Ted Unangst | 17 Nov 21:20 2014

gethostbyname errata

Due to a bug in the libc asr resolver, querying an invalid hostname can
cause a crash. Patches are available for 5.5 and 5.6.

untrusted comment: signature from openbsd 5.6 base private key
RWR0EANmo9nqhl31oIXbJYtUWXNHHNzHGhJ+v2XZAAlwH5TwYDkTp2NHqjhnrJayp37glapQejDsm/LDGm1M5bnpkmHh7FGNGQ4=

OpenBSD 5.6 errata 8, Nov 17, 2014:  Querying an invalid hostname with
gethostbyname(3) could cause a NULL deref.

Apply patch using:

    signify -Vep /etc/signify/openbsd-56-base.pub -x 008_asr.patch.sig \
        -m - | (cd /usr/src && patch -p0)

Then build and install libc

    cd /usr/src/lib/libc
    make obj
    make depend
    make
    make install

Also recompile any statically-linked binaries:

    cd /usr/src/bin
    make obj
    make depend
    make
    make install

Stuart Henderson | 17 Nov 21:16 2014

pfctl errata Nov 17

Patches are now available for 5.5 and 5.6 to fix an issue with pfctl
and certain rules combining IPv4 and IPv6 addresses (in that order) with
a dynamic interface address using the "(interface)" format. The patch
for 5.6 follows.

This problem can be worked around by reversing the order of addresses
(listing IPv6 first, then IPv4).

untrusted comment: signature from openbsd 5.6 base private key
RWR0EANmo9nqhlxzEl3gBOqqoVrDRpZgSYhTqFK031hbFJ9tX84ZYqS72CcubFWty11KDc7YCvei+VSQu1PdYPo/MU/nReUdBQU=

OpenBSD 5.6 errata 7, Nov 17, 2014:  A PF rule using an IPv4 address
followed by an IPv6 address and then a dynamic address, e.g. "pass
from {192.0.2.1 2001:db8::1} to (pppoe0)", will have an incorrect /32
mask applied to the dynamic address.

Apply patch using:

    signify -Vep /etc/signify/openbsd-56-base.pub -x 007.pfctl.patch.sig \
        -m - | (cd /usr/src && patch -p0)

Then build and install pfctl:

    cd /usr/src/sbin/pfctl
    make obj
    make
    make install

Index: sbin/pfctl/parse.y
===================================================================
RCS file: /cvs/src/sbin/pfctl/parse.y,v
Florian Obser | 17 Nov 19:02 2014

relayd errata Nov 17

This patch fixes a relayd crash for the 5.6 release.

untrusted comment: signature from openbsd 5.6 base private key
RWR0EANmo9nqhgFKMGabOlUXoxAuey9xQyKcm0OULFMOSkyd3ReQHQjwA1psSBbqu1ex9j28D/nyEh6U8uj8f2oFZtXoHA7njAg=

OpenBSD 5.6 errata 6, Nov 17, 2014:  Fix for relayd crash

Apply patch using:

    signify -Vep /etc/signify/openbsd-56-base.pub -x 006_relayd.patch.sig -m - | \
        (cd /usr/src && patch -p0)

Then build and install relayd:

    cd /usr/src/usr.sbin/relayd
    make obj
    make
    make install

Index: usr.sbin/relayd/relay_http.c
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/relay_http.c,v
retrieving revision 1.32
diff -u -p -r1.32 relay_http.c
--- usr.sbin/relayd/relay_http.c	17 Jul 2014 11:35:26 -0000	1.32
+++ usr.sbin/relayd/relay_http.c	4 Nov 2014 22:24:48 -0000
@@ -291,18 +291,20 @@ relay_read_http(struct bufferevent *bev,
 				goto fail;
 			}
 			desc->http_version = strchr(desc->http_path, ' ');
Antoine Jacoutot | 1 Nov 18:21 2014

OpenBSD 5.6 Released
November 1, 2014.

We are pleased to announce the official release of OpenBSD 5.6.
This is our 36th release on CD-ROM (and 37th via FTP/HTTP).  We remain
proud of OpenBSD's record of more than ten years with only two remote
holes in the default install.

