OpenBSD 5.4 errata 9, May 1, 2014:  An attacker can trigger generation
of an SSL alert which could cause a null pointer dereference.

Apply patch using:

   cat 009_openssl.patch | (cd /usr/src && patch -p0)

Then build and install libssl

   cd /usr/src/lib/libssl/ssl
   make obj
   make
   make install

Then restart services which depend on SSL.

Index: lib/libssl/src/ssl/s3_pkt.c
===================================================================
RCS file: /cvs/src/lib/libssl/src/ssl/s3_pkt.c,v
retrieving revision 1.19.4.1
retrieving revision 1.19.4.2
diff -u -p -r1.19.4.1 -r1.19.4.2
--- lib/libssl/src/ssl/s3_pkt.c 12 Apr 2014 17:00:53 -0000      1.19.4.1
+++ lib/libssl/src/ssl/s3_pkt.c 1 May 2014 14:17:40 -0000       1.19.4.2
@@ -657,6 +657,10 @@ static int do_ssl3_write(SSL *s, int typ
               if (i <= 0)
                       return(i);
               /* if it went, fall through and send more stuff */
+               /* we may have released our buffer, so get it again */
+               if (wb->buf == NULL)
+                       if (!ssl3_setup_write_buffer(s))
+                               return -1;
               }

       if (len == 0 && !create_empty_fragment)

You are viewing proxied material from ftp.icm.edu.pl. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.