Ted Unangst | 15 Jul 03:12 2016

other usermount bugs

In addition to the patched bugs, several panics were discovered by NCC that
can be triggered by root or users with the usermount option set. These bugs
are not getting patched because we believe they are only the tip of the
iceberg. The mount system call exposes too much code to userland to be
considered secure.

As remediation, it's recommended to disable usermount. For the forthcoming 6.0
release, the usermount option will be removed.

Ted Unangst | 15 Jul 02:49 2016

multiple patches available

Several patches are available to fix kernel errata.

Please refer to http://www.openbsd.org/errata59.html and errata58.html for
details and patches.

Patches for 5.9 include:

 013: RELIABILITY FIX: July 14, 2016   All architectures
 Splicing sockets in a loop could cause a kernel spin.

 014: RELIABILITY FIX: July 14, 2016   All architectures
 Multiple processes exiting with a fd-passing control message on a shared
 socket could crash the system.

 015: RELIABILITY FIX: July 14, 2016   All architectures
 ufs_readdir failed to limit size of memory allocation, leading to panics.

 016: SECURITY FIX: July 14, 2016   All architectures
 The mmap extension __MAP_NOFAULT could overcommit resources and crash the

 017: RELIABILITY FIX: July 14, 2016   All architectures
 A race occuring in the unlocked ARP input path can lead to a kernel NULL

 018: RELIABILITY FIX: July 14, 2016   All architectures
 Tick counting overflows could cause a kernel crash.

 019: RELIABILITY FIX: July 14, 2016   All architectures
 Invalid file descriptor use with kevent(2) could lead to a kernel crash.
(Continue reading)

Bob Beck | 27 Jun 21:53 2016

OpenBSD 5.9 Errata for OCSP available

This errata fixes several issues in the OCSP code that could result in
the incorrect generation and parsing of OCSP requests. This remediates
a lack of error checking on time parsing in these functions, and
ensures that only
GENERALIZEDTIME formats are accepted for OCSP, as per RFC 6960.

Issues reported, and fixes provided by Kazuki Yamaguchi <k <at> rhe.jp>
and Kinichiro Inoguchi <kinichiro.inoguchi <at> gmail.com>

Patches for OpenBSD 5.9 are available at:

and have been committed to -current.

Portable LibreSSL releases will appear shortly.

La Empresa Familiar - En Línea

En línea y en Vivo / Para todo su Equipo con una sola Conexión 

La Empresa Familiar: Pros y cómo manejar los Contras
30 de junio - Online en Vivo - 10:00 a 13:00 y de 15:00 a 18:00Hrs       

Cuando usted piensa en una empresa familiar, ¿piensa en empresas pequeñas, regionales? ¿O en
consorcios internacionales como Walmart, Televisa o Bimbo? Los Walton, los Azcárraga y los Servige son
familias reales detrás de corporaciones que ahora cuentan a millones de colaboradores en todo el mundo,
y son la prueba de que la empresa que usted y su familia han creado puede llegar tan lejos como lo desee 

- Características de la empresa familiar

- Los conflictos en la empresa familiar

- Decisiones trascendentes

- Profesionalización de la empresa 

- Y mucho más.

¿Requiere la información a la Brevedad?
responda este email con la palabra: 
Info - Empresa familiar.
centro telefónico: 018002129393

Lic. Lic. Cinthya Santos
Líder de Proyecto
(Continue reading)

Bob Beck | 6 Jun 12:00 2016

libcrypto patch available for DSA security issue

Fixes are available to correct a problem that prevents the DSA signing
algorithm from running in constant time even if the flag

This issue was reported by Cesar Pereida (Aalto University), Billy
Brumley (Tampere University of Technology), and Yuval Yarom (The
University of Adelaide and NICTA). The fix was developed by Cesar

Patches are available for 5.8 and 5.9 at:


and have been commmitted to -current. 

Portably LibreSSL releases will appear shortly. 

