Ted Unangst | 10 Dec 21:36 2014

three December 10 errata

Three new errata to announce.

Malicious DNS servers could cause a denial of service with an endless
series of delegations. This affects named (BIND) and unbound. There is
a patch for unbound in 5.6. (unbound wasn't built in 5.5.) We don't have
patches for BIND at this time.

Missing memory barriers (and other bugs) made virtio devices unreliable.
Patches available for 5.5 and 5.6.

Lots and lots of security bugs in the X server have finally been fixed.
Patches are available for 5.5 and 5.6.

For 5.6: http://www.openbsd.org/errata56.html

For 5.5: http://www.openbsd.org/errata55.html
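The unbound/BIND item above describes a denial of service through an endless chain of delegations. As an added example, not code from unbound, BIND or OpenBSD, here is a toy iterative resolver over a constructed in-memory "network" of authoritative servers, where one zone keeps referring the resolver around in a cycle. The fix shown is a per-query delegation budget (MAX_DELEGATIONS is an assumed value); without the check the loop in resolve() would never terminate for the malicious zone.

```c
/* Added example (not unbound/BIND code): bounded referral chasing.
 * All zone data below is constructed for the example. */
#include <stdio.h>
#include <string.h>

#define MAX_DELEGATIONS 8   /* assumed per-query referral budget */

enum rtype { R_ANSWER, R_REFERRAL, R_NXDOMAIN };

/* one simulated authoritative response: querying `server` for `qname`
 * yields an answer, a referral to another server, or NXDOMAIN */
struct fake_resp {
    const char *server;
    const char *qname;
    enum rtype  type;
    const char *target;   /* answer text, or the next server for a referral */
};

/* example.test answers normally; evil.test delegates in a cycle forever */
static const struct fake_resp zone_data[] = {
    { "root",            "www.example.test", R_REFERRAL, "ns.example.test" },
    { "ns.example.test", "www.example.test", R_ANSWER,   "192.0.2.10" },
    { "root",            "www.evil.test",    R_REFERRAL, "ns1.evil.test" },
    { "ns1.evil.test",   "www.evil.test",    R_REFERRAL, "ns2.evil.test" },
    { "ns2.evil.test",   "www.evil.test",    R_REFERRAL, "ns3.evil.test" },
    { "ns3.evil.test",   "www.evil.test",    R_REFERRAL, "ns1.evil.test" },
};

static const struct fake_resp *query(const char *server, const char *qname)
{
    size_t i;
    for (i = 0; i < sizeof zone_data / sizeof zone_data[0]; i++)
        if (strcmp(zone_data[i].server, server) == 0 &&
            strcmp(zone_data[i].qname, qname) == 0)
            return &zone_data[i];
    return NULL;    /* unknown name: treated like NXDOMAIN */
}

/* Resolve from the root. Returns the number of referrals followed (answer
 * copied to out), -1 for NXDOMAIN, -2 when the delegation budget is spent
 * (a real resolver would return SERVFAIL here instead of spinning). */
int resolve(const char *qname, char *out, size_t outlen)
{
    const char *server = "root";
    int hops = 0;

    for (;;) {
        const struct fake_resp *r = query(server, qname);
        if (r == NULL || r->type == R_NXDOMAIN)
            return -1;
        if (r->type == R_ANSWER) {
            snprintf(out, outlen, "%s", r->target);
            return hops;
        }
        /* referral: the budget check is the whole fix */
        if (++hops > MAX_DELEGATIONS)
            return -2;
        server = r->target;
    }
}

/* thin wrappers keeping the last answer, so results are easy to check */
static char g_answer[64];

int resolve_hops(const char *qname)
{
    g_answer[0] = '\0';
    return resolve(qname, g_answer, sizeof g_answer);
}

const char *resolve_last_answer(void)
{
    return g_answer;
}

int main(void)
{
    int n = resolve_hops("www.example.test");
    printf("www.example.test -> %s after %d referral(s)\n", resolve_last_answer(), n);
    n = resolve_hops("www.evil.test");
    printf("www.evil.test -> %s\n", n == -2 ? "SERVFAIL (delegation limit hit)" : "?");
    return 0;
}
```

The budget is deliberately counted per query rather than per server, since a malicious operator controls arbitrarily many server names; real resolvers additionally bound total work (queries sent, time spent) per client request.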

Brent Cook | 9 Dec 02:43 2014

LibreSSL 2.1.2 released

We have released LibreSSL 2.1.2, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.

This release greatly improves performance, interoperability and portability,
while continuing to be easy to build and integrate into your software projects.

This release includes:

 * Two important cipher suites, GOST and Camellia, have been reworked or
   reenabled, providing better interoperability with systems around the world.

 * A preview version of the libtls library, a modern and simplified interface
   for secure client and server communications, is now packaged and can be
   built optionally for testing. Feedback welcome.

 * Initial support for Microsoft Windows 32-bit and 64-bit flavors
   has been added for mingw-w64 targets. This can be used to generate native
   libraries that are usable in other Windows development environments as

 * Assembly acceleration of various algorithms for ELF (Linux, BSD, Solaris)
   and OS X systems are enabled for x86_64 CPUs. More optimizations may be
   enabled in later releases. These optimizations are disabled with the
   --disable-asm configure flag.

 * The arc4random_buf(3) calls on FreeBSD and OS X are now replaced with
   the OpenBSD versions. This fixes current problems with seeding and fork
   safety until these OSes' built-in implementations can be improved.
   See these code commits for details:

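The fork-safety point in the release note above deserves a worked illustration. The following is an added example written for this page; it is not LibreSSL's or OpenBSD's arc4random code. OpenBSD keeps the generator state in a mapping marked MAP_INHERIT_ZERO so a forked child sees zeroed state and reseeds; Linux offers the same idea as madvise(MADV_WIPEONFORK) (kernel 4.14 and later), which this example uses, with a getpid() comparison as an assumed fallback on kernels that reject the advice. The generator is a toy (SplitMix64 seeded from /dev/urandom), not ChaCha20: the point is the state handling, not the cipher. The naive variant beside it shows the failure the note describes, parent and child emitting the same stream after fork().

```c
/* Added example (not LibreSSL/OpenBSD code): fork-safe vs naive RNG state. */
#define _GNU_SOURCE 1
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/wait.h>

#ifndef MADV_WIPEONFORK
#define MADV_WIPEONFORK 18        /* Linux 4.14+; value from the kernel headers */
#endif

struct rng_state {
    uint64_t seeded;   /* zero after a wipe-on-fork, which forces a reseed */
    uint64_t s;        /* toy SplitMix64 state standing in for the cipher state */
    pid_t    pid;      /* assumed fallback fork detector if madvise() is refused */
};

static struct rng_state *st;      /* own mapping, so the kernel can wipe it */
static int wipeonfork_ok;

static int read_entropy(uint64_t *out)
{
    int fd = open("/dev/urandom", O_RDONLY);
    ssize_t n;
    if (fd < 0)
        return -1;
    n = read(fd, out, sizeof *out);
    close(fd);
    return n == (ssize_t)sizeof *out ? 0 : -1;
}

static uint64_t splitmix_next(uint64_t *s)
{
    uint64_t z = (*s += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

static void fill(uint64_t *s, unsigned char *p, size_t len)
{
    while (len > 0) {
        uint64_t v = splitmix_next(s);
        size_t n = len < sizeof v ? len : sizeof v;
        memcpy(p, &v, n);
        p += n;
        len -= n;
    }
}

/* Fork-safe: reseed on first use, after a wipe, or (fallback) when the pid changed. */
int rng_buf(void *buf, size_t len)
{
    if (st == NULL) {
        st = mmap(NULL, sizeof *st, PROT_READ | PROT_WRITE,
                  MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (st == MAP_FAILED) {
            st = NULL;
            return -1;
        }
        wipeonfork_ok = (madvise(st, sizeof *st, MADV_WIPEONFORK) == 0);
    }
    if (!st->seeded || (!wipeonfork_ok && st->pid != getpid())) {
        if (read_entropy(&st->s) < 0)
            return -1;
        st->pid = getpid();
        st->seeded = 1;
    }
    fill(&st->s, buf, len);
    return 0;
}

/* Naive: plain static state, seeded once, never notices fork(). */
int rng_buf_naive(void *buf, size_t len)
{
    static uint64_t s;
    static int seeded;
    if (!seeded) {
        if (read_entropy(&s) < 0)
            return -1;
        seeded = 1;
    }
    fill(&s, buf, len);
    return 0;
}

/* Seed, fork, draw 16 bytes on each side: 1 if the streams differ, 0 if identical, -1 on error. */
int fork_streams_differ(int fork_safe)
{
    int (*gen)(void *, size_t) = fork_safe ? rng_buf : rng_buf_naive;
    unsigned char warm[16], mine[16], theirs[16];
    int fds[2];
    pid_t pid;
    if (gen(warm, sizeof warm) < 0 || pipe(fds) < 0)   /* seed before forking */
        return -1;
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        if (gen(theirs, sizeof theirs) < 0 ||
            write(fds[1], theirs, sizeof theirs) != (ssize_t)sizeof theirs)
            _exit(1);
        _exit(0);
    }
    close(fds[1]);
    if (read(fds[0], theirs, sizeof theirs) != (ssize_t)sizeof theirs)
        return -1;
    close(fds[0]);
    waitpid(pid, NULL, 0);
    if (gen(mine, sizeof mine) < 0)
        return -1;
    return memcmp(mine, theirs, sizeof mine) != 0;
}
```

fork_streams_differ(1) returns 1 because the child's state is wiped (or its pid no longer matches) and it reseeds; fork_streams_differ(0) returns 0 because the static state is copied verbatim into the child, so both processes continue the same stream. A pid check alone is the weaker mechanism (pids wrap), which is why the kernel-assisted wipe is preferred where available.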

Ted Unangst | 5 Dec 04:15 2014

two new kernel errata

Patches are now available for 5.5 and 5.6 which fix two kernel errata.

5.5 errata 16 and 5.6 errata 10:
Several bugs were fixed that allowed a crash from remote when an active
pipex session exists.

5.5 errata 17 and 5.6 errata 11:
An incorrect memcpy call would result in corrupted MAC addresses when
using PPPOE.

Users who don't use PPPOE or PIPEX are not affected, but can
still apply the patches.

Reyk Floeter | 19 Nov 20:59 2014

httpd errata

Many people want to test the new httpd in OpenBSD 5.6; so we decided
to provide various improvements from -current for 5.6.
See the description below for more details.

untrusted comment: signature from openbsd 5.6 base private key

OpenBSD 5.6 errata 9, Nov 18, 2014:  httpd was developed very rapidly
in the weeks before 5.6 release, and it has a few flaws.  It would be
nice to get these flaws fully remediated before the next release, and
that requires the community to want to use it.  Therefore here is a
"jumbo" patch that brings in the most important fixes.

Apply patch using:

    signify -Vep /etc/signify/openbsd-56-base.pub -x 009_httpd.patch.sig \
        -m - | (cd /usr/src && patch -p0)

Then build and install httpd:

    cd /usr/src/usr.sbin/httpd
    make obj
    make install

Index: usr.sbin/httpd/config.c
RCS file: /cvs/src/usr.sbin/httpd/config.c,v
retrieving revision 1.21

Ted Unangst | 17 Nov 21:20 2014

gethostbyname errata

Due to a bug in the libc asr resolver, querying an invalid hostname can
cause a crash. Patches are available for 5.5 and 5.6.

untrusted comment: signature from openbsd 5.6 base private key

OpenBSD 5.6 errata 8, Nov 17, 2014:  Querying an invalid hostname with
gethostbyname(3) could cause a NULL deref.

Apply patch using:

    signify -Vep /etc/signify/openbsd-56-base.pub -x 008_asr.patch.sig \
        -m - | (cd /usr/src && patch -p0)

Then build and install libc

    cd /usr/src/lib/libc
    make obj
    make depend
    make install

Also recompile any statically-linked binaries:

    cd /usr/src/bin
    make obj
    make depend
    make install

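The asr erratum above is fixed in libc, and applying the patch is the remedy. As a caller-side complement, here is an added example (not OpenBSD libc code) of the check a service that resolves attacker-supplied names should do anyway: validate the hostname against RFC 1123 host syntax (labels of 1 to 63 characters from [A-Za-z0-9-], no leading or trailing hyphen, at most 253 characters, optional trailing dot) before it reaches gethostbyname(3). The error codes and the safe_gethostbyname() wrapper are this example's own naming.

```c
/* Added example (not OpenBSD code): reject malformed hostnames before the
 * resolver sees them. Defense in depth, not a substitute for the patch. */
#include <string.h>
#include <ctype.h>
#include <netdb.h>

enum host_err {
    HOST_OK = 0, HOST_EMPTY, HOST_TOO_LONG, HOST_BAD_CHAR,
    HOST_EMPTY_LABEL, HOST_LABEL_TOO_LONG, HOST_BAD_HYPHEN
};

enum host_err check_hostname(const char *h)
{
    size_t len, i, label = 0;

    if (h == NULL || *h == '\0')
        return HOST_EMPTY;
    len = strlen(h);
    if (h[len - 1] == '.')          /* allow one trailing dot (FQDN form) */
        len--;
    if (len == 0)
        return HOST_EMPTY_LABEL;    /* "." alone */
    if (len > 253)
        return HOST_TOO_LONG;

    /* walk the labels; a virtual '.' at i == len closes the last one */
    for (i = 0; i <= len; i++) {
        unsigned char c = (i < len) ? (unsigned char)h[i] : '.';
        if (c == '.') {
            if (label == 0)
                return HOST_EMPTY_LABEL;    /* ".a" or "a..b" */
            if (h[i - 1] == '-')
                return HOST_BAD_HYPHEN;     /* label ends with '-' */
            label = 0;
            continue;
        }
        if (!(isalnum(c) || c == '-'))
            return HOST_BAD_CHAR;           /* spaces, '_', control bytes, ... */
        if (label == 0 && c == '-')
            return HOST_BAD_HYPHEN;         /* label starts with '-' */
        if (++label > 63)
            return HOST_LABEL_TOO_LONG;
    }
    return HOST_OK;
}

/* Only syntactically valid names are handed to the libc resolver. */
struct hostent *safe_gethostbyname(const char *h)
{
    if (check_hostname(h) != HOST_OK)
        return NULL;
    return gethostbyname(h);
}
```

Numeric addresses are accepted by this check (digits and dots are valid label characters), so callers that want to forbid literal IPs need a separate test; the check is purely about keeping out names the resolver was never meant to parse.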

Stuart Henderson | 17 Nov 21:16 2014

pfctl errata Nov 17

Patches are now available for 5.5 and 5.6 to fix an issue with pfctl
and certain rules combining IPv4 and IPv6 addresses (in that order) with
a dynamic interface address using the "(interface)" format. The patch
for 5.6 follows.

This problem can be worked around by reversing the order of addresses
(listing IPv6 first, then IPv4).

untrusted comment: signature from openbsd 5.6 base private key

OpenBSD 5.6 errata 7, Nov 17, 2014:  A PF rule using an IPv4 address
followed by an IPv6 address and then a dynamic address, e.g. "pass
from { 2001:db8::1} to (pppoe0)", will have an incorrect /32
mask applied to the dynamic address.

Apply patch using:

    signify -Vep /etc/signify/openbsd-56-base.pub -x 007.pfctl.patch.sig \
        -m - | (cd /usr/src && patch -p0)

Then build and install pfctl:
    cd /usr/src/sbin/pfctl
    make obj
    make install

Index: sbin/pfctl/parse.y
RCS file: /cvs/src/sbin/pfctl/parse.y,v

Florian Obser | 17 Nov 19:02 2014

relayd errata Nov 17

This patch fixes a relayd crash for the 5.6 release.

untrusted comment: signature from openbsd 5.6 base private key

OpenBSD 5.6 errata 6, Nov 17, 2014:  Fix for relayd crash

Apply patch using:

    signify -Vep /etc/signify/openbsd-56-base.pub -x 006_relayd.patch.sig -m - | \
        (cd /usr/src && patch -p0)

Then build and install relayd:

    cd /usr/src/usr.sbin/relayd
    make obj
    make install

Index: usr.sbin/relayd/relay_http.c
RCS file: /cvs/src/usr.sbin/relayd/relay_http.c,v
retrieving revision 1.32
diff -u -p -r1.32 relay_http.c
--- usr.sbin/relayd/relay_http.c	17 Jul 2014 11:35:26 -0000	1.32
+++ usr.sbin/relayd/relay_http.c	4 Nov 2014 22:24:48 -0000
 <at>  <at>  -291,18 +291,20  <at>  <at>  relay_read_http(struct bufferevent *bev,
 				goto fail;
 			desc->http_version = strchr(desc->http_path, ' ');
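Review bot: the visible context ends at `desc->http_version = strchr(desc->http_path, ' ');`, and strchr() returns NULL when the request line contains no further space; the hunk header (-291,18 +291,20) shows two lines added, but this excerpt is cut off before them, so confirm that the added lines test http_version for NULL before it is dereferenced or handed to the string helpers that follow.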

Antoine Jacoutot | 1 Nov 18:21 2014

OpenBSD 5.6 Released

November 1, 2014.

We are pleased to announce the official release of OpenBSD 5.6.
This is our 36th release on CD-ROM (and 37th via FTP/HTTP).  We remain
proud of OpenBSD's record of more than ten years with only two remote
holes in the default install.

As in our previous releases, 5.6 provides significant improvements,
including new features, in nearly all areas of the system:

 - LibreSSL:
    o This release forks OpenSSL into LibreSSL, a version of the
      TLS/crypto stack with goals of modernizing the codebase, improving
      security, and applying best practice development processes.
    o No support for legacy MacOS, Netware, OS/2, VMS and Windows
      platforms, as well as antique compilers.
    o Removal of the IBM 4758, Broadcom ubsec, Sureware, Nuron, GOST,
      GMP, CSwift, CHIL, CAPI, Atalla and AEP engines, either because
      the hardware is irrelevant, or because they require external
      non-free libraries to work.
    o No support for FIPS-140 compliance.
    o No EBCDIC support.
    o No support for big-endian i386 and amd64 platforms.
    o Use standard routines from the C library (malloc, strdup,
      snprintf...) instead of rolling our own, sometimes badly.
    o Remove the old OpenSSL PRNG, and rely upon arc4random_buf from
      libc for all the entropy needs.
    o Remove the MD2 and SEED algorithms.
    o Remove J-PAKE, PSK and SRP (mis)features.

Ted Unangst | 21 Oct 20:20 2014

errata patch to disable sslv3

This patch disables the SSLv3 protocol for the forthcoming 5.6 release.

untrusted comment: signature from openbsd 5.6 base private key

OpenBSD 5.6 errata 5, Oct 20, 2014

This patch disables the SSLv3 protocol by default.

Applications depending on SSLv3 may need to be recompiled with
    SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3);
but we recommend against the continued use of this obsolete protocol.

Apply patch using:

    signify -Vep /etc/signify/openbsd-56-base.pub -x 005_nosslv3.patch.sig \
        -m - | (cd /usr/src && patch -p0)

Then build and install libssl

    cd /usr/src/lib/libssl/ssl
    make obj
    make install

Index: lib/libssl/src/ssl/ssl_lib.c
RCS file: /cvs/src/lib/libssl/src/ssl/ssl_lib.c,v
retrieving revision 1.78
diff -u -p -r1.78 ssl_lib.c

Ted Unangst | 19 Oct 22:57 2014

kernexec errata Oct 20

Patches are now available to fix a localhost kernel crash reported by
Alejandro Hernandez. This issue affects 5.4, 5.5, and the forthcoming
5.6 release.

The patch for 5.5 follows.

untrusted comment: signature from openbsd 5.5 base secret key

OpenBSD 5.5 errata 13, Oct 20, 2014:

Executable headers with an unaligned address will trigger a kernel panic.

Apply patch using:

    signify -Vep /etc/signify/openbsd-55-base.pub -x 013_kernexec.patch.sig \
        -m - | (cd /usr/src && patch -p0)

Then build and install a new kernel.

Index: sys/kern/kern_exec.c
RCS file: /cvs/src/sys/kern/kern_exec.c,v
retrieving revision 1.137
diff -u -p -r1.137 kern_exec.c
--- sys/kern/kern_exec.c	21 Jan 2014 01:48:44 -0000	1.137
+++ sys/kern/kern_exec.c	19 Oct 2014 16:58:19 -0000
 <at>  <at>  -428,10 +428,12  <at>  <at>  sys_execve(struct proc *p, void *v, regi

 	vm = p->p_vmspace;

Ted Unangst | 19 Oct 22:55 2014

OpenSSL errata Oct 20

Patches are now available to fix two remotely triggerable memory leaks
in the OpenSSL libssl library. This issue affects 5.4 and 5.5. These
issues were originally fixed in the forthcoming 5.6 release (it's not

The patch for 5.5 follows.

untrusted comment: signature from openbsd 5.5 base secret key

OpenBSD 5.5 errata 12, Oct 20, 2014

Two remotely triggerable memory leaks in OpenSSL can lead to a denial of
service in server applications.

Apply patch using:

    signify -Vep /etc/signify/openbsd-55-base.pub -x 012_openssl.patch.sig \
        -m - | (cd /usr/src && patch -p0)

Then build and install libssl

    cd /usr/src/lib/libssl/ssl
    make obj
    make install

Index: lib/libssl/src/ssl/d1_srtp.c
RCS file: /cvs/src/lib/libssl/src/ssl/d1_srtp.c,v