From noreply at github.com Mon Feb 13 02:11:08 2023
From: noreply at github.com (Lucas Holt)
Date: Sun, 12 Feb 2023 23:11:08 -0800
Subject: [Midnightbsd-cvs] [MidnightBSD/src]
Message-ID:

Branch: refs/tags/2.2.7
Home: https://github.com/MidnightBSD/src

From noreply at github.com Thu Feb 16 14:40:11 2023
From: noreply at github.com (Lucas Holt)
Date: Thu, 16 Feb 2023 11:40:11 -0800
Subject: [Midnightbsd-cvs] [MidnightBSD/src] fae474: OpenSSL security fix
Message-ID:

Branch: refs/heads/master
Home: https://github.com/MidnightBSD/src
Commit: fae47427305375221e4e8d49f1027c53e8770430
https://github.com/MidnightBSD/src/commit/fae47427305375221e4e8d49f1027c53e8770430
Author: Lucas Holt
Date: 2023-02-16 (Thu, 16 Feb 2023)

Changed paths:
    M crypto/openssl/crypto/asn1/bio_ndef.c
    M crypto/openssl/crypto/bn/bn_blind.c
    M crypto/openssl/crypto/bn/bn_err.c
    M crypto/openssl/crypto/bn/bn_local.h
    A crypto/openssl/crypto/bn/rsa_sup_mul.c
    M crypto/openssl/crypto/err/openssl.txt
    M crypto/openssl/crypto/pem/pem_lib.c
    M crypto/openssl/crypto/rsa/rsa_ossl.c
    M crypto/openssl/crypto/x509v3/v3_genn.c
    M crypto/openssl/include/crypto/bn.h
    M crypto/openssl/include/openssl/bnerr.h
    M crypto/openssl/include/openssl/x509v3.h
    M secure/lib/libcrypto/Makefile

Log Message:
-----------
OpenSSL security fix

* X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)
There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING.

* Timing Oracle in RSA Decryption (CVE-2022-4304)
A timing based side channel exists in the OpenSSL RSA Decryption implementation.

* Use-after-free following BIO_new_NDEF (CVE-2023-0215)
The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO.

* Double free after calling PEM_read_bio_ex (CVE-2022-4450)
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed.

Obtained from: FreeBSD, OpenSSL

From noreply at github.com Thu Feb 16 14:40:58 2023
From: noreply at github.com (Lucas Holt)
Date: Thu, 16 Feb 2023 11:40:58 -0800
Subject: [Midnightbsd-cvs] [MidnightBSD/src] 98c487: OpenSSL security fix
Message-ID:

Branch: refs/heads/stable/3.0
Home: https://github.com/MidnightBSD/src
Commit: 98c487cf8da580c8a0a919f0ed91613c01f02849
https://github.com/MidnightBSD/src/commit/98c487cf8da580c8a0a919f0ed91613c01f02849
Author: Lucas Holt
Date: 2023-02-16 (Thu, 16 Feb 2023)

Changed paths:
    M crypto/openssl/crypto/asn1/bio_ndef.c
    M crypto/openssl/crypto/bn/bn_blind.c
    M crypto/openssl/crypto/bn/bn_err.c
    M crypto/openssl/crypto/bn/bn_local.h
    A crypto/openssl/crypto/bn/rsa_sup_mul.c
    M crypto/openssl/crypto/err/openssl.txt
    M crypto/openssl/crypto/pem/pem_lib.c
    M crypto/openssl/crypto/rsa/rsa_ossl.c
    M crypto/openssl/crypto/x509v3/v3_genn.c
    M crypto/openssl/include/crypto/bn.h
    M crypto/openssl/include/openssl/bnerr.h
    M crypto/openssl/include/openssl/x509v3.h
    M secure/lib/libcrypto/Makefile

Log Message:
-----------
OpenSSL security fix

* X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)
There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING.

* Timing Oracle in RSA Decryption (CVE-2022-4304)
A timing based side channel exists in the OpenSSL RSA Decryption implementation.

* Use-after-free following BIO_new_NDEF (CVE-2023-0215)
The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO.

* Double free after calling PEM_read_bio_ex (CVE-2022-4450)
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed.

