Damien Miller | 15 Mar 22:41 2014

Announce: OpenSSH 6.6 released


OpenSSH 6.6 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
http://www.openssh.com/donations.html

Changes since OpenSSH 6.6
=========================

This is primarily a bugfix release.

Security:

 * sshd(8): when using environment passing with a sshd_config(5)
   AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could be
   tricked into accepting any enviornment variable that contains the
   characters before the wildcard character.

New / changed features:

 * ssh(1), sshd(8): this release removes the J-PAKE authentication code.
   This code was experimental, never enabled and had been unmaintained
   for some time.
(Continue reading)

Damien Miller | 30 Jan 07:39 2014

Announce: OpenSSH 6.5 released

OpenSSH 6.5 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
http://www.openssh.com/donations.html

Changes since OpenSSH 6.4
=========================

This is a feature-focused release.

New features:

 * ssh(1), sshd(8): Add support for key exchange using elliptic-curve
   Diffie Hellman in Daniel Bernstein's Curve25519. This key exchange
   method is the default when both the client and server support it.

 * ssh(1), sshd(8): Add support for Ed25519 as a public key type.
   Ed25519 is a elliptic curve signature scheme that offers
   better security than ECDSA and DSA and good performance. It may be
   used for both user and host keys.

 * Add a new private key format that uses a bcrypt KDF to better
   protect keys at rest. This format is used unconditionally for
(Continue reading)

owner-security-announce | 3 Dec 01:11 2011
Picon

Welcome to the security-announce list!

Welcome to the security-announce mailing list!
Your password at OpenBSD Mailing List Server is

Azeqqk

To leave this mailing list, send the following command in the body
of a message to majordomo <at> openbsd.org:

approve Azeqqk unsubscribe security-announce goosa-security-announce <at> lo.gmane.org

This command will work even if your address changes.  For that reason,
among others, it is important that you keep a copy of this message.

To post a message to the mailing list, send it to
  security-announce <at> openbsd.org

If you need help or have questions about the mailing list, please
contact the people who manage the list by sending a message to
  owner-security-announce <at> openbsd.org

You can manage your subscription by visiting the following WWW location:
  <http://lists.openbsd.org/cgi-bin/mj_wwwusr/domain=openbsd.org/goosa-security-announce%40lo.gmane.org>

Stuart Henderson | 26 Nov 10:41 2009
Picon

CVE-2009-3555: SSL/TLS renegotiation MITM vulnerability

The SSL/TLS protocol is subject to man-in-the-middle attacks
related to renegotiation (described in draft-ietf-tls-renegotiation-00)
allowing a MITM to inject chosen plaintext to the beginning of the
application data. Practical attacks exist against HTTPS and possibly
other protocols.

In -current, OpenSSL's ability to accept renegotiations has been
disabled by default. Patches are available for OpenBSD 4.6 and 4.5:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.5/common/010_openssl.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.6/common/004_openssl.patch

These are also available in the 4.5 and 4.6 -stable branches.

Joel Sing | 5 Oct 13:21 2009
Picon

OpenBSD patch: XMM exceptions incorrectly handled in i386 kernel

XMM exceptions are incorrectly handled in the OpenBSD/i386 kernel, resulting
in a kernel panic that can be triggered by a local user.

This issue has been fixed in -current. Source code patches are available for
OpenBSD 4.4, 4.5 and 4.6.

Patch for OpenBSD 4.6:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.6/i386/002_xmm.patch

Patch for OpenBSD 4.5:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.5/i386/008_xmm.patch

Patch for OpenBSD 4.4:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/i386/015_xmm.patch

These patches are also available in the OPENBSD_4_6, OPENBSD_4_5 and
OPENBSD_4_4 patch branches.

Thanks to Slava Pestov for reporting this issue.

Bob Beck | 30 Apr 19:21 2009
Picon

[deraadt <at> cvs.openbsd.org: Re: I would like to send this to misc <at> and security-announce <at> , from me.]


	Users are cautioned about rogue ftp sites claiming to have OpenBSD.

	The best place to get OpenBSD is from an official CD set, produced in
a secured location

	It has come to our attention that some ftp sites (ftp.kd85.com) which
are not official OpenBSD mirrors are purporting to serve OpenBSD 4.5
at this time. We have noted that what is actually present in the 4.5
directory is not 4.5, but rather a late development cycle snapshot which
they have moved into place claiming it is 4.5. 

 	While we have no problem with anyone mirroring OpenBSD for the good 
of the user community, we do believe that people who offer up the wrong
thing are being deceptive and will hurt the userbase - particularly when
the packages being offered up are not the release versions. 

 	please ensure you look at http://www.openbsd.org/ftp.html when
choosing to do an ftp install, and don't be fooled by someone "phishing"
for your ftp traffic.

Joel Sing | 12 Apr 01:46 2009
Picon

OpenBSD patch: pf nat/rdr of crafted datagram panics kernel

When pf attempts to perform translation on a specially crafted IP datagram
a null pointer dereference will occur, resulting in a kernel panic.
In certain configurations this may be triggered by a remote attacker.

