Contributed by ray on from the CYA dept.
Thanks Damien for the update. Start your patching!

Some exploitable logic errors have been discovered in OpenSSL versions prior to 0.9.8j. These errors may permit an attacker to bypass validation of DSA/ECDSA certificates and conduct a "man in the middle" attack against SSL/TLS connections that use them. Fortunately, DSA and ECDSA certificates appear to be rarely used in practice.

This vulnerability has been designated CVE-2008-5077. More information is available from the OpenSSL project at:

http://www.openssl.org/news/secadv_20090107.txt

Source code patches are available for OpenBSD 4.3 and 4.4. -current has been updated to OpenSSL 0.9.8j.

Patch for OpenBSD 4.3:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/007_openssl.patch

Patch for OpenBSD 4.4:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/007_openssl.patch

These patches are also available in the OPENBSD_4_3 and OPENBSD_4_4 stable CVS branches.
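To make the "logic error" concrete: the OpenSSL advisory linked above describes the defect as a mis-checked return value in signature verification. EVP_VerifyFinal returns 1 for a good signature, 0 for a bad one and a negative value on error (for example a malformed signature encoding), and the affected callers treated anything non-zero as success, so an error was accepted like a valid signature. The C program below is an illustration added here; it is not OpenSSL code and not part of the original post. It models that tri-state return value with a stand-in function so it runs without OpenSSL installed; verify_sig_model, vulnerable_check and hardened_check are names made up for the example.

```c
#include <stdio.h>

/* Models the tri-state return convention documented for EVP_VerifyFinal:
 *   1  signature verified
 *   0  signature did not verify
 *  -1  an error occurred (e.g. malformed signature encoding)
 * Stand-in for the example only: it simply returns the requested outcome
 * instead of doing any cryptography. */
enum sig_outcome { SIG_BAD = 0, SIG_GOOD = 1, SIG_ERROR = -1 };

static int verify_sig_model(enum sig_outcome outcome)
{
    return (int)outcome;
}

/* Vulnerable pattern (the class of bug fixed in 0.9.8j): a boolean test on a
 * tri-state result. "if (!ret) fail;" rejects only 0, so -1 (error) is
 * treated exactly like 1 (success). Returns 1 if the signature is accepted. */
int vulnerable_check(enum sig_outcome outcome)
{
    int ret = verify_sig_model(outcome);
    if (!ret) {
        return 0;          /* rejected: only the "bad signature" case */
    }
    return 1;              /* accepted: reached for both 1 and -1 */
}

/* Hardened pattern: compare against the one documented success value.
 * A bad signature and an error path are both rejections. */
int hardened_check(enum sig_outcome outcome)
{
    int ret = verify_sig_model(outcome);
    if (ret != 1) {
        return 0;
    }
    return 1;
}

int main(void)
{
    const enum sig_outcome cases[] = { SIG_GOOD, SIG_BAD, SIG_ERROR };
    const char *names[] = { "good signature", "bad signature", "verification error" };

    for (int i = 0; i < 3; i++) {
        printf("%-20s vulnerable=%s hardened=%s\n", names[i],
               vulnerable_check(cases[i]) ? "ACCEPT" : "reject",
               hardened_check(cases[i])   ? "ACCEPT" : "reject");
    }
    return 0;
}
```

The "verification error" row is the one that matters: the vulnerable check accepts it, the hardened check does not. The same review rule applies to any API that returns an error code alongside a success/failure boolean; test for the success value, not for "not failure".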
By Anonymous Coward (87.106.79.175) on
Are there any patches for Bind required as well on OpenBSD?
Bind issued an update as well.
Thanks again for spending the time Damien!
By raw foo (80.249.194.29) on
By m (84.42.224.177) on
Thx
By Anonymous Coward (99.231.50.3) on
You could try the 4.3 patch on the 4.2 tree but you can't be sure it won't silently break something unless you know what you're doing.
However, it's harder to maintain an unsupported system than to upgrade to one that is supported, even if you do know what you're doing.
By Anonymous Coward (71.126.39.55) on
> You could try the 4.3 patch on the 4.2 tree but you can't be sure it won't silently break something unless you know what you're doing.
The patches for OpenBSD 4.4 and 4.3 are identical in this case (except for the timestamps on the patches, of course). Furthermore, the files that are patched did not change between OpenBSD 4.1 and 4.3. So, it's a pretty safe bet that the patches will also work on older versions of OpenBSD as far back as 4.1.
By Anonymous Coward (194.126.214.2) on
By Anonymous Coward (128.237.225.101) on
Try http://www.openbsd.org/errata43.html and http://www.openbsd.org/errata44.html
By tedu (udet) on
> Try http://www.openbsd.org/errata43.html
> and http://www.openbsd.org/errata44.html
woah, use the right address and you get the right info. who'd a thunk it?
By Brad (2001:470:b01e:3:216:41ff:fe17:6933) brad at comstyle dot com on
> > Try http://www.openbsd.org/errata43.html
> > and http://www.openbsd.org/errata44.html
>
> woah, use the right address and you get the right info. who'd a thunk it?
That would imply the address is "wrong" which it is not. The real problem is that cvs needs to have its web root synced up.