference focused
on the BSD family of operating systems including, but not limited to, FreeBSD, OpenBSD, NetBSD, and
others.  Any user, developer, engineer, or innovator involved with any of the BSD family of operating
systems will want to mark these dates.  vBSDcon will feature plenary talks, Birds of a Feather
discussions, lightning talks, and much more.  Full details are available at http://www.vBSDcon.com/.

Additionally, while vBSDcon currently does not operate an “official” call for presentations,
proposals will be accepted until June.  Anyone wishing to submit a talk is invited to do so by emailing
vBSDcon <at> verisign.com.  The event agenda is expected to be finalized and published in mid-June.

We look forward to seeing you September 11, 2015!

--
Vincent (Rick) Miller
Systems Engineer
vmiller <at> verisign.com

t: 703-948-4395  m: 703-581-3068
12061 Bluemont Way, Reston, VA  20190

http://www.vbsdcon.com
http://www.verisigninc.com

“This message (including any attachments) is intended only for the use of the individual or entity to
which it is addressed, and may contain information that is non-public, proprietary, privileged,
confidential and exempt from disclosure under applicable law or may be constituted as attorney work
product. If you are not the intended recipient, you are hereby notified that any use, dissemination,
distribution, or copying of this communication is strictly prohibited. If you have received this
message in error, notify sender immediately and delete this message immediately.”

Theo de Raadt | 1 May 07:05 2015

5.7 CDs delayed

Sorry, 5.7 CDs will be delayed because of an error at the production
plant.

We all hoped it would be resolved before release day, or at most a day
or so after.  It has dragged on.

First delay in nearly 20 years.  That is kind of crazy, isn't it.

Of course the online release is out like clockwork.

Stefan Sperling | 1 May 00:06 2015

OpenBSD 5.7 Released

May 1, 2015.

We are pleased to announce the official release of OpenBSD 5.7.
This is our 37th release on CD-ROM (and 38th via FTP/HTTP).  We remain
proud of OpenBSD's record of more than ten years with only two remote
holes in the default install.

As in our previous releases, 5.7 provides significant improvements,
including new features, in nearly all areas of the system:

 - Improved hardware support, including:
    o New xhci(4) driver for USB 3.0 host controllers.
    o New umcs(4) driver for MosChip Semiconductor 78x0 USB multiport
      serial adapters.
    o New skgpio(4) driver for Soekris net6501 GPIO and LEDs.
    o New uslhcom(4) driver for Silicon Labs CP2110 USB HID based UART.
    o New nep(4) driver for Sun Neptune 10Gb Ethernet devices.
    o New iwm(4) driver for Intel 7260, 7265, and 3160 wifi cards.
    o The rtsx(4) driver now supports RTS5227 and RTL8411B card readers.
    o The bge(4) driver now supports jumbo frames on various additional
      BCM57xx chipsets.
    o The ciss(4) driver now supports HP Gen9 Smart Array/Smart HBA
      devices.
    o The mpi(4) and mfi(4) drivers now have mpsafe interrupt handlers
      running without the big lock.
    o The ppb(4) driver now supports PCI bridges that support
      subtractive decoding (fixes PCMCIA behind the ATI SB400 PCI
      bridge), and devices with 64-bit BARs behind PCI-PCI bridges as
      seen on SPARC T5-2 systems.
    o The puc(4) driver now supports Winchiphead CH382 devices.

Philip Guenther | 30 Apr 22:38 2015

tar/pax/cpio patch available

Patches are now available for 5.6 and 5.7 which fix security issues
in the combined tar, pax, and cpio program's handling of malicious
archives, as well as archives with large pax extension headers.

Our thanks to Daniel Cegielka for reporting this.

Note that the patches for 5.6 and 5.7 have several differences, so be
sure to download the correct version.

Links:

http://www.openbsd.org/errata56.html
http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/024_tar.patch.sig

and

http://www.openbsd.org/errata57.html
http://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/007_tar.patch.sig

OpenBSD 5.7 errata 7, Apr 30, 2015:

tar/pax/cpio had multiple issues:
 * extracting a malicious archive could create files outside of the
   current directory without using pre-existing symlinks to 'escape',
   and could change the timestamps and modes on preexisting files

 * tar without -P would permit extraction of paths with ".." components

 * there was a buffer overflow in the handling of pax extension headers,


Philip Guenther | 30 Apr 22:38 2015

kernel patch available

Patches are now available for 5.6 and 5.7 which fix local security
issues in the kernel's handling of malformed ELF executables, which
could be used to panic the kernel or view some kernel memory.

Our thanks to Alejandro Hernandez for test cases and Maxime Villard
for providing the basis for one of the changes.

Links:

http://www.openbsd.org/errata56.html
http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/023_elf.patch.sig

and

http://www.openbsd.org/errata57.html
http://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/006_elf.patch.sig

untrusted comment: signature from openbsd 5.7 base secret key
RWSvUZXnw9gUby4OBLM0n2MCFo9TM/FWZlryKfa4mLnPMEgi87dSLa8HTEXN15Z0YumeDyfsnFVHyQHjtL6106R1LxIOtJ/6pww=

OpenBSD 5.7 errata 6, Apr 30, 2015:

Missing validity checks in the kernel ELF loader meant malformed binaries
could trigger kernel panics or view kernel memory.

Apply by doing:
    cd /usr/src
    signify -Vep /etc/signify/openbsd-57-base.pub -x 006_elf.patch.sig -m - | \
        patch -p0


Todd C. Miller | 16 Apr 17:32 2015

reminder: mailing list server downtime

The machine room that lists.openbsd.org will be undergoing maintenance
Saturday April 18th.  As a result, the list server will be taken
down at 5:30am MDT.  The current estimate is that everything will
be back up between 3-5pm MDT.

