On 13/04/2014 6:09 PM, Christian Kratzer wrote: > Hi, > > apparentyly openbsd has more or less silently fixed an older openssl > issue that has been stuck in the openssl bug tracker: > > The openbsd patch: > > http://www.openbsd.org/errata55.html#004_openssl > > > http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/004_openssl.patch.sig > > The original issue: > > > http://www.tedunangst.com/flak/post/analysis-of-openssl-freelist-reuse > > Here is the openssl bug: > > http://rt.openssl.org/Ticket/Display.html?id=2167 > > The patch; > > diff -u -p -u -r1.20 -r1.20.4.1 > --- lib/libssl/src/ssl/s3_pkt.c 27 Feb 2014 21:04:57 -0000 1.20 > +++ lib/libssl/src/ssl/s3_pkt.c 12 Apr 2014 17:01:14 -0000 > 1.20.4.1 > @@ -1054,7 +1054,7 @@ start: > { > s->rstate=SSL_ST_READ_HEADER; > rr->off=0; > - if (s->mode & SSL_MODE_RELEASE_BUFFERS) > + if (s->mode & SSL_MODE_RELEASE_BUFFERS && > s->s3->rbuf.left == 0) > ssl3_release_read_buffer(s); > } > } > > Can somebody rattle openssl upstream to get them to comment on this ? > > Should freebsd roll out a patch ? > > Greetings > Christian > Thank-you Dirk for promptly deploying the patch to openssl port: http://svnweb.freebsd.org/ports/head/security/openssl/files/patch-ssl-s3_pkt.c?revision=351191&view=markup Regards, Dewayne _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"