OpenBSD errata, Dec 3, 2015
4 December, 2015 by beck@openbsd.org | openbsd
Four new OpenSSL CVEs were released today, which OpenSSL deemed to be not of sufficient severity to warrant advance disclosure. OpenBSD/LibreSSL is not vulnerable to two of these CVEs.

CVE-2015-1393: Recently introduced in OpenSSL only. We did not merge this because it gave miod@ a bad feeling.

CVE-2015-1394: NULL pointer dereference in client side certificate validation. It was reported to OpenSSL on Aug 27, 2015, and kept secret from the community until Dec 3, 2015 by OpenSSL and the reporter of the bug.

CVE-2015-1395: Memory leak in PKCS7 - not reachable from TLS/SSL.

CVE-2015-1396: String handling bug in code we deleted long ago, using a function all uses of which were flensed from LibreSSL shortly after its creation.

Fixes have been committed for both CVE-2015-1394 and CVE-2015-1395. CVE-2015-1394 warrants an errata.

The errata for CVE-2015-1394 is available for OpenBSD 5.8 and OpenBSD 5.7 from the master site as well as the mirrors:

http://ftp.openbsd.org/pub/OpenBSD/patches/5.8/common/009_clientcert.patch.sig
http://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/021_clientcert.patch.sig