This also affects ftp.usa.openbsd.org and anoncvs3.usa.openbsd.org
which are located in the same machine room.

Todd C. Miller | 31 Mar 13:36 2015

mailing list server downtime

The machine room that lists.openbsd.org will be undergoing maintenance
Saturday April 18th.  As a result, the list server will be taken
down at 5:30am MDT and brought back up in the early afternoon.

This also affects ftp.usa.openbsd.org and anoncvs3.usa.openbsd.org
which are located in the same machine room.

 - todd

Brent Cook | 25 Mar 03:11 2015

OpenNTPD 5.7p4 released

OpenNTPD 5.7p4 has just been released. It will be available from the mirrors
listed at http://www.openntpd.org/ shortly.

OpenNTPD is a FREE, secure, and easy to use implementation of the Network Time
Protocol. It provides the ability to sync the local clock to remote NTP servers
and can act as NTP server itself, redistributing the local clock.

Changes since OpenNTPD 5.7p3
============================
* Added support for using HTTPS time constraints to validate NTP responses.

  You can find a detailed description of the feature and how it works here:
    http://marc.info/?l=openbsd-tech&m=142356166731390&w=2
  See the man page and example config file for configuration details.

  The libtls library, as shipped with LibreSSL 2.1.4 or later, is
  required to use the HTTPS constraint feature, though it is not
  required to use OpenNTPD.

* Workaround a bug in the Solaris adjtime call that caused the olddelta to
  never reach 0, leading to continual sync/unsync messages from ntpd.

* Workaround an overflow on systems with 32-bit time_t. This can result in a
  failure to set the time if the initial clock is set later than early 2036.
  Systems with a 32-bit time_t should upgrade well in advance of this date, but
  today this helps with systems that boot with an invalid initial time.

This marks the last release based on the OpenBSD 5.7 tree.
The next release will be OpenNTPD 5.8p1.


Brent Cook | 19 Mar 16:23 2015

LibreSSL 2.1.6 released

We have released LibreSSL 2.1.6, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.

This release primarily addresses a number of security issues in
coordination with the OpenSSL project.

  Fixes for the following issues are integrated into LibreSSL 2.1.6:

     * CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
     * CVE-2015-0287 - ASN.1 structure reuse memory corruption
     * CVE-2015-0289 - PKCS7 NULL pointer dereferences
     * CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
     * CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref

  The patch for this issue is integrated in LibreSSL 2.1.6:

     * CVE-2015-0207 - Segmentation fault in DTLSv1_listen
         LibreSSL is not vulnerable, but the fix was safe to merge.

  The following issues were addressed in earlier LibreSSL releases:

     * CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA
          Fixed in LibreSSL 2.1.2 - reclassified from low to high,
     * CVE-2015-0292 - Fault processing Base64 decode
          Fixed in LibreSSL 2.0.0
     * CVE-2015-1787 - Empty CKE with client auth and DHE
          Fixed in LibreSSL 2.0.1

  The following issues did not apply to LibreSSL 2.1.6:


Ted Unangst | 19 Mar 15:26 2015

libre/openssl patches available

Patches are now available to fix a variety of issues in libcrypto and libssl.

For 5.6 and the forthcoming 5.7 release:
CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
CVE-2015-0287 - ASN.1 structure reuse memory corruption
CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref
CVE-2015-0289 - PKCS7 NULL pointer dereferences

For 5.5:
CVE-2015-0286 - Apply fix from OpenSSL for ASN1_TYPE_cmp.
CVE-2015-0292 - Backport existing fix for Base64 decoding.

Several other issues did not apply or were already fixed.
Refer to https://www.openssl.org/news/secadv_20150319.txt

Thanks to the OpenSSL team for providing patches.

5.5 patch:
http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/024_openssl.patch.sig

5.6 patch:
http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/020_openssl.patch.sig

untrusted comment: signature from openbsd 5.6 base private key
RWR0EANmo9nqhs3L3uaeagbDgYSaBJ3w1MivqvATSTrquGgKHm0sNWVTudl/oumq7hVfVD+KX0LtxlkCQpA5JaPYwTO0OYHyPwE=

OpenBSD 5.6 errata 20, March 19, 2015

Fix several crash causing defects from OpenSSL.

Ted Unangst | 18 Mar 09:06 2015

libxfont errata

Patches are now available to fix buffer overflows in libXfont. This issue
affects 5.5, 5.6, and the forthcoming 5.7 release.

For more details, refer to the X.org advisory:
http://www.x.org/wiki/Development/Security/Advisory-2015-03-17/

5.5 patch:
http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/023_libxfont.patch.sig

5.6 patch:
http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/019_libxfont.patch.sig

untrusted comment: signature from openbsd 5.6 base private key
RWR0EANmo9nqhnSKDBy7WgkNZrLujusI8Qvntb9/tVW0P3tfc0eRZ37NLCk0qcu5lurRs5aKGI6y5kGCXgAGE6tos5xwEjWbiw8=

OpenBSD 5.6 errata 19, March 18, 2015

More BDF file parsing issues in libXfont

After IOActive's Ilja van Sprundel, who found a number of issues in
2014, additional testing by Alan Coopersmith and William Robinet with
the American Fuzzy Lop (afl) tool uncovered two more issues in the
parsing of BDF font files.

Apply patch using:

    signify -Vep /etc/signify/openbsd-56-base.pub -x 019_libxfont.patch.sig \
        -m - | (cd /usr/xenocara && patch -p0)

Then build and install a new libXfont: