A bug in the previous libcrypto errata caused an error when reading
ASN.1 elements over 16kb.
Patches for OpenBSD are available. Updated LibreSSL-portable releases
will be available later.
http://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/009_crypto.patch.sig
http://ftp.openbsd.org/pub
Ted Unangst wrote:
> http://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/005_crypto.patch.sig
There is an additional chunk in this diff, for s3_pkt.c, that should not have
been included. It adds a memset that will zero a buffer after libssl is done
using it to prevent info leaks. As far as I kno
OpenSSL announced several issues today that also affect LibreSSL.
- Memory corruption in the ASN.1 encoder (CVE-2016-2108)
- Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
- EVP_EncodeUpdate overflow (CVE-2016-2105)
- EVP_EncryptUpdate overflow (CVE-2016-2106)
- ASN.1 BIO excessive memory