Bob Beck | 22 Jul 04:01 2014

LibreSSL 2.0.3 released


We have released an update, LibreSSL 2.0.3 - which should
be arriving in the LibreSSL directory of an OpenBSD mirror near
you very soon.

This release includes a number of portability fixes based on the
feedback we have received from the community. It also includes
some improvements to the fork detection support.

As noted before, we welcome feedback from the broader community.

Enjoy,

-Bob

Bob Beck | 16 Jul 05:40 2014

LibreSSL portable 2.0.2 released.

We have released an update, LibreSSL 2.0.2

This release addresses the Linux forking and pid wrap issue reported recently in
the press.

As noted before, we welcome feedback from the broader community.

Enjoy

-Bob

Bob Beck | 13 Jul 13:07 2014

LibreSSL 2.0.1 released

We have released an update, LibreSSL 2.0.1

This release includes a number of portability fixes based on the
initial feedback we have received from the community. This includes,
among other things, two new configure options to set OPENSSLDIR and
ENGINESDIR. We have removed a few hardcoded compiler options that were
problematic on some systems, as well as -Werror. We have also re-synced
with the latest OpenBSD sources as a number of issues were fixed
upstream. This release also includes pkg-config support.

As noted before, we welcome feedback from the broader community.

Enjoy,

-Bob

Bob Beck | 11 Jul 20:21 2014

First release of LibreSSL portable is available.

The first release of LibreSSL portable has been released. LibreSSL
can be found in the LibreSSL directory of your favorite OpenBSD mirror.

http://ftp.openbsd.org/pub/OpenBSD/LibreSSL has it, and other mirrors
will soon.

libressl-2.0.0.tar.gz has been tested to build on various versions of
Linux, Solaris, Mac OSX, and FreeBSD.

This is intended as an initial release to allow the community to start
using and providing feedback. We will be adding support for
other platforms as time and resources permit.

As always, donations (http://www.openbsdfoundation.org/donations.html)
are appreciated to assist in our efforts.

Enjoy,

-Bob

Ted Unangst | 6 Jun 17:08 2014

openssl errata, June 5

Please note that we're having an issue with cvsync and some of the
mirrors at this time, so cvs up -rOPENBSD_5_5 may not be a reliable
way to update. Sorry about that. Please use the patches on ftp.

There is also a patch available for 5.4.

untrusted comment: signature from openbsd 5.5 base secret key
RWRGy8gxk9N939QYTQR4ilQz+ggyJYBEh6xvD6rJcSISM/QUbENAddngkyz+IjPEgoOTHunuFB0BDIYMvHVfBlUx5xCjibXJ8Ao=

OpenBSD 5.5 errata 8, June 5, 2014:

This patch contains fixes for the following issues:

CVE-2014-0195 - Buffer overflow with crafted DTLS fragments
CVE-2014-0221 - DTLS infinite recursion flaw with "Hello Request"s
CVE-2014-0224 - SSL/TLS MITM vulnerability (Early ChangeCipherSpec Attack)
CVE-2014-3470 - Anonymous ECDH denial of service (null session certs)

Other issues in https://www.openssl.org/news/secadv_20140605.txt

CVE-2010-5298 - SSL_MODE_RELEASE_BUFFERS session injection or denial of service
This issue was fixed in 004_openssl.patch.sig and subsequently in OpenSSL.

CVE-2014-0198 - SSL_MODE_RELEASE_BUFFERS NULL pointer dereference
This issue was fixed in 005_openssl.patch.sig and subsequently in OpenSSL.

Apply patch using:

    signify -Vep /etc/signify/openbsd-55-base.pub -x 008_openssl.patch.sig \
        -m - | (cd /usr/src && patch -p0)

Ted Unangst | 6 Jun 17:06 2014

sendmail erratum, June 6, 2014

Please note that we're having an issue with cvsync and some of the
mirrors at this time, so cvs up -rOPENBSD_5_5 may not be a reliable
way to update. Sorry about that. Please use the patches on ftp.

OpenBSD 5.4 is also affected.

untrusted comment: signature from openbsd 5.5 base secret key
RWRGy8gxk9N934pTioJ2iLNiNPkO7oWbSptmBgAwU7cFTb+E8QPTRyYo02PCCJS0RFJcb4TObp6JZ+fCMoCs5KSXEhjmVzVgmwk=

OpenBSD 5.5 errata 7, June 6, 2014: Sendmail was not properly closing file
descriptors before executing programs. This could enable local users to
interfere with an open SMTP connection.

Apply patch using:

    signify -Vep /etc/signify/openbsd-55-base.pub -x 007_sendmail.patch.sig \
        -m - | (cd /usr/src && patch -p0)

And then rebuild and install sendmail:

    cd gnu/usr.sbin/sendmail
    make obj
    make depend
    make
    make install

Index: gnu/usr.sbin/sendmail/sendmail/conf.c
===================================================================
RCS file: /cvs/src/gnu/usr.sbin/sendmail/sendmail/conf.c,v
retrieving revision 1.37
diff -u -p -r1.37 conf.c

Ted Unangst | 24 May 22:21 2014

X Font Service Protocol Erratum

From http://www.openbsd.org/errata55.html:

X Font Service Protocol & Font metadata file handling issues in libXfont
    CVE-2014-0209: integer overflow of allocations in font metadata file parsing
    CVE-2014-0210: unvalidated length fields when parsing xfs protocol replies
    CVE-2014-0211: integer overflows calculating memory needs for xfs replies
Please see the advisory for more information:
http://lists.x.org/archives/xorg-announce/2014-May/002431.html

Source code patch:

untrusted comment: signature from openbsd 5.5 base secret key
RWRGy8gxk9N93+eLgi55eB+q+iJdk3vT7fqMhrHUN7dUsETsdek0CEyTtx7kXq9vjF5sYa/lCtsUIEgykH7yxDmuIuNUmE3wegc=

OpenBSD 5.5 errata 6, May 24, 2014:  X Font Service Protocol
& Font metadata file handling issues in libXfont

This is revision 2 of the patch (the first version forgot to use
signify).

Apply patch using:

    signify -Vep /etc/signify/openbsd-55-base.pub -x 006_libXfont.patch.sig \
        -m - | (cd /usr/xenocara && patch -p0)

Then build and install libXfont

    cd /usr/xenocara/lib/libXfont
    make -f Makefile.bsd-wrapper obj
    make -f Makefile.bsd-wrapper build

Ted Unangst | 1 May 19:10 2014

previous errata

Starting today, we're going to try sending patches out via email
so you don't miss them.

Several previous errata have also been recently published for OpenBSD
5.4 and 5.5. We won't be mailing them out individually since they
aren't new, but you should check the web site for details.

Refer to http://www.openbsd.org/errata55.html and errata54.html.

(Also note that OpenBSD 5.3 is officially end of life and will not be
receiving any more patches.)

Bob Beck | 1 May 18:54 2014

New errata released for OpenBSD 5.4/5.5

From http://www.openbsd.org/errata55.html:

untrusted comment: signature from openbsd 5.5 base secret key
RWRGy8gxk9N9321DQnPP+9IApvSKgX2JT78ZuEZ9HWNUESOfE91CMPQIevj7Yrafs1Zc/KNELplMHCwmFTL8CBjPjuXfEG9y+gU=

OpenBSD 5.5 errata 5, May 1, 2014:  An attacker can trigger generation
of an SSL alert which could cause a null pointer dereference.

Apply patch using:

    signify -Vep /etc/signify/openbsd-55-base.pub -x 005_openssl.patch.sig \
        -m - | (cd /usr/src && patch -p0)

Then build and install libssl

    cd /usr/src/lib/libssl/ssl
    make obj
    make
    make install

Then restart services which depend on SSL.

Index: lib/libssl/src/ssl/s3_pkt.c
===================================================================
RCS file: /cvs/src/lib/libssl/src/ssl/s3_pkt.c,v
retrieving revision 1.20.4.1
retrieving revision 1.20.4.2
diff -u -p -r1.20.4.1 -r1.20.4.2
--- lib/libssl/src/ssl/s3_pkt.c	12 Apr 2014 17:01:14 -0000	1.20.4.1
+++ lib/libssl/src/ssl/s3_pkt.c	1 May 2014 14:16:35 -0000	1.20.4.2

Philip Guenther | 1 May 17:16 2014

OpenBSD 5.5 Released

May 1, 2014.

We are pleased to announce the official release of OpenBSD 5.5.
This is our 35th release on CD-ROM (and 36th via FTP).  We remain
proud of OpenBSD's record of more than ten years with only two remote
holes in the default install.

As in our previous releases, 5.5 provides significant improvements,
including new features, in nearly all areas of the system:

 - time_t is now 64 bits on all platforms.
    o From OpenBSD 5.5 onwards, OpenBSD is year 2038 ready and will run
      well beyond Tue Jan 19 03:14:07 2038 UTC.
    o The entire source tree (kernel, libraries, and userland programs)
      has been carefully and comprehensively audited to support 64-bit
      time_t.
    o Userland programs that were changed include arp(8), bgpd(8),
      calendar(1), cron(8), find(1), fsck_ffs(8), ifconfig(8), ksh(1),
      ld(1), ld.so(1), netstat(1), pfctl(8), ping(8), rtadvd(8), ssh(1),
      tar(1), tmux(1), top(1), and many others, including games!
    o Removed time_t from network, on-disk, and database formats.
    o Removed as many (time_t) casts as possible.
    o Format strings were converted to use %lld and (long long) casts.
    o Uses of timeval were converted to timespec where possible.
    o Parts of the system that could not use 64-bit time_t were converted
      to use unsigned 32-bit instead, so they are good till the year 2106.
    o Numerous ports throughout the ports tree received time_t fixes.

 - Releases and packages are now cryptographically signed with the
   signify(1) utility.
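The 64-bit time_t work described in the release notes above, as an added C example that is not OpenBSD's code: it narrows a 64-bit timestamp into the signed and unsigned 32-bit fields the notes mention (with range checks, so a value past 2038 or 2106 is rejected rather than silently wrapped) and prints a time_t with the %lld plus (long long) cast idiom. The limit macros and function names are my own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Limits of the two 32-bit field widths the release notes mention. */
#define INT32_LIMIT  2147483647LL   /* Tue Jan 19 03:14:07 2038 UTC */
#define UINT32_LIMIT 4294967295LL   /* Sun Feb  7 06:28:15 2106 UTC */

/* Narrow a 64-bit time_t to a signed 32-bit on-disk field (the pre-5.5
 * layout). Returns 0, leaving *out untouched, when the value does not fit. */
int store_signed32(long long t, int32_t *out)
{
    if (t < -INT32_LIMIT - 1 || t > INT32_LIMIT)
        return 0;
    *out = (int32_t)t;
    return 1;
}

/* Unsigned 32-bit field: the fallback the notes describe for formats that
 * could not grow to 64 bits, good until 2106 instead of 2038. */
int store_unsigned32(long long t, uint32_t *out)
{
    if (t < 0 || t > UINT32_LIMIT)
        return 0;
    *out = (uint32_t)t;
    return 1;
}

/* Calendar year of a timestamp; -1 if this platform's time_t (e.g. a 32-bit
 * one past 2038) or gmtime_r cannot represent it. */
int year_of(long long t)
{
    time_t tt = (time_t)t;
    struct tm tm;
    if ((long long)tt != t || gmtime_r(&tt, &tm) == NULL)
        return -1;
    return tm.tm_year + 1900;
}

int main(void)
{
    int32_t s; uint32_t u;
    long long t = INT32_LIMIT + 1;     /* one second past the 2038 limit */
    /* %lld with a (long long) cast is the portable way to print a time_t. */
    printf("%lld: signed32=%d unsigned32=%d year=%d\n", (long long)t,
           store_signed32(t, &s), store_unsigned32(t, &u), year_of(t));
    return 0;
}
```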

Todd C. Miller | 31 Mar 17:33 2014

Mailing list downtime: 4/5/2014

The OpenBSD mailing lists will be down on Saturday April 5 at 6am
MDT for machine room maintenance.  As long as things go well the
lists should be back before noon but they could be down as long as
6pm MDT.

This also affects ftp.usa.openbsd.org (aka ftp3.usa.openbsd.org)
and anoncvs3.usa.openbsd.org which reside in the same machine room.

 - todd
