On Thu, Oct 15, 2015 at 08:29:25PM -0400, Ted Unangst wrote:
> The OBJ_obj2txt function in libcrypto contains a one byte buffer overrun
> and memory leak, as reported by Qualys Security. This can be abused by an
> attacker to cause a denial of service in some cases.
>
> Patches are now available for OpenBSD as well as new releases of LibreSSL
> portable. 5.6, 5.7, and 5.8 are affected, as well as all releases of LibreSSL.
>
> Note that in addition to the instructions to rebuild libcrypto in the patch,
> some binaries may link statically with libcrypto (isakmpd, iked, ...) and need
> rebuilding as well. And services restarted.

Ted, which binaries exactly need to be rebuilt? isakmpd, iked, ftp(?), something else?

> OpenBSD patches:
> http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/033_obj2txt.patch.sig
> http://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/019_obj2txt.patch.sig
> http://ftp.openbsd.org/pub/OpenBSD/patches/5.8/common/007_obj2txt.patch.sig
>
> LibreSSL releases:
> http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.0.6.tar.gz
> http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.1.8.tar.gz
> http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.2.4.tar.gz
>
> There will be a libressl-2.3.1 release coming, but as a reminder it's still a
> development branch. (The OpenBSD patches should apply to 2.3.0 as well.)
>
> With the release of OpenBSD 5.8 in a few days, 5.6 will be officially retired
> from support, and along with it LibreSSL 2.0. Hopefully, this will be the last
> release in that line.