Contributed by jose on from the super-security-fixes dept.
The text from errata reads: The use of certain ASN.1 encodings or malformed public keys may allow an attacker to mount a denial of service attack against applications linked with ssl(3). This does not affect OpenSSH.
Patches for 3.2-stable and 3.3-stable are below:
patches/3.3/common/007_asn1.patch
patches/3.2/common/020_asn1.patch
By Z-Blocker () superspam@pi.be on mailto:superspam@pi.be
In a production environment this is a bit of a hassle.
Especially recompiling all those things.
How do you guys handle those patches? Or don't you patch it all because of the situation?
Z
Comments
By Gerardo Santana Gómez Garrido () santana at openbsd.org.mx on http://www.openbsd.org.mx/~santana/
Many patches in a small period of time certainly, but never too many IMO.
I use binary patches of course ;) [http://www.openbsd.org.mx/en/projects/binpatch.html] to update my servers. I started to build them for myself, but I'm publishing them at the request of some users.
You could prefer downloading the framework instead and building binary patches on a machine you trust, and then applying them to the rest of your servers.
BTW, I've fixed some broken links at our site. We have AnonCVS, CVSWeb and FTP service now. Thanks go to selerius [http://www.codefusionis.org] who is hosting us.
On the other hand, I'd like to hear some feedback from binpatch users. I'm thinking of starting a service for automating updates. It would require some resource$ (hard disks, more archs, bandwidth) so I need to be sure it will be useful for a good number of users.
Comments
By Z-Blocker () superspammer@pi.be on mailto:superspammer@pi.be
I wonder why the OpenBSD project is not doing this.
These kinds of things keep people away from OpenBSD as other operating systems have a better way of handling patches mostly.
In an ideal situation a user or administrator would be able to patch the system without recompiling things. (or even without downtime :P )
Z
By Gerardo Santana Gómez Garrido () santana at openbsd.org.mx on http://www.openbsd.org.mx/~santana/
We have shut down the FTP service now in favor of HTTP:
http://www.openbsd.org.mx/pub/binpatch/
CVS Web: http://www.openbsd.org.mx/cvsweb/cvsweb.cgi/binpatch/