Day: March 19, 2015

[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-15:06.openssl

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:06.openssl Security Advisory
The FreeBSD Project

Topic: Multiple OpenSSL vulnerabilities

Category: contrib
Module: openssl
Announced: 2015-03-19
Affects: All supported versions of FreeBSD.
Corrected: 2015-03-19 17:40:43 UTC (stable/10, 10.1-STABLE)
           2015-03-19 17:42:38 UTC (releng/10.1, 10.1-RELEASE-p7)
           2015-03-19 17:40:43 UTC (stable/9, 9.3-STABLE)
           2015-03-19 17:42:38 UTC (releng/9.3, 9.3-RELEASE-p11)
           2015-03-19 17:40:43 UTC (stable/8, 8.4-STABLE)
           2015-03-19 17:42:38 UTC (releng/8.4, 8.4-RELEASE-p25)

OpenSSL 2015-03-19 Security Advisories – LibreSSL Largely Unaffected

The response to today’s much-anticipated unveiling of newly discovered OpenSSL vulnerabilities has been varied and loud as expected. However, the impact on the OpenBSD-initiated LibreSSL project’s code — which has undergone extensive cleanup since LibreSSL forked off OpenSSL’s code base in 2014 — appears to be limited. Out of a total of 13 CVEs in OpenSSL’s announcement, only five –

libre/openssl patches available

Patches are now available to fix a variety of issues in libcrypto and libssl.

For 5.6 and the forthcoming 5.7 release:
CVE-2015-0209 – Use After Free following d2i_ECPrivatekey error
CVE-2015-0286 – Segmentation fault in ASN1_TYPE_cmp
CVE-2015-0287 – ASN.1 structure reuse memory corruption
CVE-2015-0288 – X509_to_X509_REQ NULL pointer deref
CVE-2015-0289 – PKCS7 NULL pointer dereferences

For 5.5:
CVE-2015-0286 – Apply fix
