OpenBSD Journal

About latest bugs in OpenBSD

Contributed by jose on from the security-fixes dept.

Juanjo was one of several to write on this topic: "Both the ARP and OpenSSL bugs have been fixed in CVS (3.3 is the version I am using). The OpenSSL issue is recent, and maybe we'll see an advisory with a patch, but the ARP bug has been around for several days already.

What happens? Are those bugs not important enough to have an advisory? I know I can get the sources from CVS and update my 3.3 systems (I do binary updates so I can update systems without the resources to compile many things), but I think an official advisory is important so you have something to show: 'yeah, I've updated the system due to this'.

I hope it's not related to the system having other problems these days (well, the system as a software bundle)."

They've both been fixed in the 3.2 and 3.3 stable branches (and of course 3.4 and current), so if you have that code you're up to date. No advisories have been issued yet, however. The OpenSSL bug affects mod_ssl in Apache and possibly other SSL tools (including SMTP with TLS and ssldump, available in ports), so you should upgrade that if you're using SSL anywhere. However, the SSL bug does not affect OpenSSH, as it doesn't use any of the affected routines.
Update: The OpenBSD advisory is out now, read on for the contents.


Date: Fri, 03 Oct 2003 16:45:24 -0600
From: Todd C. Miller
To: security-announce@openbsd.org
Subject: DoS bugs in OpenSSL

The use of certain ASN.1 encodings or malformed public keys may
allow an attacker to mount a denial of service attack against
applications linked with ssl(3).  This does not affect OpenSSH.

For full details, please see the OpenSSL advisory:
http://www.openssl.org/news/secadv_20030930.txt
A fix has been committed to the OpenBSD 3.2 and 3.3 -stable
branches.  Patches are also available for OpenBSD 3.2 and 3.3.

Patch for OpenBSD 3.2:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/020_asn1.patch
Patch for OpenBSD 3.3:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/007_asn1.patch


Comments
  1. By netchan () deadly@netchan.cotse.net on mailto:deadly@netchan.cotse.net

    > The OpenSSL bug affects mod_ssl in Apache and possibly other SSL tools

    In general, when there's a bug in a library:

    - How can I identify which applications are affected? I played with ldd but I'm unsure how to check all binaries, etc. How do I find out anything about the statically linked ones?

    - Do I have to recompile all of those? In case of dynamically linked libraries, is it sufficient to just restart the affected apps/daemons?

    Comments
    1. By schubert () on http://schubert.cx/

      Yeah, it can be a hassle to identify which applications are affected. I'm lazy, so I wrote a script to sort of take the pain away:

      http://schubert.cx/src/librarytracker-0.2.tar.gz

      That's the initial version of it; if you find a better way to do this, let me know.

      In the case of static binaries, yes, you have to recompile them. In the case of dynamic libraries you just need to restart any processes that use those libraries if they are currently running AFTER you install the new dynamic library.

      Comments
    2. By Anonymous Coward () on

      Most apps that use OpenSSL don't use the affected functions (ASN.1)
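    The two questions above (which binaries pull in the patched library, and which of them have to be restarted versus rebuilt) can be answered from `ldd` output and a process list. The script below is an added example written for this page; it is not code from the post and not schubert's librarytracker. It assumes the OpenBSD/Linux naming `libssl.so*` / `libcrypto.so*`, that `ldd` prints "not a dynamic executable" for static binaries (both OpenBSD and glibc do), and that `ps -axo comm=` lists one command per line; the `ldd` and `ps` output it ships with is constructed sample data so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the post or from schubert's librarytracker.
# Classify binaries by their ldd output, then cross-check the dynamic ones
# against a process list to find what must be restarted.
# Assumption: libraries are named libssl.so* / libcrypto.so* (OpenBSD, Linux).

DEFAULT_LIB_RE='lib(ssl|crypto)\.so'

# classify_ldd PATH LDD_OUTPUT [LIB_RE]
# "static PATH"  : ldd says the binary is not dynamic, so it must be recompiled.
# "dynamic PATH" : a matching shared library is listed, so installing the new
#                  library and restarting the process is enough.
# Prints nothing when the binary does not use the library at all.
classify_ldd() {
    path=$1; out=$2; lib_re=${3:-$DEFAULT_LIB_RE}
    if printf '%s\n' "$out" | grep -q 'not a dynamic executable'; then
        printf 'static %s\n' "$path"
    elif printf '%s\n' "$out" | grep -Eq "$lib_re"; then
        printf 'dynamic %s\n' "$path"
    fi
}

# scan_dir DIR [LIB_RE]: run ldd over every executable regular file under DIR
# and classify each one (real use; the samples below stand in for it offline).
scan_dir() {
    dir=$1; lib_re=${2:-$DEFAULT_LIB_RE}
    find "$dir" -type f -perm -u+x 2>/dev/null | while read -r f; do
        classify_ldd "$f" "$(ldd "$f" 2>&1)" "$lib_re"
    done
}

# needs_restart CLASSIFIED PS_OUTPUT: given classify_ldd lines and the output
# of `ps -axo comm=` (one command per line, full path or basename), print the
# dynamic binaries that currently have a running process.
needs_restart() {
    classified=$1; procs=$2
    printf '%s\n' "$classified" | awk '$1 == "dynamic" { print $2 }' | while read -r bin; do
        if printf '%s\n' "$procs" | grep -qxF -e "$bin" -e "${bin##*/}"; then
            printf '%s\n' "$bin"
        fi
    done
}

# Constructed sample ldd output: OpenBSD-style listing for httpd (links
# libssl/libcrypto), a statically linked /bin/sh, and a glibc-style listing
# for a binary that does not use OpenSSL. Addresses are placeholders.
SAMPLE_HTTPD='/usr/sbin/httpd:
        Start    End      Type Open Ref GrpRef Name
        00000000 00000000 exe  1    0   0      /usr/sbin/httpd
        00000000 00000000 rlib 0    1   0      /usr/lib/libssl.so.9.0
        00000000 00000000 rlib 0    2   0      /usr/lib/libcrypto.so.11.0
        00000000 00000000 rlib 0    1   0      /usr/lib/libc.so.30.1'
SAMPLE_SH='ldd: /bin/sh: not a dynamic executable'
SAMPLE_LS='        libc.so.6 => /lib/libc.so.6 (0x0000000000000000)'
# Constructed `ps -axo comm=` output: httpd is running, the others are not.
SAMPLE_PS='/usr/sbin/httpd
syslogd
cron'

# demo_classify: classify the three samples and return the result lines.
demo_classify() {
    classify_ldd /usr/sbin/httpd "$SAMPLE_HTTPD"
    classify_ldd /bin/sh "$SAMPLE_SH"
    classify_ldd /bin/ls "$SAMPLE_LS"
}

# demo_restart: which classified binaries have a live process right now.
demo_restart() {
    needs_restart "$(demo_classify)" "$SAMPLE_PS"
}

demo_classify
demo_restart
```

    On a real system the two pieces combine as `needs_restart "$(scan_dir /usr)" "$(ps -axo comm=)"` after the new library is installed: the `static` lines are the binaries that need a rebuild, and the printed `dynamic` paths are the daemons still holding the old library in memory. Matching on basename as well as full path covers process lists that show only the command name.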

  2. By Anonymous Coward () on

    My opinion is that those bugs deserve an advisory and a patch on http://www.openbsd.org/errata.html.

    Some may criticize OpenBSD for not doing full disclosure and for an attempt to hide those issues from their users.

    Comments
    1. By 0112 () on

      > Some may criticize OpenBSD for not full disclosure and an attempt to hide those issues from their users.

      No full disclosure of security vulnerabilities? I haven't seen the day. Show me where.

      The source tree changes EVERY DAY with fixes/updates that may fix an unknown security vulnerability. Subscribe to source-changes@ and ports-changes@ and stop spreading misinformation.

  3. By Anonymous Coward () on ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/comm

    What about ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/006_pfnorm.patch? That's been on the ftp site since yesterday. No announcement yet though. There is a similar patch for 3.2.

    Comments
    1. By Anonymous Coward () on

      So what stops you from checking OpenBSD/patches every once in a while?

      Comments
      1. By Gerardo Santana Gómez Garrido () santana at openbsd.org.mx on http://www.openbsd.org.mx/~santana/

        He has a point.

        You are not supposed to be monitoring OpenBSD/patches. That's what errata.html and security-announce@ are for.

  4. By Anonymous Coward () on

    I always perform a daily cvs update on the OPENBSD_3_4 branch; however, it always fetches revision 1.11 of asn1_lib.c, and I think the fix is committed in revision 1.12. How did this happen? Was this fixed on the OPENBSD_3_4 branch?

    Comments
    1. By Brian () on

      The best I can tell, these patches have not been committed to 3.4.

    2. By Anonymous Coward () on

      OPENBSD_3_4 will *not* be updated until Nov 1, or the official release date (if it is changed to be a few days earlier).

      Comments
      1. By Anonymous Coward () on

        3.4 has already received updates such as sendmail.

        Comments
        1. By tedu () on

          not quite the same. those patches were committed before the CDs were mastered.

  5. By Arrigo Triulzi () on http://www.alchemistowl.org/arrigo

    For those who can't upgrade their boxes to more recent versions of OpenBSD: I've tried pulling the patches off the OpenSSL CVS tree:

    http://cvs.openssl.org/chngview?cn=11470
    http://cvs.openssl.org/chngview?cn=11474

    but they don't work too well... I am not entirely sure how, but now I have this blasted mdc2dgst.c file which is not in the tree but which make wants.

    tempest# make depend
    ===> crypto
    make: don't know how to make mdc2dgst.c. Stop in /usr/src/lib/libssl/crypto.
    *** Error code 2

    Stop in /usr/src/lib/libssl.

    So, bottom line, for once I can't provide help for the users of older versions of OpenBSD :(