Restricting translation rules to protocols that are specific to the IP version
in use is an effective workaround until the patch can be installed. As an
example, for IPv4 nat/binat/rdr rules you can use:

nat/rdr ... inet proto { tcp udp icmp } ...

Or for IPv6 nat/binat/rdr rules you can use:

nat/rdr ... inet6 proto { tcp udp icmp6 } ...

This issue has been fixed in -current. Source code patches are available for
OpenBSD 4.3, 4.4 and 4.5.

Patch for OpenBSD 4.5:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.5/common/002_pf.patch

Patch for OpenBSD 4.4:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/013_pf.patch

Patch for OpenBSD 4.3:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/013_pf.patch

These patches are also available in the OPENBSD_4_5, OPENBSD_4_4 and
OPENBSD_4_3 patch branches.

(Continue reading)

Damien Miller | 8 Apr 04:53 2009
Picon

OpenSSL CVE-2009-0590 and CVE-2009-0789: ASN.1 invalid memory access


A number of exploitable flaws in OpenSSL's ASN.1 handling code have been
found. These errors permit denial-of-service (crashing) of applications
that use OpenSSL's libcrypto to parse or print ASN.1 objects.

The vulnerabilities have been designated CVE-2009-0590 and CVE-2009-0789
and are described in more detail in OpenSSL's security advisory:

    http://www.openssl.org/news/secadv_20090325.txt

Please note that the other, more serious issue described in the OpenSSL
advisory "Incorrect Error Checking During CMS verification" does not
affect OpenBSD as we have not enabled the offending code.

Source code patches are available for OpenBSD 4.3, 4.4 and 4.5. OpenBSD
-current has been updated to OpenSSL 0.9.8k, which is not vulnerable.

Patch for OpenBSD 4.5:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.5/common/002_openssl.patch

Patch for OpenBSD 4.4:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/012_openssl.patch

Patch for OpenBSD 4.3:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/012_openssl.patch

These patches are also available in the OPENBSD_4_5, OPENBSD_4_4 and
OPENBSD_4_3 patch branches.

(Continue reading)

Todd C. Miller | 23 Feb 21:20 2009

Sudo CVE 2009-0034: possible elevated access

Summary:
    A bug was introduced in Sudo's group matching code in version
    1.6.9 when support for matching based on the supplemental group
    vector was added.  This bug may allow certain users listed in
    the sudoers file to run a command as a different user than their
    access rule specifies.

Patch for OpenBSD 4.3:
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/011_sudo.patch

Patch for OpenBSD 4.4:
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/011_sudo.patch

These patches are also available in the OPENBSD_4_3 and OPENBSD_4_4
stable CVS branches.  OpenBSD-current is not affected.

Details:
    Given a sudoers rule like the following:

	bob ALL=(%users) ALL

    user bob should only be able to run commands as a user that
    is a member of the Unix group users.

    However, due to the bug, if bob is himself a member of users,
    he will actually be able to run a command as any user.

Impact:
    The bug only impacts sudoers configurations where a Unix group
    is used in the RunAs list, which is (%users) in the example above.
(Continue reading)

Damien Miller | 14 Jan 23:45 2009

bind CVE-2009-0025: incorrect DSA verification checks

Some exploitable logic errors have been found in the bind nameserver's
use of OpenSSL DSA verification functions. These errors may permit an
attacker to bypass validation of DSA DNSSEC signatures.

This vulnerability has been designated CVE-2009-0025. More information
is available from the ISC at:

  https://www.isc.org/node/373

Source code patches are available for OpenBSD 4.3 and 4.4. -current has
had an identical fix applied.

Patch for OpenBSD 4.3:
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/008_bind.patch

Patch for OpenBSD 4.4:
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/008_bind.patch

These patches are also available in the OPENBSD_4_3 and OPENBSD_4_4
stable CVS branches.

Damien Miller | 9 Jan 14:12 2009
Picon

OpenSSL CVE-2008-5077: Incorrect checks for malformed signatures


Some exploitable logic errors have been discovered in OpenSSL versions
prior to 0.9.8j. These errors may permit an attacker to bypass
validation of DSA/ECDSA certificates and conduct a "man in the middle
attack" against SSL/TLS connection that use them. Fortunately, DSA and
ECDSA certificates appear to be rarely used in practice.

This vulnerability has been designated CVE-2008-5077. More information
is available from the OpenSSL project at:

  http://www.openssl.org/news/secadv_20090107.txt

Source code patches are available for OpenBSD 4.3 and 4.4. -current has
been updated to OpenSSL 0.9.8j

Patch for OpenBSD 4.3:
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/007_openssl.patch

Patch for OpenBSD 4.4:
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/007_openssl.patch

These patches are also available in the OPENBSD_4_3 and OPENBSD_4_4
stable CVS branches.


Gmane