OpenSSL 2015-03-19 Security Advisories - LibreSSL Largely Unaffected

from OpenBSD Journal (#5FPK)

The response to today's much-anticipated unveiling of newly discovered OpenSSL vulnerabilities has been varied and loud, as expected. However, the impact on the OpenBSD-initiated LibreSSL project's code -- which has undergone extensive cleanup since LibreSSL forked off OpenSSL's code base in 2014 -- appears to be limited. Out of a total of 13 CVEs in OpenSSL's announcement, only five (CVE-2015-0207, CVE-2015-0286, CVE-2015-0287, CVE-2015-0289 and CVE-2015-0209) still applied to LibreSSL's code.

The main takeaway from the announcement appears to be that the cleanup has been effective. However, these 'crash-inducing' issues have now been fixed in LibreSSL:

CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
CVE-2015-0287 - ASN.1 structure reuse memory corruption
CVE-2015-0289 - PKCS7 NULL pointer dereferences

The OpenSSL project provided information and patches to the LibreSSL project in advance of the announcements.

More, including information about OpenBSD 5.7, 5.6 and 5.5, after the fold.

External Content
Source RSS or Atom Feed
Feed Location http://undeadly.org/cgi?action=rss
Feed Title OpenBSD Journal
Feed Link http://undeadly.org/