As in our previous releases, 5.6 provides significant improvements,
including new features, in nearly all areas of the system:

 - LibreSSL:
    o This release forks OpenSSL into LibreSSL, a version of the
      TLS/crypto stack with goals of modernizing the codebase, improving
      security, and applying best practice development processes.
    o No support for legacy MacOS, Netware, OS/2, VMS and Windows
      platforms, as well as antique compilers.
    o Removal of the IBM 4758, Broadcom ubsec, Sureware, Nuron, GOST,
      GMP, CSwift, CHIL, CAPI, Atalla and AEP engines, either because
      the hardware is irrelevant, or because they require external
      non-free libraries to work.
    o No support for FIPS-140 compliance.
    o No EBCDIC support.
    o No support for big-endian i386 and amd64 platforms.
    o Use standard routines from the C library (malloc, strdup,
      snprintf...) instead of rolling our own, sometimes badly.
    o Remove the old OpenSSL PRNG, and rely upon arc4random_buf from
      libc for all the entropy needs.
    o Remove the MD2 and SEED algorithms.
    o Remove J-PAKE, PSK and SRP (mis)features.
Ted Unangst | 21 Oct 20:20 2014

errata patch to disable sslv3

This patch disables the SSLv3 protocol for the forthcoming 5.6 release.

untrusted comment: signature from openbsd 5.6 base private key
RWR0EANmo9nqhqNRnZqpfGyXZORy+gN++chhlgejO0bmLmp81bJL1+Dhl3iP0bL1NnRopcGECX4QoUbsCCcnMOxkXAYeMYkmMgw=

OpenBSD 5.6 errata 5, Oct 20, 2014

This patch disables the SSLv3 protocol by default.

Applications depending on SSLv3 may need to be recompiled with
    SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3);
but we recommend against the continued use of this obsolete protocol.

Apply patch using:

    signify -Vep /etc/signify/openbsd-56-base.pub -x 005_nosslv3.patch.sig \
        -m - | (cd /usr/src && patch -p0)

Then build and install libssl

    cd /usr/src/lib/libssl/ssl
    make obj
    make
    make install

Index: lib/libssl/src/ssl/ssl_lib.c
===================================================================
RCS file: /cvs/src/lib/libssl/src/ssl/ssl_lib.c,v
retrieving revision 1.78
diff -u -p -r1.78 ssl_lib.c
Ted Unangst | 19 Oct 22:57 2014

kernexec errata Oct 20

Patches are now available to fix a localhost kernel crash reported by
Alejandro Hernandez. This issue affects 5.4, 5.5, and the forthcoming
5.6 release.

The patch for 5.5 follows.

untrusted comment: signature from openbsd 5.5 base secret key
RWRGy8gxk9N93+CyZ3HPzmlkYc+DX80XHguS4MVaRRRK53ZyfwuOFKvvKgrM6UO3yUJVfSkHRh7X6SaD17yDUck9m+kWScQy7Q0=

OpenBSD 5.5 errata 13, Oct 20, 2014:

Executable headers with an unaligned address will trigger a kernel panic.

Apply patch using:

    signify -Vep /etc/signify/openbsd-55-base.pub -x 013_kernexec.patch.sig \
        -m - | (cd /usr/src && patch -p0)

Then build and install a new kernel.

Index: sys/kern/kern_exec.c
===================================================================
RCS file: /cvs/src/sys/kern/kern_exec.c,v
retrieving revision 1.137
diff -u -p -r1.137 kern_exec.c
--- sys/kern/kern_exec.c	21 Jan 2014 01:48:44 -0000	1.137
+++ sys/kern/kern_exec.c	19 Oct 2014 16:58:19 -0000
@@ -428,10 +428,12 @@ sys_execve(struct proc *p, void *v, regi

 	vm = p->p_vmspace;
Ted Unangst | 19 Oct 22:55 2014

OpenSSL errata Oct 20

Patches are now available to fix two remotely triggerable memory leaks
in the OpenSSL libssl library. This issue affects 5.4 and 5.5. These
issues were originally fixed in forthcoming 5.6 release (it's not
affected).

