libcrypto errata

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

libcrypto errata

Ted Unangst-6
OpenSSL announced several issues today that also affect LibreSSL.

- Memory corruption in the ASN.1 encoder (CVE-2016-2108)
- Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
- EVP_EncodeUpdate overflow (CVE-2016-2105)
- EVP_EncryptUpdate overflow (CVE-2016-2106)
- ASN.1 BIO excessive memory allocation (CVE-2016-2109)

Thanks to OpenSSL for providing information and patches.

Refer to https://www.openssl.org/news/secadv/20160503.txt

Patches for OpenBSD are available:

http://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/005_crypto.patch.sig

http://ftp.openbsd.org/pub/OpenBSD/patches/5.8/common/013_crypto.patch.sig