Ted Unangst | 1 Oct 00:18 2014

fix for nginx SSL session reuse

This issue also affects 5.4, 5.5 and 5.6. Patches available in the
respective directories.

5.5 patch follows.

http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/011_nginx.patch.sig

untrusted comment: signature from openbsd 5.5 base secret key
RWRGy8gxk9N93yafiuGu4x20xhAgMsmcjCmHJrYJBolmNu2NJUqcC3s+pOmCbUPPX2GxRlEIotfwpbcVG23OoCHguJSk8FZc+Qk=

OpenBSD 5.5 errata 11, Oct 1, 2014:  Fix for the SSL session reuse
vulnerability (CVE-2014-3616).

Apply patch using:

    signify -Vep /etc/signify/openbsd-55-base.pub -x 011_nginx.patch.sig -m - | \
        (cd /usr/src && patch -p0)

Then build and install nginx:

    cd /usr/src/usr.sbin/nginx
    make -f Makefile.bsd-wrapper obj
    make -f Makefile.bsd-wrapper
    make -f Makefile.bsd-wrapper install

Index: usr.sbin/nginx/src/event/ngx_event_openssl.c
===================================================================
RCS file: /cvs/src/usr.sbin/nginx/src/event/ngx_event_openssl.c,v
retrieving revision 1.12
diff -u -p -u -r1.12 ngx_event_openssl.c
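The errata above ship as signify(1) files in embedded mode (`-e`): an unauthenticated "untrusted comment:" line, a base64 blob, and then the signed message that `-m -` writes out once the signature checks. The following is an added example, not code from the announcement or from OpenBSD, that parses that layout, extracts the 8-byte key number, and performs the key-binding check signify does before any Ed25519 math: the key number in the signature must equal the one in the public key file. Ed25519 verification itself is left to `signify -V` (there is no standard-library implementation); the public key files used here are constructed with a zero key, not the real `openbsd-55-base.pub`. The two signature headers are copied from the errata 11 and errata 10 posts on this page.

```python
"""Inspect OpenBSD signify(1) signature files such as 011_nginx.patch.sig.

Added example, not code from the announcement or from OpenBSD. Layout
(per signify(1)):
  signature file: "untrusted comment: <text>\n" + base64("Ed"||keynum[8]||sig[64]) + "\n"
                  followed, in embedded (-e) mode, by the signed message
  public key file: "untrusted comment: <text>\n" + base64("Ed"||keynum[8]||pubkey[32]) + "\n"
The comment line is not covered by the signature; only the key number
binds a signature to a key. Ed25519 verification is left to signify -V.
"""
import base64
from dataclasses import dataclass

COMMENT_PREFIX = "untrusted comment: "
ALGO_TAG = b"Ed"
KEYNUM_LEN = 8
SIG_LEN = 64
PUBKEY_LEN = 32


@dataclass(frozen=True)
class SignifySig:
    comment: str
    keynum: bytes     # 8-byte key number matched against the pubkey's
    signature: bytes  # 64-byte Ed25519 signature over the message
    message: str      # embedded message, empty when not in -e mode


@dataclass(frozen=True)
class SignifyPubkey:
    comment: str
    keynum: bytes
    pubkey: bytes     # 32-byte Ed25519 public key


def _decode_blob(line: str, payload_len: int) -> tuple[bytes, bytes]:
    """Decode one blob, check tag and length, return (keynum, payload)."""
    raw = base64.b64decode(line.strip(), validate=True)
    expected = len(ALGO_TAG) + KEYNUM_LEN + payload_len
    if len(raw) != expected:
        raise ValueError(f"blob is {len(raw)} bytes, expected {expected}")
    if raw[:2] != ALGO_TAG:
        raise ValueError(f"unknown algorithm tag {raw[:2]!r}")
    return raw[2:2 + KEYNUM_LEN], raw[2 + KEYNUM_LEN:]


def _split_header(text: str) -> tuple[str, str, str]:
    """Return (comment, blob line, remainder) from a signify file."""
    parts = text.split("\n", 2)
    if len(parts) < 2 or not parts[0].startswith(COMMENT_PREFIX):
        raise ValueError("missing 'untrusted comment:' header")
    rest = parts[2] if len(parts) == 3 else ""
    return parts[0][len(COMMENT_PREFIX):], parts[1], rest


def parse_signify_sig(text: str) -> SignifySig:
    comment, blob, message = _split_header(text)
    keynum, sig = _decode_blob(blob, SIG_LEN)
    return SignifySig(comment, keynum, sig, message)


def parse_signify_pubkey(text: str) -> SignifyPubkey:
    comment, blob, _ = _split_header(text)
    keynum, key = _decode_blob(blob, PUBKEY_LEN)
    return SignifyPubkey(comment, keynum, key)


def key_matches(sig: SignifySig, pub: SignifyPubkey) -> bool:
    """The binding check signify -V performs before verifying: same key number."""
    return sig.keynum == pub.keynum


def make_pubkey_file(keynum: bytes, pubkey: bytes, comment: str) -> str:
    """Build a public key file in signify layout (constructed test keys only)."""
    blob = base64.b64encode(ALGO_TAG + keynum + pubkey).decode("ascii")
    return f"{COMMENT_PREFIX}{comment}\n{blob}\n"


def check_against_key(sig_text: str, pubkey_text: str) -> dict:
    """Summarise one signature file against one key file (structure and binding only)."""
    sig = parse_signify_sig(sig_text)
    pub = parse_signify_pubkey(pubkey_text)
    return {"keynum": sig.keynum.hex(),
            "key_matches": key_matches(sig, pub),
            "has_embedded_message": bool(sig.message.strip())}


# Signature headers as posted for errata 11 and 10 (openbsd 5.5 base key);
# the nginx one carries the first lines of its embedded errata text.
ERRATA_11_SIG = (
    "untrusted comment: signature from openbsd 5.5 base secret key\n"
    "RWRGy8gxk9N93yafiuGu4x20xhAgMsmcjCmHJrYJBolmNu2NJUqcC3s+pOmCbUPPX2GxRlEIotfwpbcVG23OoCHguJSk8FZc+Qk=\n"
    "\n"
    "OpenBSD 5.5 errata 11, Oct 1, 2014:  Fix for the SSL session reuse\n"
    "vulnerability (CVE-2014-3616).\n"
)
ERRATA_10_SIG = (
    "untrusted comment: signature from openbsd 5.5 base secret key\n"
    "RWRGy8gxk9N930/jzqCCFMfSCKMjKDSYrXSKPhnGlL2r21nCGEPw+wOEDXpQC6Zispe8gewI7duy5T76oRpvWFGyzsYxl6pWfAc=\n"
)
PAGE_SIGS = [ERRATA_11_SIG, ERRATA_10_SIG]

if __name__ == "__main__":
    sig = parse_signify_sig(ERRATA_11_SIG)
    # Constructed keys with a zero public key: NOT the real openbsd-55-base.pub.
    right_key = make_pubkey_file(sig.keynum, bytes(32), "constructed, matching keynum")
    wrong_key = make_pubkey_file(bytes(8), bytes(32), "constructed, other keynum")
    print(check_against_key(ERRATA_11_SIG, right_key))
    print(check_against_key(ERRATA_11_SIG, wrong_key))
```

Running it shows that every errata signature on this page names the same key number, which is exactly what `-p /etc/signify/openbsd-55-base.pub` is matched against; a signature produced with any other key is rejected at this step, before the Ed25519 check. The `untrusted comment:` line carries no authority, so a convincing comment on a blob signed by a different key proves nothing.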

Ted Unangst | 11 Aug 02:22 2014

openssl fixes backport

Some fixes from OpenSSL 1.0.1i have been backported to 5.5 and 5.4.

See http://www.openbsd.org/errata55.html

untrusted comment: signature from openbsd 5.5 base secret key
RWRGy8gxk9N930/jzqCCFMfSCKMjKDSYrXSKPhnGlL2r21nCGEPw+wOEDXpQC6Zispe8gewI7duy5T76oRpvWFGyzsYxl6pWfAc=

OpenBSD 5.5 errata 10, August 9, 2014:

This patch contains backported fixes for OpenSSL issues.

Refer to https://www.openssl.org/news/secadv_20140806.txt

Apply patch using:

    signify -Vep /etc/signify/openbsd-55-base.pub -x 010_openssl.patch.sig \
        -m - | (cd /usr/src && patch -p0)

Then build and install libcrypto and libssl:

    cd /usr/src/lib/libssl/crypto
    make obj
    make
    make install
    cd /usr/src/lib/libssl/ssl
    make obj
    make
    make install

Then restart services which depend on OpenSSL.

Brent Cook | 8 Aug 20:34 2014

LibreSSL 2.0.5 released

We have released LibreSSL 2.0.5, which should be arriving in the
LibreSSL directory of an OpenBSD mirror near you.

This version forward-ports security fixes from OpenSSL 1.0.1i,
including fixes for the following CVEs:

CVE-2014-3506
CVE-2014-3507
CVE-2014-3508 (partially vulnerable)
CVE-2014-3509
CVE-2014-3510
CVE-2014-3511

LibreSSL 2.0.4 was not found vulnerable to the following CVEs:

CVE-2014-5139
CVE-2014-3512
CVE-2014-3505

We welcome feedback and support from the community as we
continue to work on LibreSSL.

Thank you,
 Brent

Ted Unangst | 7 Aug 15:50 2014

dhcp reliability erratum

http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/009_dhcp.patch.sig

untrusted comment: signature from openbsd 5.5 base secret key
RWRGy8gxk9N93/QG6Y9kGPe+DHW4eR6ZbsfLTCXCXAsEwTnx4m/bIm9T9tYjw38rAbRiQWSkDgUvlmxRil/j/ML/4NCynGtfbgU=

OpenBSD 5.5 errata 9, June 30, 2014: Packets with illegal DHCP options
can lead to memory exhaustion of dhclient(8) or dhcpd(8).  This is the
second version of this patch.

Apply patch using:

    signify -Vep /etc/signify/openbsd-55-base.pub -x 009_dhcp.patch.sig \
        -m - | (cd /usr/src && patch -p0)

And then rebuild and install dhclient and dhcpd:

    cd sbin/dhclient
    make obj
    make cleandir
    make depend
    make
    make install
    cd ../../usr.sbin/dhcpd
    make obj
    make cleandir
    make depend
    make
    make install

Index: sbin/dhclient/options.c
===================================================================

Bob Beck | 4 Aug 01:36 2014

LibreSSL 2.0.4 released

We have released LibreSSL 2.0.4, which should be arriving in the
LibreSSL directory of an OpenBSD mirror near you very soon.

This version includes more portability changes, as well as other work.
Most noticeable may be the deletion of the SRP code (which has
not been enabled in any LibreSSL release).

As noted before, we welcome feedback from the broader community.

Enjoy,

-Bob

Bob Beck | 22 Jul 04:01 2014

LibreSSL 2.0.3 released


We have released an update, LibreSSL 2.0.3 - which should
be arriving in the LibreSSL directory of an OpenBSD mirror near
you very soon.

This release includes a number of portability fixes based on the
feedback we have received from the community. It also includes
some improvements to the fork detection support.

As noted before, we welcome feedback from the broader community.

Enjoy,

-Bob

Bob Beck | 16 Jul 05:40 2014

LibreSSL portable 2.0.2 released.

We have released an update, LibreSSL 2.0.2

This release addresses the Linux forking and pid wrap issue reported recently in
the press.

As noted before, we welcome feedback from the broader community.

Enjoy

-Bob

Bob Beck | 13 Jul 13:07 2014

LibreSSL 2.0.1 released

We have released an update, LibreSSL 2.0.1

This release includes a number of portability fixes based on the
initial feedback we have received from the community. This includes
among other things two new configure options to set OPENSSLDIR and
ENGINESDIR. We have removed a few hardcoded compiler options that were
problematic on some systems as well as -Werror. We have also re-synced
with the latest OpenBSD sources as a number of issues were fixed
upstream. This release also includes pkg-config support.

As noted before, we welcome feedback from the broader community.

Enjoy,

-Bob

Bob Beck | 11 Jul 20:21 2014

First release of LibreSSL portable is available.

The first release of LibreSSL portable has been released. LibreSSL
can be found in the LibreSSL directory of your favorite OpenBSD mirror.

http://ftp.openbsd.org/pub/OpenBSD/LibreSSL has it, and other mirrors
will soon.

libressl-2.0.0.tar.gz has been tested to build on various versions of
Linux, Solaris, Mac OSX, and FreeBSD.

This is intended as an initial release to allow the community to start
using and providing feedback. We will be adding support for
other platforms as time and resources permit.

As always, donations (http://www.openbsdfoundation.org/donations.html)
are appreciated to assist in our efforts.

Enjoy,

-Bob

Ted Unangst | 6 Jun 17:08 2014

openssl errata, June 5

Please note that we're having an issue with cvsync and some of the
mirrors at this time, so cvs up -rOPENBSD_5_5 may not be a reliable
way to update. Sorry about that. Please use the patches on ftp.

There is also a patch available for 5.4.

untrusted comment: signature from openbsd 5.5 base secret key
RWRGy8gxk9N939QYTQR4ilQz+ggyJYBEh6xvD6rJcSISM/QUbENAddngkyz+IjPEgoOTHunuFB0BDIYMvHVfBlUx5xCjibXJ8Ao=

OpenBSD 5.5 errata 8, June 5, 2014:

This patch contains fixes for the following issues:

CVE-2014-0195 - Buffer overflow with crafted DTLS fragments
CVE-2014-0221 - DTLS infinite recursion flaw with "Hello Request"s
CVE-2014-0224 - SSL/TLS MITM vulnerability (Early ChangeCipherSpec Attack)
CVE-2014-3470 - Anonymous ECDH denial of service (null session certs)

Other issues in https://www.openssl.org/news/secadv_20140605.txt

CVE-2010-5298 - SSL_MODE_RELEASE_BUFFERS session injection or denial of service
This issue was fixed in 004_openssl.patch.sig and subsequently in OpenSSL.

CVE-2014-0198 - SSL_MODE_RELEASE_BUFFERS NULL pointer dereference
This issue was fixed in 005_openssl.patch.sig and subsequently in OpenSSL.

Apply patch using:

    signify -Vep /etc/signify/openbsd-55-base.pub -x 008_openssl.patch.sig \
        -m - | (cd /usr/src && patch -p0)

Ted Unangst | 6 Jun 17:06 2014

sendmail erratum, June 6, 2014

Please note that we're having an issue with cvsync and some of the
mirrors at this time, so cvs up -rOPENBSD_5_5 may not be a reliable
way to update. Sorry about that. Please use the patches on ftp.

OpenBSD 5.4 is also affected.

untrusted comment: signature from openbsd 5.5 base secret key
RWRGy8gxk9N934pTioJ2iLNiNPkO7oWbSptmBgAwU7cFTb+E8QPTRyYo02PCCJS0RFJcb4TObp6JZ+fCMoCs5KSXEhjmVzVgmwk=

OpenBSD 5.5 errata 7, June 6, 2014: Sendmail was not properly closing file
descriptors before executing programs. This could enable local users to
interfere with an open SMTP connection.

Apply patch using:

    signify -Vep /etc/signify/openbsd-55-base.pub -x 007_sendmail.patch.sig \
        -m - | (cd /usr/src && patch -p0)

And then rebuild and install sendmail:

    cd gnu/usr.sbin/sendmail
    make obj
    make depend
    make
    make install

Index: gnu/usr.sbin/sendmail/sendmail/conf.c
===================================================================
RCS file: /cvs/src/gnu/usr.sbin/sendmail/sendmail/conf.c,v
retrieving revision 1.37
diff -u -p -r1.37 conf.c