Contributed by jose on from the security-fixes dept.
"What happens? Those bugs are not important enough to have an advisory? I know I can get the sources from the CVS and update my 3.3 systems (I do binary updates so I can update systems without resources to compile many things), but I think an official advisory is important so you have something to show: 'yeah, I've updated the system due to this'.
I hope it's not related to the system having other problems these days (well, the system as a software bundle)."
They've both been fixed in the 3.2 and 3.3 stable branches (and of course 3.4 and current), so if you have that code you're up to date. No advisories have been issued yet, however. The OpenSSL bug affects mod_ssl in Apache and possibly other SSL tools (including SMTP with TLS and ssldump, available in ports), so you should upgrade that if you're using SSL anywhere. However, the SSL bug does not affect OpenSSH, as it doesn't use any of the affected routines.
Update: The OpenBSD advisory is out now, read on for the contents.
Date: Fri, 03 Oct 2003 16:45:24 -0600
From: Todd C. Miller
To: security-announce@openbsd.org
Subject: DoS bugs in OpenSSL

The use of certain ASN.1 encodings or malformed public keys may allow an attacker to mount a denial of service attack against applications linked with ssl(3). This does not affect OpenSSH.

For full details, please see the OpenSSL advisory:
http://www.openssl.org/news/secadv_20030930.txt

A fix has been committed to the OpenBSD 3.2 and 3.3 -stable branches. Patches are also available for OpenBSD 3.2 and 3.3.

Patch for OpenBSD 3.2:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/020_asn1.patch

Patch for OpenBSD 3.3:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/007_asn1.patch
By netchan () deadly@netchan.cotse.net on mailto:deadly@netchan.cotse.net
In general, when there's a bug in a library:
- How can I identify which applications are affected? I played with ldd but I'm unsure how to check all binaries, etc. How do I find out anything about the statically linked ones?
- Do I have to recompile all of those? In case of dynamically linked libraries, is it sufficient to just restart the affected apps/daemons?
By schubert () on http://schubert.cx/
http://schubert.cx/src/librarytracker-0.2.tar.gz
initial version of that, if you find a better way to do this, let me know.
In the case of static binaries, yes you have to recompile them. In the case of dynamic libraries you just need to restart any processes that use those libraries if they are currently running AFTER you install the new dynamic library.
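The two questions above (which binaries pull in the patched library, and which running processes still hold the old copy) can be answered with a short script. The following is an added example, not code from this thread and not librarytracker; it assumes ldd(1) prints either the OpenBSD table ("Start End Type Open Ref GrpRef Name", one full path per object) or the glibc form ("libssl.so.1 => /usr/lib/libssl.so.1 (0x...)"), and that it reports "not a dynamic executable" for a static binary. The sample ldd output embedded in it is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not code from this thread nor from librarytracker.
# For one library name (e.g. libssl) it answers the two questions above:
#   1. which binaries link it dynamically (restart them after the upgrade),
#      which link it statically (ldd cannot see that; rebuild them), and
#   2. whether a running process predates the fixed library and therefore
#      still has the old copy mapped.
# Assumed ldd(1) output formats (both handled): the OpenBSD table
#   "Start End Type Open Ref GrpRef Name" with one full path per object, or
#   the glibc form "libssl.so.1 => /usr/lib/libssl.so.1 (0x...)", plus the
#   message "not a dynamic executable" for a static binary.

# classify_ldd LDD_OUTPUT LIBNAME -> prints static | dynamic:uses | dynamic:clean
classify_ldd() {
    out=$1
    lib=$2
    case $out in
    *"not a dynamic executable"*|*"statically linked"*)
        # A static binary carries its own copy of the library code, so the
        # fix only reaches it when it is relinked against the new library.
        echo static
        return 0
        ;;
    esac
    # Match "/libssl." so that asking for "libc" does not also match libcrypto.
    if printf '%s\n' "$out" | grep -F -q -- "/$lib."; then
        echo dynamic:uses
    else
        echo dynamic:clean
    fi
}

# scan_dir DIR LIBNAME -> one "<class> <path>" line per executable under DIR
scan_dir() {
    find "$1" -type f -perm -100 2>/dev/null | while read -r f; do
        case "$(file "$f" 2>/dev/null)" in
        *"statically linked"*)  echo "static $f" ;;
        *"dynamically linked"*) echo "$(classify_ldd "$(ldd "$f" 2>&1)" "$2") $f" ;;
        esac
        # scripts and data files fall through and are skipped
    done
}

# needs_restart LIB_MTIME PROC_START (both in seconds since the epoch)
# The loader maps the library file at exec time; replacing the file on disk
# leaves the OLD copy mapped in every process started before the install,
# so those processes must be restarted. Returns 0 (true) when that applies.
needs_restart() {
    [ "$2" -lt "$1" ]
}

# Constructed sample ldd output (not captured from a real system) so the
# classifier can be exercised without touching /usr/lib.
SAMPLE_OPENBSD='/usr/sbin/httpd:
        Start    End      Type Open Ref GrpRef Name
        00000000 00000000 exe  1    0   0      /usr/sbin/httpd
        00000000 00000000 rlib 0    1   0      /usr/lib/libssl.so.0.0
        00000000 00000000 rlib 0    1   0      /usr/lib/libcrypto.so.0.0
        00000000 00000000 rlib 0    1   0      /usr/lib/libc.so.0.0'
SAMPLE_GLIBC='        libssl.so.1 => /usr/lib/libssl.so.1 (0x00000000)
        libc.so.6 => /lib/libc.so.6 (0x00000000)'
SAMPLE_STATIC='ldd: /bin/sh: not a dynamic executable'

demo() {
    printf 'httpd (OpenBSD form), libssl: %s\n' "$(classify_ldd "$SAMPLE_OPENBSD" libssl)"
    printf 'glibc form, libcrypto: %s\n' "$(classify_ldd "$SAMPLE_GLIBC" libcrypto)"
    printf '/bin/sh: %s\n' "$(classify_ldd "$SAMPLE_STATIC" libssl)"
    # On a real system: scan_dir /usr/local/sbin libssl
}
demo
```

To feed needs_restart, take the library's mtime from stat(1) (`stat -f %m` on BSD, `stat -c %Y` on GNU) and the process start time from ps(1), both as epoch seconds. On Linux there is a more direct check: a line in /proc/PID/maps that names the library and ends in "(deleted)" means that process is still running the replaced file.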
By netchan () deadly@netchan.cotse.net on mailto:deadly@netchan.cotse.net
By Anonymous Coward () on
By Anonymous Coward () on
Some may criticize OpenBSD for not full disclosure and an attempt to hide those issues from their users.
By 0112 () on
and an attempt to hide those issues from their users.
No full disclosure of security vulnerabilities? I haven't seen the day. Show me where.
The source tree changes every day with fixes/updates that may fix an unknown security vulnerability. Subscribe to source-changes@ and ports-changes@ and stop spreading misinformation.
By Anonymous Coward () on ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/comm
By Anonymous Coward () on
By Gerardo Santana Gómez Garrido () santana at openbsd.org.mx on http://www.openbsd.org.mx/~santana/
He has a point.
You are not supposed to be monitoring OpenBSD/patches. That's what errata*.html and security-announce@ are for.
By Anonymous Coward () on
By Brian () on
By Anonymous Coward () on
By Anonymous Coward () on
By tedu () on
By Arrigo Triulzi () on http://www.alchemistowl.org/arrigo
http://cvs.openssl.org/chngview?cn=11470
http://cvs.openssl.org/chngview?cn=11474
but they don't work too well... I am not entirely sure how but now I have this blasted mdc2dgst.c file which is not in the tree but make wants.
tempest# make depend
===> crypto
make: don't know how to make mdc2dgst.c. Stop in /usr/src/lib/libssl/crypto.
*** Error code 2
Stop in /usr/src/lib/libssl.
So, bottom line, for once I can't provide help for the users of older versions of OpenBSD :(