Date:      Tue, 8 Mar 2016 07:45:39 -0500
From:      Mike Tancsa <mike@sentex.net>
To:        Xin LI <delphij@freebsd.org>, src-committers@freebsd.org, "stable@freebsd.org" <stable@freebsd.org>
Subject:   Re: svn commit: r296462 - in stable/9: crypto/openssl/crypto/bio crypto/openssl/crypto/bn crypto/openssl/doc/apps crypto/openssl/ssl secure/usr.bin/openssl/man
Message-ID:  <56DEC973.5000106@sentex.net>
In-Reply-To: <201603071618.u27GI736079901@repo.freebsd.org>
References:  <201603071618.u27GI736079901@repo.freebsd.org>

Hi,
	I tried on 2 separate boxes, and sshd segfaults when this rev is applied.

	---Mike

On 3/7/2016 11:18 AM, Xin LI wrote:
> Author: delphij
> Date: Mon Mar  7 16:18:07 2016
> New Revision: 296462
> URL: https://svnweb.freebsd.org/changeset/base/296462
> 
> Log:
>   Fix multiple OpenSSL vulnerabilities as published in
>   OpenSSL advisory on 2016/03/01:
>   
>   constant-time MOD_EXP_CTIME_COPY_FROM_PREBUF.
>   [CVE-2016-0702, upstream d6482a8. 5ea08bd, d6d422e,
>   8fc8f48 317be63 skipped intentionally as we are not
>   using the code on FreeBSD.  Backport done by jkim@.
>   
>   Fix memory issues in BIO_*printf functions.
>   [CVE-2016-0799, upstream d889682, a801bf2].
>   
>   Fix BN_hex2bn/BN_dec2bn NULL ptr/heap corruption.
>   [CVE-2016-0797, upstream 8f65132].
>   
>   Disable SSLv2 in default negotiation and weak ciphers.
>   [CVE-2016-0800 "DROWN", upstream 56f1acf5].  Note that
>   support of SSLv2 is not removed in order to preserve
>   ABI compatibility, and application may still explicitly
>   ask for vulnerable protocol or ciphers.
>   
>   In collaboration with: jkim


-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/


