Hi,
Maybe I'm overlooking something, but in the rebuild and install instructions, shouldn't it say
cd /usr/src/lib/libcrypto
instead of
cd src/lib/libcrypto
Best,
André Schneider
On 16.10.2015 02:29, Ted Unangst wrote:
The OBJ_obj2txt function in libcrypto contains a one byte buffer overrun and memory leak, as reported by Qualys Security. This can be abused by an attacker to cause a denial of service in some cases.
Patches are now available for OpenBSD as well as new releases of LibreSSL portable. 5.6, 5.7, and 5.8 are affected, as well as all releases of LibreSSL.
Note that in addition to the instructions to rebuild libcrypto in the patch, some binaries may link statically with libcrypto (isakmpd, iked, ...) and need rebuilding as well. And services restarted.
OpenBSD patches:
http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/033_obj2txt.patch.sig
http://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/019_obj2txt.patch.sig
http://ftp.openbsd.org/pub/OpenBSD/patches/5.8/common/007_obj2txt.patch.sig
LibreSSL releases:
http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.0.6.tar.gz
http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.1.8.tar.gz
http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.2.4.tar.gz
There will be a libressl-2.3.1 release coming, but as a reminder it's still a development branch. (The OpenBSD patches should apply to 2.3.0 as well.)
With the release of OpenBSD 5.8 in a few days, 5.6 will be officially retired from support, and along with it LibreSSL 2.0. Hopefully, this will be the last release in that line.