A number of exploitable flaws in OpenSSL's ASN.1 handling code have been
found. These errors permit denial-of-service (crashing) of applications
that use OpenSSL's libcrypto to parse or print ASN.1 objects.
The vulnerabilities have been designated CVE-2009-0590 and CVE-2009-0789
and are described in more detail in OpenSSL's security advisory:
http://www.openssl.org/news/secadv_20090325.txt
Please note that the other, more serious issue described in the OpenSSL
advisory "Incorrect Error Checking During CMS verification" does not
affect OpenBSD as we have not enabled the offending code.
Source code patches are available for OpenBSD 4.3, 4.4 and 4.5. OpenBSD
-current has been updated to OpenSSL 0.9.8k, which is not vulnerable.
Patch for OpenBSD 4.5:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.5/common/002_openssl.patch
Patch for OpenBSD 4.4:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/012_openssl.patch
Patch for OpenBSD 4.3:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/012_openssl.patch
These patches are also available in the OPENBSD_4_5, OPENBSD_4_4 and
OPENBSD_4_3 patch branches.