Contributed by phessler on from the only-a-few-empty-stomachs dept.
We have released LibreSSL 2.0.5, which should be arriving in the LibreSSL directory of an OpenBSD mirror near you. This version forward-ports security fixes from OpenSSL 1.0.1i, including fixes for the following CVEs: CVE-2014-3506
CVE-2014-3507
CVE-2014-3508 (partially vulnerable)
CVE-2014-3509
CVE-2014-3510
CVE-2014-3511
LibreSSL 2.0.4 was not found vulnerable to the following CVEs: CVE-2014-5139
CVE-2014-3512
CVE-2014-3505
We welcome feedback and support from the community as we continue to work on LibreSSL. Thank you, Brent
(Comments are closed)
By Sum Yung Gai (156.33.241.9) sumgai@cmosnetworks.com on
By Anonymous Coward (2601:b:be00:aa0:f02e:29c1:c4f:3846) on
Comments
By Anonymous Coward (2601:6:51c0:e1:f80f:d9c8:f83c:55d1) on
Really? That's your characterization of the work they've been doing?
Comments
By Anonymous Coward (2601:b:be00:aa0:f02e:29c1:c4f:3846) on
>
> Really? That's your characterization of the work they've been doing?
>
>
>
>
>
Not all their work of course. Sure sounds like it for some parts though.
Comments
By Anonymous Coward (47.20.47.225) on
> >
> > Really? That's your characterization of the work they've been doing?
> >
> >
> >
> >
> >
>
>
> Not all their work of course. Sure sounds like it for some parts though.
>
Hey, they ripped out alot of shit that wouldn't pass real code audits in a fit of rage.
Comments
By Anonymous Coward (2601:6:51c0:e1:d115:e67b:2b3f:e04e) on
> > >
> > > Really? That's your characterization of the work they've been doing?
> > >
> > >
> > >
> > >
> > >
> >
> >
> > Not all their work of course. Sure sounds like it for some parts though.
> >
>
> Hey, they ripped out alot of shit that wouldn't pass real code audits in a fit of rage.
I guess I have a differing definition of the word "rage". ;)
By phessler (phessler) on http://www.openbsdfoundation.org/donations.html
>
> Really? That's your characterization of the work they've been doing?
>
>
>
>
>
I've seen them do the work. Some of it was glee. Some of it was disgust. And some of it was "who the hell let these people near a compiler?!?"
By Shawn Lesniak (208.87.217.74) on https://twitter.com/shawnlesniak
CVE-2014-5139 and CVE-2014-3512, affects SRP code which was AFAIK removed. Relevant commit: https://github.com/libressl-portable/openbsd/commit/45a6be50c3f81557a4a58e0d4ae470954a5247ab
The commit log mentions that there is a bug that they can't talk about so they may have had advanced warning about it.
CVE-2014-3505 refers to a double-free in DTLS which seems to have been fixed rather than removed entirely.
CVE-2014-3508 is a pretty printing bug. I know there was a lot of asprintf conversions and other error printing cleanups, so I believe that was audited/enhanced rather than removed but I haven't looked at the exact vulnerable codepath.
Comments
By Philip Guenther (76.253.0.176) guenther@openbsd.org on
>
> CVE-2014-5139 and CVE-2014-3512, affects SRP code which was AFAIK removed. Relevant commit: https://github.com/libressl-portable/openbsd/commit/45a6be50c3f81557a4a58e0d4ae470954a5247ab
>
> The commit log mentions that there is a bug that they can't talk about so they may have had advanced warning about it.
>
> CVE-2014-3505 refers to a double-free in DTLS which seems to have been fixed rather than removed entirely.
>
> CVE-2014-3508 is a pretty printing bug. I know there was a lot of asprintf conversions and other error printing cleanups, so I believe that was audited/enhanced rather than removed but I haven't looked at the exact vulnerable codepath.
Yes, exactly. (Nice summary)
For -3508, one of the involved paths had been converted to snprintf() and could no longer leave the buffer unterminated, but we hadn't changed the other. Darn.
By journeysquid (Tor) on http://www.bsdnow.tv/
https://secure.freshbsd.org/commit/openbsd/1e7c252ae16682a34d488bfe39c499fcda6086ee
https://secure.freshbsd.org/commit/openbsd/98185a5338304870e47c812b6f62d56be7b9ab84