OpenBSD Journal

libcrypto errata - May 2016

Contributed by phessler on from the it-must-be-tuesday dept.

Ted Unangst just sent an announcement of LibreSSL patches

OpenSSL announced several issues today that also affect LibreSSL.

- Memory corruption in the ASN.1 encoder (CVE-2016-2108)
- Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
- EVP_EncodeUpdate overflow (CVE-2016-2105)
- EVP_EncryptUpdate overflow (CVE-2016-2106)
- ASN.1 BIO excessive memory allocation (CVE-2016-2109)

Thanks to OpenSSL for providing information and patches.

Refer to https://www.openssl.org/news/secadv/20160503.txt

Patches for OpenBSD are available:

http://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/005_crypto.patch.sig

http://ftp.openbsd.org/pub/OpenBSD/patches/5.8/common/013_crypto.patch.sig



Comments
  1. By foo (151.67.35.51) on


    I am tracking OPENBSD_5_9 with anoncvs, but I don't know how to discover what has been updated. For example, I got this SSL patch with anoncvs but if I don't read the errata I don't know what is changed and needs to be rebuilt!

    Is there a place to find all the updates to the 5.9-stable branch?
    I mean a website or log in the src tree...

    How do you track -stable?

    Comments
    1. By Anonymous Coward (84.170.132.130) on

      >
      > I am tracking OPENBSD_5_9 with anoncvs, but I don't know how to discover what has been updated. For example, I got this SSL patch with anoncvs but if I don't read the errata I don't know what is changed and needs to be rebuilt!
      >
      > Is there a place to find all the updates to the 5.9-stable branch?
      > I mean a website or log in the src tree...
      >
      > How do you track -stable?
      >

      What I do is I 1. start with the release sources, then 2. download 5.9.tar.gz from ftp.eu.openbsd.org in the /pub/OpenBSD/patches directory. This contains all patches for the tree and gives commands at the top on how to apply the patches. There is also a signify string at the top of each patch that will fail if the signature for release is not right. So I usually go through each patch one round doing the signify for each applied patch; this is a copy/paste effort. Then I go through each patch again doing the make install commands that are listed. Another copy/paste effort. At the end of the patches that I've done I sometimes do a touch DONE_005 to indicate that I've done up to patch 005 so that when I download 5.9.tar.gz again and there are new patches in it I know which one to start with. Hope that helps.
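      The DONE_NNN bookkeeping described in the comment above, written out as a small POSIX sh script. This is an added example, not code from the thread or from OpenBSD; the patch file names, the demo directory and the DONE_005 marker are constructed here so it runs offline, and apply_command only prints the verify-and-apply pipeline in the form the errata patch headers use (key path derived from the release number) rather than running it.

```sh
#!/bin/sh
# Added example (not from the thread): bookkeeping for the "touch DONE_NNN"
# workflow. All file names and the demo directory are constructed here so the
# script runs offline; nothing is verified or applied.
set -u

# Highest patch number recorded by a DONE_NNN marker in $1 ("000" if none).
done_upto() {
    last=000
    for m in "$1"/DONE_*; do
        [ -e "$m" ] || continue
        n=${m##*/DONE_}
        if [ "$n" -gt "$last" ]; then last=$n; fi
    done
    printf '%s\n' "$last"
}

# Errata patches in $1 numbered above the DONE marker, in order.
pending_patches() {
    last=$(done_upto "$1")
    for p in "$1"/[0-9][0-9][0-9]_*.patch.sig; do
        [ -e "$p" ] || continue
        f=${p##*/}
        n=${f%%_*}
        if [ "$n" -gt "$last" ]; then printf '%s\n' "$f"; fi
    done
}

# Verify-and-apply pipeline in the form printed at the top of OpenBSD errata
# patches; the key name follows the release ("5.9" -> openbsd-59-base.pub).
apply_command() {
    key="/etc/signify/openbsd-$(printf '%s' "$1" | tr -d .)-base.pub"
    printf 'signify -Vep %s -x %s -m - | (cd /usr/src && patch -p0)\n' "$key" "$2"
}

# Constructed demo: three patch files and a marker saying 005 is done.
DEMO_DIR=$(mktemp -d)
for f in 003_example.patch.sig 005_crypto.patch.sig 006_example.patch.sig; do
    : > "$DEMO_DIR/$f"
done
: > "$DEMO_DIR/DONE_005"

for f in $(pending_patches "$DEMO_DIR"); do
    echo "# still to apply: $f"
    apply_command 5.9 "$f"
done
```

      Because signify verifies the whole patch before patch(1) sees a byte of it, a marker file only saves re-reading headers; the signature check still runs for every patch you apply.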

      Comments
      1. By foo (151.67.112.203) on

        OK, but this is just to apply patches... what about all the little improvements of -stable ? ;-)

        Comments
        1. By loreb (87.15.27.78) on

          > OK, but this is just to apply patches... what about all the little improvements of -stable ? ;-)
          >

          Right after you update your source,
          run something along the lines of "find /usr/src -mtime -1 | something",
          where "something" is supposed to filter out spurious results.

          I can't test it right now, but iirc you'll need to filter at least
          CVS/Entries.
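          One way to fill in the "| something" filter from the comment above, as an added example that is not part of the thread: prune CVS/ bookkeeping directories (CVS/Entries, CVS/Root and friends, which cvs update rewrites on every run) so only real source files changed in the last N days are listed. The mini checkout it scans is constructed inside the script so it runs offline.

```sh
#!/bin/sh
# Added example (not from the thread): list files in a checkout modified in
# the last N days while skipping CVS/ metadata directories. The checkout
# below is constructed so the script runs offline.
set -u

# Print regular files under $1 modified less than $2 days ago, pruning
# anything inside a CVS/ directory; sorted for stable output.
recent_changes() {
    find "$1" -name CVS -prune -o -type f -mtime -"$2" -print | sort
}

# Constructed mini checkout: one freshly updated file, one file untouched
# since January 2016, and the CVS metadata that cvs update also rewrites.
DEMO_SRC=$(mktemp -d)
mkdir -p "$DEMO_SRC/lib/libcrypto/CVS" "$DEMO_SRC/CVS"
: > "$DEMO_SRC/lib/libcrypto/CVS/Entries"   # rewritten by cvs update, not a source change
: > "$DEMO_SRC/CVS/Root"
: > "$DEMO_SRC/lib/libcrypto/changed.c"     # just updated: mtime is now
: > "$DEMO_SRC/lib/libcrypto/old.c"
touch -t 201601010000 "$DEMO_SRC/lib/libcrypto/old.c"

recent_changes "$DEMO_SRC" 1
```

          The mtime approach only tells you which files moved; to see what changed in them, the cvs diff against the release tag mentioned elsewhere in this thread is the complementary step.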

        2. By Anonymous Coward (84.170.140.164) on

          > OK, but this is just to apply patches... what about all the little improvements of -stable ? ;-)
          >

          AFAIK -stable branch is just these errata patches and nothing more. If you're looking for new code it's probably in -current. However you can use cvs with the diff and -r arguments to see what exactly has changed since you updated the -stable. If you look at http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/ at the bottom there are tags of the development. I'd do 'cvs diff -r OPENBSD_5_9_BASE -u' if you were on 5.9-stable (which is really the OPENBSD_5_9 tag); do this at /usr/src and it will recursively find all changes afaik. Save that to a file and then you can go through it and see what changes were made. Perhaps you need a little bit of instinct what part is which in the cvs tree so perhaps learning the source tree is of help here.

          Hope that helps.

          Comments
          1. By rjc (rjc) on

            > AFAIK -stable branch is just these errata patches and nothing more.

            No, it is *not* - http://www.openbsd.org/stable.html

            > Hope that helps.

            No, you spread misinformation :^)

            Raf

            Comments
            1. By Anonymous Coward (84.170.140.164) on

              > > AFAIK -stable branch is just these errata patches and nothing more.
              >
              > No, it is *not* - http://www.openbsd.org/stable.html
              >
              > > Hope that helps.
              >
              > No, you spread misinformation :^)
              >
              > Raf

              I'm sorry Raf, you got me! I prefer calling it a half truth, since I thought I was productive hinting at the cvs diff. I will however crawl under a rock now.

        3. By Otto Moerbeek (otto) on http://www.drijf.net

          > OK, but this is just to apply patches... what about all the little improvements of -stable ? ;-)
          >

          You can follow the src-changes mailing list and make some filter for the stable branches, or on twitter @OpenBSD_stable, which only mentions -stable commits.

          Comments
          1. By Anonymous Coward (151.67.68.131) on


            Thanks for the info about the twitter profile!

            In the meantime I am rebuilding the whole system every time there is a patch...

          2. By foo (151.67.119.21) on

            > You can follow the src-changes mailing list and make some filer for the stable branches, or on twitter @OpenBSD_stable, which only mentions -stable commits.


            On the twitter profile I see a lot of activity on ports... do you build updated packages as well, or should I rebuild the updated ports after cvs-ing -stable?
