OpenBSD Journal
sendmail(8) Patch In -stable Fixes Local Snooping Vulnerability
Contributed by pitrh on Thu Jun 5 15:54:44 2014 (GMT)
from the love letters in the sand dept.

For those of you who are still using sendmail(8) on OpenBSD 5.4 or 5.5, it's patch and update time.

The vulnerability known as CVE-2014-3956 could allow local users to interfere with open SMTP connections, and it is strongly advised that any sendmail users out there patch their systems without undue delay.

Patches are available for OpenBSD 5.4 and OpenBSD 5.5 as patch 011 and patch 007 respectively.

It is worth noting that from OpenBSD 5.6 onwards (to be released November 1st, 2014), OpenBSD's own OpenSMTPD will be the default MTA.
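The story does not say how a local user gets at somebody else's SMTP session. The upstream sendmail 8.14.9 release notes (not this page) describe the fix as setting the close-on-exec flag on sendmail's descriptors, other than stdin, stdout and stderr, before executing mailers, so that a program sendmail runs on a user's behalf (a .forward pipe, say) no longer inherits the daemon's open connections. The following is an added example, not sendmail's code and not part of the original story: a pipe stands in for the SMTP socket, /bin/sh stands in for the mailer, and the helper names set_cloexec_from and fd_survives_exec are this example's own.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark every open descriptor from lowfd upward close-on-exec, leaving the
 * descriptors below lowfd (stdin/stdout/stderr when lowfd is 3) alone.
 * Returns the number of descriptors newly marked, or -1 on error. */
static int set_cloexec_from(int lowfd)
{
    long maxfd = sysconf(_SC_OPEN_MAX);
    int fd, marked = 0;

    if (maxfd < 0)
        maxfd = 1024;                          /* conservative fallback */
    for (fd = lowfd; fd < maxfd; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags == -1)                       /* not an open descriptor */
            continue;
        if (flags & FD_CLOEXEC)
            continue;
        if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1)
            return -1;
        marked++;
    }
    return marked;
}

/* Probe from the exec'd program's point of view: run /bin/sh (the stand-in
 * mailer) and ask it to use fd as its stdout. That redirection can only
 * succeed if fd was inherited across exec.
 * Returns 1 if the descriptor survived exec, 0 if not, -1 on error. */
static int fd_survives_exec(int fd)
{
    char cmd[64];
    pid_t pid;
    int status;

    snprintf(cmd, sizeof cmd, "true >&%d", fd);
    pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        int devnull = open("/dev/null", O_WRONLY);
        if (devnull != -1)                     /* silence the shell's error message */
            dup2(devnull, STDERR_FILENO);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0;
}

int main(void)
{
    int p[2];

    if (pipe(p) == -1)
        return 1;
    /* A freshly created pipe (our stand-in SMTP connection) is inherited by
     * whatever we exec... */
    printf("before: fd %d inherited by child = %d\n", p[1], fd_survives_exec(p[1]));
    /* ...until the daemon does what sendmail 8.14.9 now does before a mailer runs. */
    set_cloexec_from(3);
    printf("after:  fd %d inherited by child = %d\n", p[1], fd_survives_exec(p[1]));
    return 0;
}
```

Sweeping the descriptor table just before exec closes the hole after the fact; creating sockets and files with SOCK_CLOEXEC/O_CLOEXEC from the start avoids the window entirely, and on OpenBSD closefrom(2) is the idiom when the descriptors should be closed rather than merely flagged.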


OpenSSL Releases Bugfixes, Advance Notice To Some Vendors But Not OpenBSD
Contributed by pitrh on Thu Jun 5 20:09:51 2014 (GMT)
from the Bugfix Ha! Bugfix Ho! dept.

Earlier today the OpenSSL project released multiple upgrade versions with fixes for several recently reported bugs in their code base.

The most noteworthy thing is not that the OpenSSL project fixes bugs, but rather that information about the bugs had been privately communicated to a list of vendors that did not include OpenBSD. A seclist discussion reveals the full timeline, while the OpenBSD community's reaction can be gauged by this thread on misc@.


Call for Testing: Malloc Improvements
Contributed by tbert on Tue Jun 3 08:49:29 2014 (GMT)
from the loading-the-dice dept.

Otto Moerbeek (otto@) continues his mastery of all things memory allocation, extending some of the libc malloc features to has a very basic malloc. This diff changes it to use a (somewhat stripped) libc malloc with all the randomization and other goodness.


BSDNow Episode 039: The Friendly Sandbox
Contributed by tbert on Fri May 30 17:04:13 2014 (GMT)
from the where-are-the-puns-about-drunken-ghosts dept.

In this week's episode of BSDNow, the fellas interview John Anderson about Capsicum sandboxing, present a tutorial about securing DNS lookups, and go over the week's news and events.



BSDCan 2014 Videos Online (Updated)
Contributed by tbert on Tue Jun 3 20:53:21 2014 (GMT)
from the video(4)-killed-the-radio(4)-star dept.

Via the fine folks at BSDNow, videos from BSDCan are finally being made available (Updated):


Theo de Raadt and Bob Beck to Present at the Calgary UUG
Contributed by tbert on Tue May 27 06:03:49 2014 (GMT)
from the life-is-an-information-superhighway dept.

A bit late ourselves on a late announcement, but Theo de Raadt (deraadt@) and Bob Beck (beck@) will be giving a presentation in Calgary:

I'm sorry for the late public announcement...

Tomorrow (Tuesday) Bob Beck will be hurtling down the Highway from Edmonton to Calgary.

Then in the evening, he and I will present at the local Calgary Unix group meeting about recent changes in LibreSSL, OpenBSD, and how the OpenBSD Foundation fits into this.

Anyone in the area who is able to attend probably should.


How to block traffic by country-IPs?
Contributed by tbert on Sat Jun 7 01:00:12 2014 (GMT)
from the blocking the blockable blockheads dept.

Stefan Wollny wrote in with this blocking by regions article:

Every now and then the same question arises on the mailing lists: "How to block traffic from a country altogether?" While this is a "no-go" in a business-minded environment, this question may be valid for a private network. If you have not the slightest doubt that there has never been and will never be any contact with servers located, e.g., in Belarus, it might rightfully be assumed that blocking IPs related to Belarus should not only do no harm but will also improve the security of your home network a little bit.


Preventing the next Heartbleed
Contributed by tbert on Mon May 26 08:01:02 2014 (GMT)
from the keys-to-the-kingdom dept.

An Anonymous Coward writes in to tell us about sightings of secrets-related privsep in the wild:

The developer known by the pseudonym insane coder, who authored the popular pro-LibreSSL review LibreSSL: The good and the bad, has presented a solution for preventing common coding mistakes resulting in another Heartbleed:

To protect against exploiting such bugs, one should ensure that buffer overflows do not have access to memory containing private data. The memory containing private keys and similar kinds of data should be protected, meaning nothing should be allowed to read from them, not even the web server itself.

He then talks about using memory protection and process separation to isolate a server's private keys from anything which can be exploited to send them over the network.

This technique has already been utilized in a stunnel-like server, and it remains to be seen when others will follow.

Thanks for the tip, Anonymous Coward!

Astute readers will note that this technique has already been utilized in relayd(8) and smtpd(8).
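The scheme the submission describes, a separate process that holds the key and performs the private-key operation on request over a socket while the network-facing process never maps the key at all, is shown below as an added example. It is this editor's illustration, not code from insane coder's article, from the stunnel-like server mentioned, or from relayd(8) or smtpd(8). The key is a constructed 16-byte value, the "signing" operation is a keyed FNV-1a tag standing in for RSA/ECDSA, and the message format between the two processes is invented for the example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for reading the private key off disk; only the agent calls it. */
static size_t load_key(unsigned char *out, size_t cap)
{
    static const unsigned char demo_key[16] = {
        0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
        0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 };
    if (cap < sizeof demo_key) return 0;
    memcpy(out, demo_key, sizeof demo_key);
    return sizeof demo_key;
}

/* Toy keyed tag (FNV-1a over key||msg) standing in for RSA/ECDSA signing. Not a real MAC. */
static uint32_t keyed_tag(const unsigned char *key, size_t klen,
                          const unsigned char *msg, size_t mlen)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < klen; i++) { h ^= key[i]; h *= 16777619u; }
    for (size_t i = 0; i < mlen; i++) { h ^= msg[i]; h *= 16777619u; }
    return h;
}

/* Fixed-size messages between the two processes; len is checked on receipt. */
struct sign_req  { uint8_t len; unsigned char msg[64]; };
struct sign_resp { uint32_t tag; };

static int read_full(int fd, void *buf, size_t n)
{
    unsigned char *p = buf;
    for (size_t got = 0; got < n; ) {
        ssize_t r = read(fd, p + got, n - got);
        if (r <= 0) return -1;                   /* EOF or error: peer went away */
        got += (size_t)r;
    }
    return 0;
}

/* Key agent: the only process holding key bytes. It answers signing requests and
 * nothing else, so an over-read in the network-facing process finds no key to leak.
 * (A short write() of these few bytes on a local stream socket is not a practical
 * concern here; a production agent would still loop on it.) */
static void key_agent(int sock)
{
    unsigned char key[32];
    size_t klen = load_key(key, sizeof key);
    struct sign_req req; struct sign_resp resp;

    if (klen == 0) _exit(1);
    while (read_full(sock, &req, sizeof req) == 0) {
        if ((size_t)req.len > sizeof req.msg) break;  /* malformed request: refuse and exit */
        resp.tag = keyed_tag(key, klen, req.msg, req.len);
        if (write(sock, &resp, sizeof resp) != (ssize_t)sizeof resp) break;
    }
    _exit(0);
}

/* Fork the agent; returns the socket the network-facing side talks on. */
static int start_key_agent(pid_t *pid)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) return -1;
    if ((*pid = fork()) == -1) { close(sv[0]); close(sv[1]); return -1; }
    if (*pid == 0) { close(sv[0]); key_agent(sv[1]); }
    close(sv[1]);
    return sv[0];
}

/* Network-facing side: sends the bytes to be signed, receives only the tag. */
static int request_tag(int sock, const unsigned char *msg, size_t mlen, uint32_t *tag)
{
    struct sign_req req; struct sign_resp resp;
    if (mlen > sizeof req.msg) return -1;
    memset(&req, 0, sizeof req);
    req.len = (uint8_t)mlen;
    memcpy(req.msg, msg, mlen);
    if (write(sock, &req, sizeof req) != (ssize_t)sizeof req) return -1;
    if (read_full(sock, &resp, sizeof resp) == -1) return -1;
    *tag = resp.tag;
    return 0;
}

/* Worked exchange: start the agent, sign one message, shut the agent down. */
static int demo(uint32_t *tag_out)
{
    static const unsigned char msg[] = "ClientHello";
    pid_t pid;
    int rc, sock = start_key_agent(&pid);
    if (sock == -1) return -1;
    rc = request_tag(sock, msg, sizeof msg - 1, tag_out);
    close(sock);                                 /* agent reads EOF and exits */
    waitpid(pid, NULL, 0);
    return rc;
}
```

Two caveats a practitioner should keep in mind: the agent only helps if it validates every request and runs with fewer privileges than the process it serves (chroot, separate uid), and it turns a key-disclosure bug into a signing-oracle bug rather than removing the problem, since a compromised network process can still ask the agent to sign for as long as it is running. Short certificate lifetimes and revocation remain necessary.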


5.5 Errata #006: X Font Service Protocol Erratum
Contributed by phessler on Mon May 26 07:55:46 2014 (GMT)
from the accidentally-weaponized-comic-sans dept.

As described in an email from Errata-meister Tedu on OpenBSD-Announce:

X Font Service Protocol & Font metadata file handling issues in libXfont
    CVE-2014-0209: integer overflow of allocations in font metadata file parsing
    CVE-2014-0210: unvalidated length fields when parsing xfs protocol replies
    CVE-2014-0211: integer overflows calculating memory needs for xfs replies

Please see the advisory for more information.
Check out the build details after the break.
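The three CVEs name two bug classes: integer overflow when computing how much memory a reply needs, and length fields taken from the wire without validation. The following is an added example constructed for this page, using an invented reply layout rather than the real X Font Service encoding and nothing from libXfont's source. It puts the wrapping size computation next to a parser that checks each length against the arithmetic's range and against the bytes actually received before it allocates or copies anything.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed reply layout used only for this illustration (not the real xfs
 * encoding): [count: u32 big-endian][entry_len: u16 big-endian][entries...] */
#define HDR_LEN 6

static uint32_t rd32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static uint16_t rd16(const unsigned char *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* The overflow pattern: the allocation size is computed in 32-bit arithmetic
 * and wraps before malloc ever sees it, so a huge count yields a tiny buffer
 * that the copy loop then overruns. Returned here rather than allocated so
 * the wrap can be observed without triggering the overrun. */
static uint32_t unsafe_alloc_size(uint32_t count, uint16_t entry_len)
{
    return count * entry_len;                       /* silently wraps modulo 2^32 */
}

/* Hardened parser: every length from the wire is checked against the
 * arithmetic's range and against the bytes actually received before any
 * allocation or copy. Returns a malloc'd copy of the entries (caller frees),
 * or NULL if the reply is malformed. On OpenBSD 5.5 and later, reallocarray(3)
 * performs the SIZE_MAX / n check for you. */
static unsigned char *parse_reply(const unsigned char *buf, size_t len, size_t *out_len)
{
    uint32_t count;
    uint16_t entry_len;
    size_t need;
    unsigned char *out;

    if (len < HDR_LEN)
        return NULL;                                /* truncated header */
    count = rd32(buf);
    entry_len = rd16(buf + 4);
    if (entry_len == 0)
        return NULL;                                /* nonsensical entry size */
    if (count > SIZE_MAX / entry_len)
        return NULL;                                /* count * entry_len would overflow */
    need = (size_t)count * entry_len;
    if (need > len - HDR_LEN)
        return NULL;                                /* claims more data than was received */
    out = malloc(need ? need : 1);
    if (out == NULL)
        return NULL;
    memcpy(out, buf + HDR_LEN, need);
    *out_len = need;
    return out;
}

/* Build a reply with an arbitrary header so that malformed ones can be constructed. */
static size_t build_reply(unsigned char *dst, size_t cap, uint32_t count, uint16_t entry_len,
                          const unsigned char *payload, size_t plen)
{
    if (cap < HDR_LEN + plen)
        return 0;
    dst[0] = (unsigned char)(count >> 24);    dst[1] = (unsigned char)(count >> 16);
    dst[2] = (unsigned char)(count >> 8);     dst[3] = (unsigned char)count;
    dst[4] = (unsigned char)(entry_len >> 8); dst[5] = (unsigned char)entry_len;
    memcpy(dst + HDR_LEN, payload, plen);
    return HDR_LEN + plen;
}
```

The order of the checks matters: the header must be known to be present before its fields are read, the multiplication must be known not to overflow before its result is trusted, and the result must be bounded by what was actually received before anything is allocated from it. A count of 0x40000000 with 4-byte entries wraps the unchecked computation to zero; the checked parser rejects the same reply as claiming more data than it carries.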


Older Stuff
Monday, May 26
05:14 OpenBSD Developer Bob Beck Interviewed on BSDTalk (6)
Friday, May 23
18:11 BSDNow Episode 38: A BUG's life (2)
Wednesday, May 21
10:02 OpenBSD Webcast on O'Reilly (3)
08:07 EuroBSDCon 2014 submissions deadline extended until June 2nd, 2014 (0)
Tuesday, May 20
10:10 OpenBSD Presentations from BSDCan Online (1)
07:01 BSDNow interview with bcallah@ and abieber@ (0)
Monday, May 19
16:39 Conference Report: BSDCan 2014 (0)
Saturday, May 17
17:04 BSDCan 2014 Day 2: LibreSSL, mandoc (1)
11:56 The First Ever LibreSSL Status Report (the first 30 days) (5)



Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. Some icons from used with permission from Kathleen. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. Search engine is ht://Dig. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]