Stuart Henderson | 26 Nov 2009 10:41

CVE-2009-3555: SSL/TLS renegotiation MITM vulnerability

The SSL/TLS protocol is subject to man-in-the-middle attacks
related to renegotiation (described in draft-ietf-tls-renegotiation-00)
allowing a MITM to inject chosen plaintext to the beginning of the
application data. Practical attacks exist against HTTPS and possibly
other protocols.

In -current, OpenSSL's ability to accept renegotiations has been
disabled by default. Patches are available for OpenBSD 4.6 and 4.5:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.5/common/010_openssl.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.6/common/004_openssl.patch

These are also available in the 4.5 and 4.6 -stable branches.

Joel Sing | 5 Oct 2009 13:21

OpenBSD patch: XMM exceptions incorrectly handled in i386 kernel

XMM exceptions are incorrectly handled in the OpenBSD/i386 kernel, resulting
in a kernel panic that can be triggered by a local user.

This issue has been fixed in -current. Source code patches are available for
OpenBSD 4.4, 4.5 and 4.6.

Patch for OpenBSD 4.6:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.6/i386/002_xmm.patch

Patch for OpenBSD 4.5:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.5/i386/008_xmm.patch

Patch for OpenBSD 4.4:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/i386/015_xmm.patch

These patches are also available in the OPENBSD_4_6, OPENBSD_4_5 and
OPENBSD_4_4 patch branches.

Thanks to Slava Pestov for reporting this issue.

Bob Beck | 30 Apr 2009 19:21

[deraadt@cvs.openbsd.org: Re: I would like to send this to misc@ and security-announce@, from me.]


	Users are cautioned about rogue ftp sites claiming to have OpenBSD.

	The best place to get OpenBSD is from an official CD set, produced in
a secured location.

	It has come to our attention that some ftp sites (ftp.kd85.com) which
are not official OpenBSD mirrors are purporting to serve OpenBSD 4.5
at this time. We have noted that what is actually present in the 4.5
directory is not 4.5, but rather a late development cycle snapshot which
they have moved into place claiming it is 4.5.

	While we have no problem with anyone mirroring OpenBSD for the good
of the user community, we do believe that people who offer up the wrong
thing are being deceptive and will hurt the userbase - particularly when
the packages being offered up are not the release versions.

	Please ensure you look at http://www.openbsd.org/ftp.html when
choosing to do an ftp install, and don't be fooled by someone "phishing"
for your ftp traffic.

Joel Sing | 12 Apr 2009 01:46

OpenBSD patch: pf nat/rdr of crafted datagram panics kernel

When pf attempts to perform translation on a specially crafted IP datagram
a null pointer dereference will occur, resulting in a kernel panic.
In certain configurations this may be triggered by a remote attacker.

Restricting translation rules to protocols that are specific to the IP version
in use is an effective workaround until the patch can be installed. As an
example, for IPv4 nat/binat/rdr rules you can use:

nat/rdr ... inet proto { tcp udp icmp } ...

Or for IPv6 nat/binat/rdr rules you can use:

nat/rdr ... inet6 proto { tcp udp icmp6 } ...

This issue has been fixed in -current. Source code patches are available for
OpenBSD 4.3, 4.4 and 4.5.

Patch for OpenBSD 4.5:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.5/common/002_pf.patch

Patch for OpenBSD 4.4:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/013_pf.patch

Patch for OpenBSD 4.3:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/013_pf.patch

These patches are also available in the OPENBSD_4_5, OPENBSD_4_4 and
OPENBSD_4_3 patch branches.
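
An added example, not from the advisory or from pf: a lint pass that flags
nat/binat/rdr rules in a pf.conf that do not follow the workaround described
above. It assumes the protocol lists in the advisory's two example rules are
the allow-list for each address family; the sample pf.conf is constructed.

```python
import re

# Constructed sample pf.conf fragment (nat/rdr syntax as used in the advisory).
PF_CONF = """\
ext_if = "em0"
nat on $ext_if from 10.0.0.0/8 to any -> ($ext_if)
nat on $ext_if inet proto { tcp udp icmp } from 10.0.0.0/8 to any -> ($ext_if)
rdr on $ext_if inet6 proto tcp from any to any port 80 -> fe80::1
rdr on $ext_if inet proto { tcp icmp6 } from any to any -> 10.0.0.5
nat-anchor "ftp-proxy/*"
"""

# Assumption: allow-list taken from the two example rules in the advisory.
ALLOWED = {"inet": {"tcp", "udp", "icmp"}, "inet6": {"tcp", "udp", "icmp6"}}
# Translation rules only; "nat-anchor"/"rdr-anchor" and "no nat" are skipped.
RULE = re.compile(r"^(nat|binat|rdr)(?![-\w])")

def check_rule(line):
    """Return None if the rule follows the workaround, else a reason string."""
    af = re.search(r"\b(inet6?)\b", line)
    if not af:
        return "no address family (inet/inet6)"
    proto = re.search(r"\bproto\s+(\{[^}]*\}|\S+)", line)
    if not proto:
        return "no proto restriction"
    names = set(re.split(r"[\s,{}]+", proto.group(1))) - {""}
    extra = names - ALLOWED[af.group(1)]
    if extra:
        return f"proto {sorted(extra)} not specific to {af.group(1)}"
    return None

def lint(conf):
    """Return [(line_number, reason)] for translation rules that need review."""
    findings = []
    for n, line in enumerate(conf.splitlines(), 1):
        line = line.split("#", 1)[0].strip()   # drop comments
        if RULE.match(line):
            reason = check_rule(line)
            if reason:
                findings.append((n, reason))
    return findings

if __name__ == "__main__":
    for n, reason in lint(PF_CONF):
        print(f"line {n}: {reason}")
```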

Damien Miller | 8 Apr 2009 04:53

OpenSSL CVE-2009-0590 and CVE-2009-0789: ASN.1 invalid memory access


A number of exploitable flaws in OpenSSL's ASN.1 handling code have been
found. These errors permit denial-of-service (crashing) of applications
that use OpenSSL's libcrypto to parse or print ASN.1 objects.

The vulnerabilities have been designated CVE-2009-0590 and CVE-2009-0789
and are described in more detail in OpenSSL's security advisory:

    http://www.openssl.org/news/secadv_20090325.txt

Please note that the other, more serious issue described in the OpenSSL
advisory "Incorrect Error Checking During CMS verification" does not
affect OpenBSD as we have not enabled the offending code.

Source code patches are available for OpenBSD 4.3, 4.4 and 4.5. OpenBSD
-current has been updated to OpenSSL 0.9.8k, which is not vulnerable.

Patch for OpenBSD 4.5:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.5/common/002_openssl.patch

Patch for OpenBSD 4.4:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/012_openssl.patch

Patch for OpenBSD 4.3:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/012_openssl.patch

These patches are also available in the OPENBSD_4_5, OPENBSD_4_4 and
OPENBSD_4_3 patch branches.

Todd C. Miller | 23 Feb 2009 21:20

Sudo CVE 2009-0034: possible elevated access

Summary:
    A bug was introduced in Sudo's group matching code in version
    1.6.9 when support for matching based on the supplemental group
    vector was added.  This bug may allow certain users listed in
    the sudoers file to run a command as a different user than their
    access rule specifies.

Patch for OpenBSD 4.3:
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/011_sudo.patch

Patch for OpenBSD 4.4:
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/011_sudo.patch

These patches are also available in the OPENBSD_4_3 and OPENBSD_4_4
stable CVS branches.  OpenBSD-current is not affected.

Details:
    Given a sudoers rule like the following:

	bob ALL=(%users) ALL

    user bob should only be able to run commands as a user that
    is a member of the Unix group users.

    However, due to the bug, if bob is himself a member of users,
    he will actually be able to run a command as any user.

Impact:
    The bug only impacts sudoers configurations where a Unix group
    is used in the RunAs list, which is (%users) in the example above.
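
An added example, not part of the advisory or of sudo itself: a small audit
that finds sudoers rules with a Unix group in the RunAs list and reports those
where the invoking user belongs to that group, the condition the Details
section describes. The sample sudoers text and group table are constructed,
and the parser is a simplification (plain user names on the left-hand side,
no "#uid" syntax).

```python
import re

# Constructed sample input; only bob's rule comes from the advisory.
SUDOERS = """\
# constructed sample sudoers
Runas_Alias OPS = %wheel, backup
bob    ALL=(%users) ALL
alice  ALL=(root) /usr/bin/id
carol  ALL=(OPS) \\
       /sbin/reboot
"""
GROUPS = {"users": {"bob", "dave"}, "wheel": {"erin"}}   # constructed membership

def logical_lines(text):
    """Join backslash continuations; drop comments and blank lines."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def runas_groups(text):
    """Return [(user, group)] for each rule whose RunAs list names a Unix group."""
    lines = list(logical_lines(text))
    aliases, hits = {}, []
    for line in lines:                       # first pass: collect Runas_Alias
        m = re.match(r"Runas_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [x.strip() for x in m.group(2).split(",")]
    for line in lines:                       # second pass: user specifications
        if re.match(r"\w+_Alias\b|Defaults", line):
            continue
        who = line.split()[0]
        for runas in re.findall(r"\(([^)]*)\)", line):
            members = []
            for item in runas.split(","):
                members += aliases.get(item.strip(), [item.strip()])
            hits += [(who, g[1:]) for g in members if g.startswith("%")]
    return hits

def exposed(text, groups):
    """Rules where the invoking user is a member of the RunAs group."""
    return [(who, g) for who, g in runas_groups(text) if who in groups.get(g, set())]

if __name__ == "__main__":
    print("group in RunAs list:", runas_groups(SUDOERS))
    print("invoker is a member:", exposed(SUDOERS, GROUPS))
```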
Damien Miller | 14 Jan 2009 23:45

bind CVE-2009-0025: incorrect DSA verification checks

Some exploitable logic errors have been found in the bind nameserver's
use of OpenSSL DSA verification functions. These errors may permit an
attacker to bypass validation of DSA DNSSEC signatures.

This vulnerability has been designated CVE-2009-0025. More information
is available from the ISC at:

  https://www.isc.org/node/373

Source code patches are available for OpenBSD 4.3 and 4.4. -current has
had an identical fix applied.

Patch for OpenBSD 4.3:
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/008_bind.patch

Patch for OpenBSD 4.4:
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/008_bind.patch

These patches are also available in the OPENBSD_4_3 and OPENBSD_4_4
stable CVS branches.

Damien Miller | 9 Jan 2009 14:12

OpenSSL CVE-2008-5077: Incorrect checks for malformed signatures


Some exploitable logic errors have been discovered in OpenSSL versions
prior to 0.9.8j. These errors may permit an attacker to bypass
validation of DSA/ECDSA certificates and conduct a "man in the middle
attack" against SSL/TLS connections that use them. Fortunately, DSA and
ECDSA certificates appear to be rarely used in practice.

This vulnerability has been designated CVE-2008-5077. More information
is available from the OpenSSL project at:

  http://www.openssl.org/news/secadv_20090107.txt

Source code patches are available for OpenBSD 4.3 and 4.4. -current has
been updated to OpenSSL 0.9.8j.

Patch for OpenBSD 4.3:
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/007_openssl.patch

Patch for OpenBSD 4.4:
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/007_openssl.patch

These patches are also available in the OPENBSD_4_3 and OPENBSD_4_4
stable CVS branches.

Damien Miller | 23 Nov 2008 22:58

Revised: OpenSSH security advisory: cbc.adv

Hi,

There was an error in the original advisory. The estimate of 32768
attempts to carry out a successful attack is incorrect. The correct
estimate is 11356 attempts. A revised version is now available at:
http://www.openssh.com/txt/cbc.adv

The advisory and its recommendations are otherwise unchanged.

-d

Damien Miller | 21 Nov 2008 11:19

OpenSSH security advisory: cbc.adv

OpenSSH Security Advisory: cbc.adv

Regarding the "Plaintext Recovery Attack Against SSH" reported as
CPNI-957037[1]:

The OpenSSH team has been made aware of an attack against the SSH
protocol version 2 by researchers at the University of London.
Unfortunately, due to the report lacking any detailed technical
description of the attack and CPNI's unwillingness to share necessary
information, we are unable to properly assess its impact.

Based on the description contained in the CPNI report and a slightly
more detailed description forwarded by CERT this issue appears to be
substantially similar to a known weakness in the SSH binary packet
protocol first described in 2002 by Bellare, Kohno and Namprempre[2].
The new component seems to be an attack that can recover 14 bits of
plaintext with a success probability of 2^-14, though we suspect this
underestimates the work required by a practical attack.

For most SSH usage scenarios, this attack has a very low likelihood of
being carried out successfully - each attempt has a low probability
of success and each failure will cause connection termination with a
fatal error. It is therefore very unlikely for an interactive session
to be usefully attacked using this protocol weakness: an attacker would
expect around 32768 connection-killing attempts before they are likely
to succeed. This level of disruption would certainly be noticed and it
is highly unlikely that any user would retry the connection enough times
for the attack to succeed.

The usage pattern where the attack is most likely to succeed is where an