OpenBSD Journal

y Patch 007: ASN.1

Contributed by jose on from the super-security-fixes dept.

Daniel Tams writes: "Please put up a post about the latest two patches, 007 and 008. It's a bit of a botch that those patches first appeared on openbsd.org/errata.html today, although they were issued four days ago. Because it is not the first time errata.html is late to inform of new patches, I usually rely on deadly.org to inform me of new patches."

The text from errata reads: "The use of certain ASN.1 encodings or malformed public keys may allow an attacker to mount a denial of service attack against applications linked with ssl(3). This does not affect OpenSSH."

Patches for 3.2-stable and 3.3-stable are below:

patches/3.3/common/007_asn1.patch

patches/3.2/common/020_asn1.patch
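The errata text describes malformed ASN.1 input causing a denial of service in programs linked with ssl(3). As an added example (not OpenSSL or OpenBSD code), here is a small strict DER reader in Python that checks every claimed length against the bytes actually present and refuses indefinite or non-minimal length encodings, returning an error instead of reading past the buffer; the sample encodings at the bottom are constructed.

```python
# Added example, not ssl(3) code: a strict DER reader that refuses bad lengths.
class DerError(ValueError):
    """Any encoding the strict reader refuses to process."""

def read_tlv(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Return (tag, value, next_pos); every length is checked against buf."""
    if pos + 2 > len(buf):
        raise DerError("truncated header")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise DerError("multi-byte tags not supported")
    first, pos = buf[pos + 1], pos + 2
    if first < 0x80:                      # short form: length in one byte
        length = first
    elif first == 0x80:
        raise DerError("indefinite length is not valid DER")
    else:                                 # long form: low bits = byte count
        nbytes = first & 0x7F
        if nbytes > 4 or pos + nbytes > len(buf):
            raise DerError("bad or truncated length field")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        if length < 0x80 or buf[pos] == 0:
            raise DerError("non-minimal length encoding")
        pos += nbytes
    if length > len(buf) - pos:           # the check a crash-prone parser skips
        raise DerError("length exceeds available data")
    return tag, buf[pos:pos + length], pos + length

def parse_sequence(buf: bytes, max_items: int = 64) -> list[tuple[int, bytes]]:
    """Parse one top-level SEQUENCE; return its children as (tag, value)."""
    tag, body, end = read_tlv(buf)
    if tag != 0x30 or end != len(buf):
        raise DerError("expected a single SEQUENCE covering the input")
    items, pos = [], 0
    while pos < len(body):
        if len(items) >= max_items:       # bound work on hostile input
            raise DerError("too many elements")
        tag, value, pos = read_tlv(body, pos)
        items.append((tag, value))
    return items

def is_well_formed(buf: bytes) -> bool:
    try:
        parse_sequence(buf)
        return True
    except DerError:
        return False
# Constructed samples: SEQUENCE { INTEGER 5, INTEGER 7 }, then two malformed.
GOOD = bytes.fromhex("3006020105020107")
BAD_LENGTH = bytes.fromhex("3084ffffffff020105")  # claims 4 GiB of content
INDEFINITE = bytes.fromhex("30800201050000")      # BER indefinite, not DER
```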



Comments
  1. By Z-Blocker () superspam@pi.be on mailto:superspam@pi.be

    There are too many patches these days.
    In a production environment this is a bit of a hassle.
    Especially recompiling all those things.
    How do you guys handle those patches? Or don't you patch it all because of the situation?

    Z

    Comments
    1. By Gerardo Santana Gómez Garrido () santana at openbsd.org.mx on http://www.openbsd.org.mx/~santana/

      Many patches in a small period of time certainly, but never too many IMO.

      I use binary patches of course ;) [http://www.openbsd.org.mx/en/projects/binpatch.html] to update my servers. I started to build them for myself, but I'm publishing them at request of some users.

      You could prefer downloading the framework instead and build binary patches in a machine you trust, and then apply them to the rest of your servers.

      BTW, I've fixed some broken links at our site. We have AnonCVS, CVSWeb and FTP service now. Thanks go to selerius [http://www.codefusionis.org] who is hosting us.

      On the other hand, I'd like to hear some feedback from binpatch users. I'm thinking of starting a service for automating updates. It would require some resource$ (hard disks, more archs, bandwidth) so I need to be sure it will be useful for a good number of users.

      Comments
      1. By Z-Blocker () superspammer@pi.be on mailto:superspammer@pi.be

        This is nice.
        I wonder why the OpenBSD project is not doing this.
        These kinds of things keep people away from OpenBSD as other operating systems have a better way of handling patches mostly.
        In an ideal situation a user or administrator would be able to patch the system without recompiling things. (or even without downtime :P )

        Z

      2. Comments
        1. By Anonymous Coward () on

          You are a god-send

    2. By Daniel Tams () on

      I have one machine for compiling the binaries. After patching and compiling a program, I copy the affected binaries over to my production machine, which doesn't have any sources or the compilation tools itself.

    3. By pravus () on

      i must say that after spending some time in a Windows environment, i'll welcome a few patches every now and again for OpenBSD. compared to the hoops you have to jump through to patch Windows systems, OpenBSD is a snap... especially if you dedicate one machine to building and then distribute from there. simple and efficient.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]