Ted Unangst | 19 Oct 22:57 2014

kernexec errata Oct 20

Patches are now available to fix a localhost kernel crash reported by
Alejandro Hernandez. This issue affects 5.4, 5.5, and the forthcoming
5.6 release.

The patch for 5.5 follows.

untrusted comment: signature from openbsd 5.5 base secret key
RWRGy8gxk9N93+CyZ3HPzmlkYc+DX80XHguS4MVaRRRK53ZyfwuOFKvvKgrM6UO3yUJVfSkHRh7X6SaD17yDUck9m+kWScQy7Q0=

OpenBSD 5.5 errata 13, Oct 20, 2014:

Executable headers with an unaligned address will trigger a kernel panic.

Apply patch using:

    signify -Vep /etc/signify/openbsd-55-base.pub -x 013_kernexec.patch.sig \
        -m - | (cd /usr/src && patch -p0)

Then build and install a new kernel.

Index: sys/kern/kern_exec.c
===================================================================
RCS file: /cvs/src/sys/kern/kern_exec.c,v
retrieving revision 1.137
diff -u -p -r1.137 kern_exec.c
--- sys/kern/kern_exec.c	21 Jan 2014 01:48:44 -0000	1.137
+++ sys/kern/kern_exec.c	19 Oct 2014 16:58:19 -0000
@@ -428,10 +428,12 @@ sys_execve(struct proc *p, void *v, regi

 	vm = p->p_vmspace;

Ted Unangst | 19 Oct 22:55 2014

OpenSSL errata Oct 20

Patches are now available to fix two remotely triggerable memory leaks
in the OpenSSL libssl library. This issue affects 5.4 and 5.5. These
issues were originally fixed in forthcoming 5.6 release (it's not
affected).

The patch for 5.5 follows.

untrusted comment: signature from openbsd 5.5 base secret key
RWRGy8gxk9N93z0uERun06gnUvsfcC1KpQB7tmX6DIhpmLZG9J7BRtekstcTAujL+VXaTpreU58UMTDACvJT4LRjREzVnZWcoA0=

OpenBSD 5.5 errata 12, Oct 20, 2014

Two remotely triggerable memory leaks in OpenSSL can lead to a denial of
service in server applications.

Apply patch using:

    signify -Vep /etc/signify/openbsd-55-base.pub -x 012_openssl.patch.sig \
        -m - | (cd /usr/src && patch -p0)

Then build and install libssl

    cd /usr/src/lib/libssl/ssl
    make obj
    make
    make install

Index: lib/libssl/src/ssl/d1_srtp.c
===================================================================
RCS file: /cvs/src/lib/libssl/src/ssl/d1_srtp.c,v

Bob Beck | 16 Oct 15:15 2014

LibreSSL 2.1.1 released.

We have released LibreSSL 2.1.1 - which should be arriving in the
LibreSSL directory of an OpenBSD mirror near you very soon.

This release includes:

* Address POODLE attack by disabling SSLv3 by default
* Fix Elliptic Curve cipher selection bug
 (https://github.com/libressl-portable/portable/issues/35)

As well as continued ongoing fixes as we proactively change the
codebase to reflect modern safe programming practices. The success of
this is reflected in the fact that LibreSSL was not vulnerable to the
two memory leak issues released on "OpenSSL Tuesday" - they were in
fact initially fixed in LibreSSL.

As noted before, we welcome feedback from the broader community.

Enjoy,

-Bob

Bob Beck | 12 Oct 19:36 2014

LibreSSL 2.1.0 released.

We have released LibreSSL 2.1.0 - which should be arriving in the
LibreSSL directory of an OpenBSD mirror near you very soon.

This release continues on with further work from after OpenBSD 5.6
code freeze. Our intention is to finalize LibreSSL 2.1 with OpenBSD
5.7.

As noted before, we welcome feedback from the broader community.

Enjoy,

-Bob

Todd C. Miller | 9 Oct 13:52 2014

mailing list server downtime

The machine room that lists.openbsd.org will be undergoing maintenance
this Saturday (October 9th).  As a result, the list server will
be taken down at 5:30am MDT and brought back up in the early
afternoon.

This also affects ftp.usa.openbsd.org and anoncvs3.usa.openbsd.org
which are located in the same machine room.

 - todd

Ted Unangst | 1 Oct 00:18 2014

fix for nginx SSL session reuse

This issue also affects 5.4, 5.5 and 5.6. Patches available in the
respective directories.

5.5 patch follows.

http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/011_nginx.patch.sig

untrusted comment: signature from openbsd 5.5 base secret key
RWRGy8gxk9N93yafiuGu4x20xhAgMsmcjCmHJrYJBolmNu2NJUqcC3s+pOmCbUPPX2GxRlEIotfwpbcVG23OoCHguJSk8FZc+Qk=

OpenBSD 5.5 errata 11, Oct 1, 2014:  Fix for the SSL session reuse
vulnerability (CVE-2014-3616).