The patch for 5.5 follows.

untrusted comment: signature from openbsd 5.5 base secret key
RWRGy8gxk9N93z0uERun06gnUvsfcC1KpQB7tmX6DIhpmLZG9J7BRtekstcTAujL+VXaTpreU58UMTDACvJT4LRjREzVnZWcoA0=

OpenBSD 5.5 errata 12, Oct 20, 2014

Two remotely triggerable memory leaks in OpenSSL can lead to a denial of
service in server applications.

Apply patch using:

    signify -Vep /etc/signify/openbsd-55-base.pub -x 012_openssl.patch.sig \
        -m - | (cd /usr/src && patch -p0)

Then build and install libssl

    cd /usr/src/lib/libssl/ssl
    make obj
    make
    make install

Index: lib/libssl/src/ssl/d1_srtp.c
===================================================================
RCS file: /cvs/src/lib/libssl/src/ssl/d1_srtp.c,v
Bob Beck | 16 Oct 15:15 2014

LibreSSL 2.1.1 released.

We have released LibreSSL 2.1.1 - which should be arriving in the
LibreSSL directory of an OpenBSD mirror near you very soon.

This release includes:

* Address POODLE attack by disabling SSLv3 by default
* Fix Elliptical Curve cipher selection bug
  (https://github.com/libressl-portable/portable/issues/35)

As well as continued ongoing fixes as we proactively change the
codebase to reflect modern safe programming practices. The success of
this is reflected in the fact that LibreSSL was not vulnerable to the
two memory leak issues released on "OpenSSL Tuesday" - They were in
fact initially fixed in LibreSSL.

As noted before, we welcome feedback from the broader community.

Enjoy,

-Bob

Bob Beck | 12 Oct 19:36 2014

LibreSSL 2.1.0 released.

We have released LibreSSL 2.1.0 - which should be arriving in the
LibreSSL directory of an OpenBSD mirror near you very soon.

This release continues on with further work from after OpenBSD 5.6
code freeze. Our intention is to finalize LibreSSL 2.1 with OpenBSD
5.7

As noted before, we welcome feedback from the broader community.

Enjoy,

-Bob

Todd C. Miller | 9 Oct 13:52 2014

mailing list server downtime

The machine room that lists.openbsd.org will be undergoing maintenance
this Saturday (October 9th).  As a result, the list server will
be taken down at 5:30am MDT and brought back up in the early
afternoon.

This also affects ftp.usa.openbsd.org and anoncvs3.usa.openbsd.org
which are located in the same machine room.

 - todd

Ted Unangst | 1 Oct 00:18 2014

fix for nginx SSL session reuse

This issue also affects 5.4, 5.5 and 5.6. Patches available in the
respective directories.

5.5 patch follows.

http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/011_nginx.patch.sig

untrusted comment: signature from openbsd 5.5 base secret key
RWRGy8gxk9N93yafiuGu4x20xhAgMsmcjCmHJrYJBolmNu2NJUqcC3s+pOmCbUPPX2GxRlEIotfwpbcVG23OoCHguJSk8FZc+Qk=

OpenBSD 5.5 errata 11, Oct 1, 2014:  Fix for the SSL session reuse
vulnerability (CVE-2014-3616).

Apply patch using:

    signify -Vep /etc/signify/openbsd-55-base.pub -x 011_nginx.patch.sig -m - | \
        (cd /usr/src && patch -p0)

Then build and install nginx:

    cd /usr/src/usr.sbin/nginx
    make -f Makefile.bsd-wrapper obj 
    make -f Makefile.bsd-wrapper
    make -f Makefile.bsd-wrapper install

Index: usr.sbin/nginx/src/event/ngx_event_openssl.c
===================================================================
RCS file: /cvs/src/usr.sbin/nginx/src/event/ngx_event_openssl.c,v
retrieving revision 1.12
diff -u -p -u -r1.12 ngx_event_openssl.c