Damien Miller | 8 Apr 04:53 2009

OpenSSL CVE-2009-0590 and CVE-2009-0789: ASN.1 invalid memory access


A number of exploitable flaws in OpenSSL's ASN.1 handling code have been
found. These errors permit denial-of-service (crashing) of applications
that use OpenSSL's libcrypto to parse or print ASN.1 objects.

The vulnerabilities have been designated CVE-2009-0590 and CVE-2009-0789
and are described in more detail in OpenSSL's security advisory:

    http://www.openssl.org/news/secadv_20090325.txt

Please note that the other, more serious issue described in the OpenSSL
advisory "Incorrect Error Checking During CMS verification" does not
affect OpenBSD as we have not enabled the offending code.

Source code patches are available for OpenBSD 4.3, 4.4 and 4.5. OpenBSD
-current has been updated to OpenSSL 0.9.8k, which is not vulnerable.

Patch for OpenBSD 4.5:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.5/common/002_openssl.patch

Patch for OpenBSD 4.4:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/012_openssl.patch

Patch for OpenBSD 4.3:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/012_openssl.patch

These patches are also available in the OPENBSD_4_5, OPENBSD_4_4 and
OPENBSD_4_3 patch branches.


Damien Miller | 8 Apr 09:21 2009

Correction: OpenSSL CVE-2009-0590 and CVE-2009-0789: ASN.1 invalid memory access

On Wed, 8 Apr 2009, Damien Miller wrote:

> Patch for OpenBSD 4.5:
>     ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.5/common/002_openssl.patch

Correction, this should be:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.5/common/001_openssl.patch

Joel Sing | 12 Apr 01:46 2009

OpenBSD patch: pf nat/rdr of crafted datagram panics kernel

When pf attempts to perform translation on a specially crafted IP datagram
a null pointer dereference will occur, resulting in a kernel panic.
In certain configurations this may be triggered by a remote attacker.

Restricting translation rules to protocols that are specific to the IP version
in use is an effective workaround until the patch can be installed. As an
example, for IPv4 nat/binat/rdr rules you can use:

nat/rdr ... inet proto { tcp udp icmp } ...

Or for IPv6 nat/binat/rdr rules you can use:

nat/rdr ... inet6 proto { tcp udp icmp6 } ...

This issue has been fixed in -current. Source code patches are available for
OpenBSD 4.3, 4.4 and 4.5.

Patch for OpenBSD 4.5:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.5/common/002_pf.patch

Patch for OpenBSD 4.4:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/013_pf.patch

Patch for OpenBSD 4.3:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/013_pf.patch

These patches are also available in the OPENBSD_4_5, OPENBSD_4_4 and
OPENBSD_4_3 patch branches.

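One way to check a ruleset against the workaround in the pf message above, as an added example that is not part of the original message or of OpenBSD's code. It assumes the `nat`/`rdr`/`binat` rule syntax shown in that message; the function names and the sample ruleset are constructed, and the allowed protocol lists are copied from the message's two example rules.

```python
import re

# Protocol lists copied from the two example rules in the pf message (assumed complete).
ALLOWED = {"inet": {"tcp", "udp", "icmp"}, "inet6": {"tcp", "udp", "icmp6"}}
RULE = re.compile(r"^(nat|rdr|binat)\s")  # does not match nat-anchor / rdr-anchor
PROTO = re.compile(r"\bproto\s+(\{[^}]*\}|\S+)")

# Constructed sample ruleset, not taken from any real system.
SAMPLE = """\
nat on em0 from 10.0.0.0/24 to any -> (em0)
nat on em0 inet proto { tcp udp icmp } from 10.0.0.0/24 to any -> (em0)
rdr on em0 inet6 proto { tcp, icmp } from any to any port 80 \\
    -> fd00::10 port 8080
rdr on em0 inet from any to any -> 10.0.0.5   # no proto
nat-anchor "ftp-proxy/*"
"""

def logical_lines(text):
    """Yield (first_line_number, rule): comments dropped, '\\' continuations joined."""
    buf, start = "", 0
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        start = start if buf else num
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, buf.strip()
        buf = ""

def audit(text):
    """Return (line_number, reason) for each translation rule not restricted as advised."""
    findings = []
    for num, rule in logical_lines(text):
        if not RULE.match(rule):
            continue
        family = next((t for t in rule.split() if t in ALLOWED), None)
        proto = PROTO.search(rule)
        if family is None:
            findings.append((num, "no address family (inet/inet6)"))
        elif proto is None:
            findings.append((num, "no proto restriction"))
        else:
            names = set(proto.group(1).strip("{}").replace(",", " ").split())
            extra = sorted(names - ALLOWED[family])
            if extra:
                findings.append((num, f"{family}: proto outside advisory list: {' '.join(extra)}"))
    return findings
```

Macros are not expanded, so a rule written as `proto $name` is reported and needs a manual look.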

Bob Beck | 30 Apr 19:21 2009

[deraadt@cvs.openbsd.org: Re: I would like to send this to misc@ and security-announce@, from me.]


	Users are cautioned about rogue ftp sites claiming to have OpenBSD.

	The best place to get OpenBSD is from an official CD set, produced in
a secured location.

	It has come to our attention that some ftp sites (ftp.kd85.com) which
are not official OpenBSD mirrors are purporting to serve OpenBSD 4.5
at this time. We have noted that what is actually present in the 4.5
directory is not 4.5, but rather a late development cycle snapshot which
they have moved into place claiming it is 4.5. 

 	While we have no problem with anyone mirroring OpenBSD for the good 
of the user community, we do believe that people who offer up the wrong
thing are being deceptive and will hurt the userbase - particularly when
the packages being offered up are not the release versions. 

	Please ensure you look at http://www.openbsd.org/ftp.html when
choosing to do an ftp install, and don't be fooled by someone "phishing"
for your ftp traffic.

