NetBSD-Users archive


Re: NetBSD Security Advisory 2009-009: OpenSSL DTLS Memory Exhaustion and DSA signature verification vulnerabilities

I learned the hard way when following these instructions *not* to
additionally update src/lib/libcrypto, which, in combination with the
installation of the freshly built libraries, rendered su(1) broken.
Fortunately I found a root shell prompt among my screens, so I was
able to diagnose and work around the problem.

The problem was that updating src/lib/libcrypto brought in Joerg
Sonnenberger's change to make libcrypto use libc's new SHA-224
implementation -- but since I had not also installed a new libc,
loading any object linked against libcrypto would fail.

This makes me wonder, though: how sensitive are the security advisory
instructions to changes in the CVS tree?  If this vulnerability had
required a change in src/lib/libcrypto, and the instructions said to
update src/lib/libcrypto, would that have stopped Joerg Sonnenberger
from making libcrypto use libc's new SHA-224 implementation?  Is it
recommended instead just to update the entire tree whenever these
things come out, rather than parts of the tree incrementally?
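A pre-install check for the failure described above, as an added example that is not part of the original post or of NetBSD's build system: it compares the symbols a freshly built libcrypto imports with those the installed libc exports, so a libcrypto that now needs SHA224_* is flagged before it is installed over an older libc. The nm(1) flags, the obj/ path and every nm listing inside check_sample are assumptions or constructed samples, not captured output.

```shell
#!/bin/sh
# Added example, not from the original post: catch a libcrypto that was built
# against a newer libc (e.g. one that imports SHA224_*) before "make install"
# drops it over a system whose libc does not export those symbols.
# Assumptions: an nm(1) that accepts -D with --undefined-only/--defined-only;
# every listing used in check_sample below is constructed, not captured.
export LC_ALL=C

# Reduce an "nm -D" listing to bare symbol names whose type letter matches the
# ERE in $1 ("U" = strong undefined; "[TDBRVWi]" = exported definitions).
# Weak undefined references ("w") are skipped on purpose: they do not stop
# the dynamic linker from loading the object. Versions ("foo@@VER") are dropped.
symbols_from_nm() {
    awk -v want="$1" 'NF >= 2 && $(NF-1) ~ ("^" want "$") {
        s = $NF; sub(/@.*/, "", s); print s }' | sort -u
}

# Print every symbol in the needed list ($1) missing from the provided list ($2).
# Both files must be sorted, which symbols_from_nm guarantees.
unresolved() {
    comm -23 "$1" "$2"
}

# Real usage before installing from src/lib/libcrypto (paths are illustrative):
#   nm -D --undefined-only obj/libcrypto.so.* | symbols_from_nm U           > needed
#   nm -D --defined-only   /lib/libc.so.*     | symbols_from_nm '[TDBRVWi]' > provided
#   unresolved needed provided     # any output means: install the new libc first
check_sample() {
    needed=$(mktemp) || return 1
    provided=$(mktemp) || return 1
    # Constructed: what a libcrypto built after the SHA-224 change imports.
    printf '%s\n' \
        '                 U SHA224_Init' \
        '                 U SHA224_Update' \
        '                 U malloc' \
        '                 w __deregister_frame_info' \
        | symbols_from_nm U > "$needed"
    # Constructed: what an older installed libc exports (no SHA-224).
    printf '%s\n' \
        '00000000000411a0 T malloc' \
        '0000000000052b00 T SHA256_Init' \
        '0000000000061c40 W __deregister_frame_info' \
        | symbols_from_nm '[TDBRVWi]' > "$provided"
    unresolved "$needed" "$provided" | paste -s -d ' ' -
    rm -f "$needed" "$provided"
}
```

Run check_sample to see the two SHA-224 symbols the old libc cannot satisfy; an empty result from unresolved is the go-ahead to install.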
