Date: Fri, 16 Oct 2015 07:08:41 +0000 (UTC)
From: Bernard Spil <brnrd@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r399425 - head/security/vuxml
Message-ID: <201510160708.t9G78fq0019595@repo.freebsd.org>
Author: brnrd
Date: Fri Oct 16 07:08:40 2015
New Revision: 399425
URL: https://svnweb.freebsd.org/changeset/ports/399425

Log:
  security/libressl: Fix memory leak and buffer overflow DoS vulnerability
   * Update to 2.2.4 (fixing vulnerabilities)
   * Create vuxml entry

  Differential revision: https://reviews.freebsd.org/D3916
  Submitted by: Bernard Spil <brnrd@freebsd.org>
  Reviewed by: delphij (secteam)
  Approved by: delphij
  MFC after: 2015Q4
  Security: CVE-2015-5333, CVE-2015-533

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Fri Oct 16 07:00:28 2015 (r399424) +++ head/security/vuxml/vuln.xml Fri Oct 16 07:08:40 2015 (r399425) 
@@ -58,6 +58,36 @@ Notes: --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="e75a96df-73ca-11e5-9b45-b499baebfeaf"> + <topic>LibreSSL -- Memory leak and buffer overflow</topic> + <affects> + <package> + <name>libressl</name> + <range><lt>2.2.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Qualys reports:</p> + <blockquote cite="http://www.openwall.com/lists/oss-security/2015/10/16/1"> + <p>During the code review of OpenSMTPD a memory leak and buffer overflow + (an off-by-one, usually stack-based) were discovered in LibreSSL's + OBJ_obj2txt() function. This function is called automatically during + a TLS handshake (both client-side, unless an anonymous mode is used, + and server-side, if client authentication is requested).</p> + </body> + </description> + <references> + <url>http://marc.info/?l=openbsd-announce&m=144495690528446</url> + <cvename>CVE-2015-5333</cvename> + <cvename>CVE-2015-5334</cvename> + </references> + <dates> + <discovery>2015-10-15/discovery> + <entry>2015-10-16</entry> + </dates> + </vuln> + <vuln vid="07a1a76c-734b-11e5-ae81-14dae9d210b8"> <topic>mbedTLS/PolarSSL -- DoS and possible remote code execution</topic> <affects>
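Review bot: the added <vuln> entry is not well-formed XML in three places: in <dates>, `<discovery>2015-10-15/discovery>` is missing the `<` of its closing tag; in <description>, the <blockquote> is never closed before `</body>`; and in <references>, the `&` in the marc.info <url> has to be written as `&amp;`. Any one of these makes vuln.xml fail to parse, so please fix all three and run `make validate` in security/vuxml before committing. Separately, <range> uses `<lt>2.2.3</lt>` while the log says the update to 2.2.4 is what fixes the vulnerabilities; if 2.2.3 is still affected the bound should be 2.2.4, otherwise installed 2.2.3 packages will not be reported as vulnerable.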