Obtained from: FreeBSD, OpenSSL

From noreply at github.com Fri Feb 17 14:53:38 2023
From: noreply at github.com (Lucas Holt)
Date: Fri, 17 Feb 2023 11:53:38 -0800
Subject: [Midnightbsd-cvs] [MidnightBSD/src] 16be84: always build libsqlite3 and get rid of duplicate
Message-ID:

Branch: refs/heads/stable/3.0
Home: https://github.com/MidnightBSD/src
Commit: 16be8494908aa3f7c777cb8dd01b874db3e9b582
https://github.com/MidnightBSD/src/commit/16be8494908aa3f7c777cb8dd01b874db3e9b582
Author: Lucas Holt
Date: 2023-02-17 (Fri, 17 Feb 2023)

Changed paths:
    M Makefile.inc1

Log Message:
-----------
always build libsqlite3 and get rid of duplicate

From noreply at github.com Fri Feb 17 14:54:01 2023
From: noreply at github.com (Lucas Holt)
Date: Fri, 17 Feb 2023 11:54:01 -0800
Subject: [Midnightbsd-cvs] [MidnightBSD/src] 5ea546: always build libsqlite3 and get rid of duplicate
Message-ID:

Branch: refs/heads/master
Home: https://github.com/MidnightBSD/src
Commit: 5ea54608bda4b487873fe4277768130d7ced5fc0
https://github.com/MidnightBSD/src/commit/5ea54608bda4b487873fe4277768130d7ced5fc0
Author: Lucas Holt
Date: 2023-02-17 (Fri, 17 Feb 2023)

Changed paths:
    M Makefile.inc1

Log Message:
-----------
always build libsqlite3 and get rid of duplicate

From noreply at github.com Sat Feb 18 16:31:23 2023
From: noreply at github.com (Lucas Holt)
Date: Sat, 18 Feb 2023 13:31:23 -0800
Subject: [Midnightbsd-cvs] [MidnightBSD/src] 313bb7: explicitly add extension
Message-ID:

Branch: refs/heads/master
Home: https://github.com/MidnightBSD/src
Commit: 313bb7dc611a52ec00db4e5ac95951ec8867e8aa
https://github.com/MidnightBSD/src/commit/313bb7dc611a52ec00db4e5ac95951ec8867e8aa
Author: Lucas Holt
Date: 2023-02-18 (Sat, 18 Feb 2023)

Changed paths:
    M usr.bin/perl/BSDmakefile

Log Message:
-----------
explicitly add extension

From noreply at github.com Sat Feb 18 16:31:44 2023
From: noreply at github.com (Lucas Holt)
Date: Sat, 18 Feb 2023 13:31:44 -0800
Subject: [Midnightbsd-cvs] [MidnightBSD/src] dc2560: explicitly add extension
Message-ID:

Branch: refs/heads/stable/3.0
Home: https://github.com/MidnightBSD/src
Commit: dc25602707d84affbdb56b76fb4b6318774ac4cd
https://github.com/MidnightBSD/src/commit/dc25602707d84affbdb56b76fb4b6318774ac4cd
Author: Lucas Holt
Date: 2023-02-18 (Sat, 18 Feb 2023)

Changed paths:
    M usr.bin/perl/BSDmakefile

Log Message:
-----------
explicitly add extension

From noreply at github.com Sat Feb 18 16:34:25 2023
From: noreply at github.com (Lucas Holt)
Date: Sat, 18 Feb 2023 13:34:25 -0800
Subject: [Midnightbsd-cvs] [MidnightBSD/src] 7314a6: explicitly add extension
Message-ID:

Branch: refs/heads/stable/2.2
Home: https://github.com/MidnightBSD/src
Commit: 7314a6732cf92e52d74324639ae8d14b44abe366
https://github.com/MidnightBSD/src/commit/7314a6732cf92e52d74324639ae8d14b44abe366
Author: Lucas Holt
Date: 2023-02-18 (Sat, 18 Feb 2023)

Changed paths:
    M usr.bin/perl/BSDmakefile

Log Message:
-----------
explicitly add extension

From noreply at github.com Sun Feb 19 12:19:28 2023
From: noreply at github.com (Lucas Holt)
Date: Sun, 19 Feb 2023 09:19:28 -0800
Subject: [Midnightbsd-cvs] [MidnightBSD/src] 822563: support midnightbsd
Message-ID:

Branch: refs/heads/stable/3.0
Home: https://github.com/MidnightBSD/src
Commit: 822563b4c1234ccf726130566f7642f96883282d
https://github.com/MidnightBSD/src/commit/822563b4c1234ccf726130566f7642f96883282d
Author: Lucas Holt
Date: 2023-02-19 (Sun, 19 Feb 2023)