Brent Cook | 1 Jun 04:37 2016

LibreSSL 2.4.0/2.3.5/2.2.8 Released

We have released a first development snapshot of LibreSSL 2.4.0 along
with two stable builds, 2.3.5 and 2.2.8. These should be arriving in
the LibreSSL directory of your local OpenBSD mirror soon.

The 2.3.5 and 2.2.8 releases contain a reliability fix, correcting an
error when parsing certain ASN.1 elements over 16k in size.

The 2.4.0 release contains the following additional changes:

    * Implemented the IETF ChaCha20-Poly1305 cipher suites.

    * Changed default EVP_aead_chacha20_poly1305() implementation to the
      IETF version, which is now the default.

    * Many improvements to the CMake build infrastructure, including
      Solaris, mingw-w64, Cygwin, and HP-UX support. Thanks to Kinichiro
      Inoguchi for this work.

    * Reworked error handling in libtls so that configuration errors are
      more visible.

    * Added missing error handling around bn_wexpand() calls.

    * Added explicit_bzero calls for freed ASN.1 objects.

    * Fixed X509_*set_object functions to return 0 on allocation failure.

    * Fixed password prompts from openssl(1) to properly handle ^C.

    * Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.
(Continue reading)

Brent Cook | 31 May 02:04 2016

OpenNTPD 6.0p1 available

OpenNTPD 6.0p1 has just been released. It will be available from the mirrors
listed at http://www.openntpd.org/ shortly.

OpenNTPD is a FREE, secure, and easy to use implementation of the Network Time
Protocol. It provides the ability to sync the local clock to remote NTP servers
and can act as NTP server itself, redistributing the local clock.

Changes since OpenNTPD 5.9p1

    * Fixed a link failure on older Linux distributions and a build
      failure on FreeBSD.
    * Set MOD_MAXERROR to avoid unsynced time status when using
    * Fixed HTTP Timestamp header parsing to use strptime in a more
      portable fashion.
    * Hardened TLS for ntpd constraints, enabling server name
      verification. Thanks to Luis M. Merino.

The libtls library, as shipped with LibreSSL 2.3.2 or later, is
required to use the HTTPS constraint feature, though it is not
required to use OpenNTPD.

For detailed changes, see the changes either in the OpenBSD CVS repository or
the GitHub mirror.


SHA256 (openntpd-6.0p1.tar.gz) = b1ab80094788912adb12b33cb1f251cc58db39294c1b5c6376972f5f7ba577e8
(Continue reading)

Brent Cook | 30 May 05:18 2016

libcrypto errata update

A bug in the previous libcrypto errata caused an error when reading
ASN.1 elements over 16kb.

Patches for OpenBSD are available. Updated LibreSSL-portable releases
will be available later.



Kenneth R Westerback | 4 May 01:05 2016

DuckDuckGo is 2016 Gold Level Contributor to the OpenBSD Foundation

The OpenBSD Foundation is happy to announce that DuckDuckGo has
become the first Gold level contributor to the Foundation's 2016
fundraising campaign.

This donation is part DuckDuckGo's annual initiative to help fund
free and open source projects based on nominations from their

Donations to the Foundation can be made on our Donations Page at


We can be contacted regarding corporate sponsorship at

fundraising <at> openbsdfoundation.org.

Ted Unangst | 3 May 16:32 2016

libcrypto errata

OpenSSL announced several issues today that also affect LibreSSL.

- Memory corruption in the ASN.1 encoder (CVE-2016-2108)
- Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
- EVP_EncodeUpdate overflow (CVE-2016-2105)
- EVP_EncryptUpdate overflow (CVE-2016-2106)
- ASN.1 BIO excessive memory allocation (CVE-2016-2109)

Thanks to OpenSSL for providing information and patches.

Refer to https://www.openssl.org/news/secadv/20160503.txt

Patches for OpenBSD are available:



Stuart Henderson | 1 May 15:37 2016

OpenBSD 5.9 errata 004

A problem in m_dup_pkt() can result in kernel crashes with carp(4).
Only 5.9 is affected.

A patch is available: