Contributed by phessler on from the it-must-be-tuesday dept.
OpenSSL announced several issues today that also affect LibreSSL.

- Memory corruption in the ASN.1 encoder (CVE-2016-2108)
- Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
- EVP_EncodeUpdate overflow (CVE-2016-2105)
- EVP_EncryptUpdate overflow (CVE-2016-2106)
- ASN.1 BIO excessive memory allocation (CVE-2016-2109)

Thanks to OpenSSL for providing information and patches. Refer to https://www.openssl.org/news/secadv/20160503.txt

Patches for OpenBSD are available:

http://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/005_crypto.patch.sig
http://ftp.openbsd.org/pub/OpenBSD/patches/5.8/common/013_crypto.patch.sig
By foo (151.67.35.51) on
I am tracking OPENBSD_5_9 with anoncvs, but I don't know how to discover what has been updated. For example, I got this SSL patch with anoncvs but if I don't read the errata I don't know what is changed and needs to be rebuilt!
Is there a place to find all the updates to the 5.9-stable branch?
I mean a website or log in the src tree...
How do you track -stable?
By Anonymous Coward (84.170.132.130) on
> I am tracking OPENBSD_5_9 with anoncvs, but I don't know how to discover what has been updated. For example, I got this SSL patch with anoncvs but if I don't read the errata I don't know what is changed and needs to be rebuilt!
>
> Is there a place to find all the updates to the 5.9-stable branch?
> I mean a website or log in the src tree...
>
> How do you track -stable?
>
What I do is I 1. start with the release sources, then 2. download 5.9.tar.gz from ftp.eu.openbsd.org in the /pub/OpenBSD/patches directory. This contains all patches for the tree and gives commands at the top on how to apply the patches. There is also a signify string at the top of each patch that will fail if the signature for release is not right. So I usually go through each patch one round doing the signify for each applied patch; this is a copy/paste effort. Then I go through each patch again doing the make install commands that are listed. Another copy/paste effort. At the end of the patches that I've done I sometimes do a touch DONE_005 to indicate that I've done up to patch 005, so that when I download 5.9.tar.gz again and there are new patches in it I know which one to start with. Hope that helps.
By foo (151.67.112.203) on
By loreb (87.15.27.78) on
Right after you update your source,
run something along the lines of "find /usr/src -mtime -1 | something",
where "something" is supposed to filter out spurious results.
I can't test it right now, but iirc you'll need to filter at least
CVS/Entries.
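
The approach in the comment above, written out as an added example (not part of the original post). It goes a step further by comparing against a stamp file instead of `-mtime -1` and by reducing the result to the subtrees that changed; the stamp path `/var/tmp/cvs.stamp` and the function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: list what an anoncvs update touched, so only those parts
# of the tree need to be reviewed and rebuilt.
#
# Assumed workflow (stamp path is a placeholder chosen for this example):
#   touch /var/tmp/cvs.stamp
#   cd /usr/src && cvs -q up -Pd -r OPENBSD_5_9
#   changed_subtrees /var/tmp/cvs.stamp

# changed_since STAMP [SRCDIR]
# Print regular files under SRCDIR (default /usr/src) modified after STAMP,
# as paths relative to SRCDIR.
changed_since() {
    stamp=$1
    src=${2:-/usr/src}
    src=${src%/}
    if [ ! -f "$stamp" ]; then
        echo "missing stamp file: $stamp" >&2
        return 1
    fi
    # -prune skips every CVS/ administrative directory (Entries, Root, ...),
    # which cvs rewrites on each update and which would otherwise show up
    # as spurious results.
    find "$src" -name CVS -type d -prune -o -type f -newer "$stamp" -print |
        sed "s|^$src/||" | sort
}

# changed_subtrees STAMP [SRCDIR]
# Reduce the file list to the first two path components, for example
# lib/libcrypto, which is the directory level most rebuilds start from.
changed_subtrees() {
    files=$(changed_since "$@") || return 1
    [ -n "$files" ] || return 0
    printf '%s\n' "$files" |
        awk -F/ '{ print (NF > 2 ? ($1 "/" $2) : $1) }' | sort -u
}
```

The subtree list only shows where files changed; the errata notice remains the authority on which build and install commands to run.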
By Anonymous Coward (84.170.140.164) on
AFAIK -stable branch is just these errata patches and nothing more. If you're looking for new code it's probably in -current. However you can use cvs with the diff and -r arguments to see what exactly has changed since you updated the -stable. If you look at http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/, at the bottom there are tags of the development. I'd do 'cvs diff -r OPENBSD_5_9_BASE -u' if you were on 5.9-stable (which is really the OPENBSD_5_9 tag); do this at /usr/src and it will recursively find all changes afaik. Save that to a file and then you can go through it and see what changes were made. Perhaps you need a little bit of instinct for what part is which in the cvs tree, so perhaps learning the source tree is of help here.
Hope that helps.
By rjc (rjc) on
No, it is *not* - http://www.openbsd.org/stable.html
> Hope that helps.
No, you spread misinformation :^)
Raf
By Anonymous Coward (84.170.140.164) on
>
> No, it is *not* - http://www.openbsd.org/stable.html
>
> > Hope that helps.
>
> No, you spread misinformation :^)
>
> Raf
I'm sorry Raf, you got me! I prefer calling it a half truth, since I thought I was productive hinting at the cvs diff. I will however crawl under a rock now.
By Otto Moerbeek (otto) on http://www.drijf.net
You can follow the src-changes mailing list and make some filter for the stable branches, or on twitter @OpenBSD_stable, which only mentions -stable commits.
By Anonymous Coward (151.67.68.131) on
Thanks for the info about the twitter profile!
In the meantime I am rebuilding the whole system every time there is a patch...
By foo (151.67.119.21) on
On the twitter profile I see a lot of activity on ports... do you build updated packages as well, or should I rebuild the updated ports after cvs-ing -stable?