libcrypto errata update

2016-05-29 Thread Brent Cook
A bug in the previous libcrypto errata caused an error when reading ASN.1 elements over 16kb. Patches for OpenBSD are available. Updated LibreSSL-portable releases will be available later. http://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/009_crypto.patch.sig http://ftp.openbsd.org/pub

Re: libcrypto errata

2016-05-03 Thread Ted Unangst
Ted Unangst wrote: > http://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/005_crypto.patch.sig There is an additional chunk in this diff, for s3_pkt.c, that should have not been included. It adds a memset that will zero a buffer after libssl is done using it to prevent info leaks. As far as I kno

libcrypto errata

2016-05-03 Thread Ted Unangst
OpenSSL announced several issues today that also affect LibreSSL. - Memory corruption in the ASN.1 encoder (CVE-2016-2108) - Padding oracle in AES-NI CBC MAC check (CVE-2016-2107) - EVP_EncodeUpdate overflow (CVE-2016-2105) - EVP_EncryptUpdate overflow (CVE-2016-2106) - ASN.1 BIO excessive memory