Oct 15 OpenBSD errata and LibreSSL releases
16 October, 2015 by tedu@tedunangst.com | openbsd
The OBJ_obj2txt function in libcrypto contains a one-byte buffer overrun and a memory leak, as reported by Qualys Security. This can be abused by an attacker to cause a denial of service in some cases. Patches are now available for OpenBSD, as well as new releases of LibreSSL portable.

OpenBSD 5.6, 5.7, and 5.8 are affected, as well as all releases of LibreSSL.

Note that in addition to the instructions to rebuild libcrypto in the patch, some binaries may link statically with libcrypto (isakmpd, iked, ...) and need rebuilding as well, and services need to be restarted.

OpenBSD patches:
http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/033_obj2txt.patch.sig
http://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/019_obj2txt.patch.sig
http://ftp.openbsd.org/pub/OpenBSD/patches/5.8/common/007_obj2txt.patch.sig

LibreSSL releases:
http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.0.6.tar.gz
http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.1.8.tar.gz
http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.2.4.tar.gz

There will be a libressl-2.3.1 release coming, but as a reminder it's still a development branch. (The OpenBSD patches should apply to 2.3.0 as well.)

With the release of OpenBSD 5.8 in a few days, 5.6 will be officially retired from support, and along with it LibreSSL 2.0. Hopefully, this will be the last release in that line.