Apply patch using:

    signify -Vep /etc/signify/openbsd-55-base.pub -x 011_nginx.patch.sig -m - | \
        (cd /usr/src && patch -p0)

Then build and install nginx:

    cd /usr/src/usr.sbin/nginx
    make -f Makefile.bsd-wrapper obj
    make -f Makefile.bsd-wrapper
    make -f Makefile.bsd-wrapper install

Index: usr.sbin/nginx/src/event/ngx_event_openssl.c
===================================================================
RCS file: /cvs/src/usr.sbin/nginx/src/event/ngx_event_openssl.c,v
retrieving revision 1.12
diff -u -p -u -r1.12 ngx_event_openssl.c

Ted Unangst | 11 Aug 02:22 2014

openssl fixes backport

Some fixes from OpenSSL 1.0.1i have been backported to 5.5 and 5.4.

See http://www.openbsd.org/errata55.html

untrusted comment: signature from openbsd 5.5 base secret key
RWRGy8gxk9N930/jzqCCFMfSCKMjKDSYrXSKPhnGlL2r21nCGEPw+wOEDXpQC6Zispe8gewI7duy5T76oRpvWFGyzsYxl6pWfAc=

OpenBSD 5.5 errata 10, August 9, 2014:

This patch contains backported fixes for OpenSSL issues.

Refer to https://www.openssl.org/news/secadv_20140806.txt

Apply patch using:

    signify -Vep /etc/signify/openbsd-55-base.pub -x 010_openssl.patch.sig \
        -m - | (cd /usr/src && patch -p0)

Then build and install libcrypto and libssl

    cd /usr/src/lib/libssl/crypto
    make obj
    make
    make install
    cd /usr/src/lib/libssl/ssl
    make obj
    make
    make install

Then restart services which depend on OpenSSL.

Brent Cook | 8 Aug 20:34 2014

LibreSSL 2.0.5 released

We have released LibreSSL 2.0.5, which should be arriving in the
LibreSSL directory of an OpenBSD mirror near you.

This version forward-ports security fixes from OpenSSL 1.0.1i,
including fixes for the following CVEs:

CVE-2014-3506
CVE-2014-3507
CVE-2014-3508 (partially vulnerable)
CVE-2014-3509
CVE-2014-3510
CVE-2014-3511

LibreSSL 2.0.4 was not found vulnerable to the following CVEs:

CVE-2014-5139
CVE-2014-3512
CVE-2014-3505

We welcome feedback and support from the community as we
continue to work on LibreSSL.

Thank you,
 Brent

Ted Unangst | 7 Aug 15:50 2014

dhcp reliability erratum

http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/009_dhcp.patch.sig

untrusted comment: signature from openbsd 5.5 base secret key
RWRGy8gxk9N93/QG6Y9kGPe+DHW4eR6ZbsfLTCXCXAsEwTnx4m/bIm9T9tYjw38rAbRiQWSkDgUvlmxRil/j/ML/4NCynGtfbgU=

OpenBSD 5.5 errata 9, June 30, 2014: Packets with illegal DHCP options
can lead to memory exhaustion of dhclient(8) or dhcpd(8).  This is the
second version of this patch.

Apply patch using:

    signify -Vep /etc/signify/openbsd-55-base.pub -x 009_dhcp.patch.sig \
        -m - | (cd /usr/src && patch -p0)

And then rebuild and install dhclient and dhcpd:

    cd sbin/dhclient
    make obj
    make cleandir
    make depend
    make
    make install
    cd ../../usr.sbin/dhcpd
    make obj
    make cleandir
    make depend
    make
    make install

Index: sbin/dhclient/options.c
===================================================================

Bob Beck | 4 Aug 01:36 2014

LibreSSL 2.0.4 released

We have released LibreSSL 2.0.4, which should be arriving in the
LibreSSL directory of an OpenBSD mirror near you very soon.

This version includes more portability changes, as well as other work.
Most noticeable may be the deletion of the SRP code (which has
not been enabled in any LibreSSL release).

As noted before, we welcome feedback from the broader community.

Enjoy,

-Bob

Bob Beck | 22 Jul 04:01 2014

LibreSSL 2.0.3 released


We have released an update, LibreSSL 2.0.3 - which should
be arriving in the LibreSSL directory of an OpenBSD mirror near
you very soon.

This release includes a number of portability fixes based on the
feedback we have received from the community. It also includes
some improvements to the fork detection support.

As noted before, we welcome feedback from the broader community.

Enjoy,

-Bob