Changed paths:
    M contrib/perl/cpan/ExtUtils-MakeMaker/lib/ExtUtils/MM_Unix.pm

Log Message:
-----------
support midnightbsd

From noreply at github.com Sun Feb 19 13:35:03 2023
From: noreply at github.com (Lucas Holt)
Date: Sun, 19 Feb 2023 10:35:03 -0800
Subject: [Midnightbsd-cvs] [MidnightBSD/src] b650a1: support midnightbsd
Message-ID:

Branch: refs/heads/master
Home: https://github.com/MidnightBSD/src
Commit: b650a1ac58c866ade4499238d27c95e9acfe76ef
https://github.com/MidnightBSD/src/commit/b650a1ac58c866ade4499238d27c95e9acfe76ef
Author: Lucas Holt
Date: 2023-02-19 (Sun, 19 Feb 2023)

Changed paths:
    M contrib/perl/cpan/ExtUtils-MakeMaker/lib/ExtUtils/MM_Unix.pm

Log Message:
-----------
support midnightbsd

From noreply at github.com Sun Feb 19 14:07:58 2023
From: noreply at github.com (Lucas Holt)
Date: Sun, 19 Feb 2023 11:07:58 -0800
Subject: [Midnightbsd-cvs] [MidnightBSD/src] d0fb16: support midnightbsd
Message-ID:

Branch: refs/heads/stable/2.2
Home: https://github.com/MidnightBSD/src
Commit: d0fb16624d219d420dfc683e084f2c3bc655e7c9
https://github.com/MidnightBSD/src/commit/d0fb16624d219d420dfc683e084f2c3bc655e7c9
Author: Lucas Holt
Date: 2023-02-19 (Sun, 19 Feb 2023)

Changed paths:
    M contrib/perl/cpan/ExtUtils-MakeMaker/lib/ExtUtils/MM_Unix.pm

Log Message:
-----------
support midnightbsd

From noreply at github.com Sun Feb 19 14:09:25 2023
From: noreply at github.com (Lucas Holt)
Date: Sun, 19 Feb 2023 11:09:25 -0800
Subject: [Midnightbsd-cvs] [MidnightBSD/src] b934e1: mention perl man page fix
Message-ID:

Branch: refs/heads/stable/2.2
Home: https://github.com/MidnightBSD/src
Commit: b934e14c29fe3aa1560b8a1f0a5698e36a3808d4
https://github.com/MidnightBSD/src/commit/b934e14c29fe3aa1560b8a1f0a5698e36a3808d4
Author: Lucas Holt
Date: 2023-02-19 (Sun, 19 Feb 2023)

Changed paths:
    M UPDATING

Log Message:
-----------
mention perl man page fix

From noreply at github.com Sun Feb 19 14:09:56 2023
From: noreply at github.com (Lucas Holt)
Date: Sun, 19 Feb 2023 11:09:56 -0800
Subject: [Midnightbsd-cvs] [MidnightBSD/src] c9a3f4: bump
Message-ID:

Branch: refs/heads/stable/2.2
Home: https://github.com/MidnightBSD/src
Commit: c9a3f41a5da0398b6a16020c0620efdc34f086b5
https://github.com/MidnightBSD/src/commit/c9a3f41a5da0398b6a16020c0620efdc34f086b5
Author: Lucas Holt
Date: 2023-02-19 (Sun, 19 Feb 2023)

Changed paths:
    M sys/conf/newvers.sh

Log Message:
-----------
bump

From yassinehmimou3 at gmail.com Wed Feb 15 16:29:59 2023
From: yassinehmimou3 at gmail.com (yassine hmimou)
Date: Wed, 15 Feb 2023 21:29:59 -0000
Subject: [Midnightbsd-cvs] Report detailed about vulnerabilities in your site // Security Vulnerability Notification| Important
Message-ID:

hello team,

I hope you are well and in good health.
I am contacting you today because I have found a serious security vulnerability in your site
I am Yassin Hamimou, a student in informatics development and an ethical hacker.
I look for vulnerabilities in websites and help you patch them to earn some money.
I have experience in this field for more than 5 years and I have a lot of testimonials and my name is listed on many websites.
I work on this platform: https://www.openbugbounty.org/researchers/yassinehmimou2/

Please, where can I send the vulnerability report that I found on your site?
In order to quickly fix it and make your site safe
I wish you a happy day
Waiting for your reply
I am happy to make your site more secure.

Best Regards
Yassine Hmimou
security researcher
My account on Twitter: / https://twitter.com/yassinehmimou2