From luke at foolishgames.com Thu Jan 14 21:36:20 2016
From: luke at foolishgames.com (Lucas Holt)
Date: Thu, 14 Jan 2016 21:36:20 -0500
Subject: [Midnightbsd-users] MidnightBSD 0.7.3 RELEASE
Message-ID: <50250624-90FC-44BA-B546-9499A13FCE08@foolishgames.com>

An update for MidnightBSD is now available from SVN, 0.7.3 RELEASE.

This release includes the following security fixes:

OpenSSL

The signature verification routines will crash with a NULL pointer dereference if presented with an ASN.1 signature using the RSA PSS algorithm and absent mask generation function parameter. [CVE-2015-3194]

When presented with a malformed X509_ATTRIBUTE structure, OpenSSL will leak memory. [CVE-2015-3195]

If PSK identity hints are received by a multi-threaded client then the values are incorrectly updated in the parent SSL_CTX structure. [CVE-2015-3196]

linuxolator

A programming error in the Linux compatibility layer setgroups(2) system call can lead to unexpected results, such as overwriting random kernel memory contents.

A programming error in the handling of Linux futex robust lists may result in incorrect memory locations being accessed.

0.7.2 RELEASE

Fix a security issue with bsnmpd configuration file installation.

TCP MD5 signature denial of service

A programming error in processing a TCP connection with both TCP_MD5SIG and TCP_NOOPT socket options may lead to a kernel crash.

SCTP

A lack of proper input checks in the ICMPv6 processing in the SCTP stack can lead to either a failed kernel assertion or to a NULL pointer dereference. In either case, a kernel panic will follow.

In addition, users who run on the stable branch will also get an update for OpenSSH that disables roaming capability in the client.
Lucas Holt
Luke at FoolishGames.com
________________________________________________________
MidnightBSD.org (Free OS)
JustJournal.com (Free blogging)