Re: NetBSD Security Advisory 2009-009: OpenSSL DTLS Memory Exhaustion and DSA signature verification vulnerabilities

To: NetBSD Security Officer <security-officer%NetBSD.org@localhost>
Subject: Re: NetBSD Security Advisory 2009-009: OpenSSL DTLS Memory Exhaustion and DSA signature verification vulnerabilities
From: Taylor R Campbell <campbell%mumble.net@localhost>
Date: Fri, 17 Jul 2009 16:39:13 -0400

I learned the hard way when following these instructions *not* to
additionally update src/lib/libcrypto, which, in combination with the
installation of the freshly built libraries, rendered su(1) broken.
Fortunately I found a root shell prompt among my screens, so I was
able to diagnose and work around the problem.

The problem was that Updating src/lib/libcrypto brought in Joerg
Sonnenberger's change to make libcrypto use libc's new SHA-224
implementation -- but since I had not also installed a new libc,
loading any object linked against libcrypto would fail.

This makes me wonder, though: how sensitive are the security advisory
instructions to changes in the CVS tree?  If this vulnerability had
required a change in src/lib/libcrypto, and the instructions said to
update src/lib/libcrypto, would that have stopped Joerg Sonnenberger
from making libcrypto use libc's new SHA-224 implementation?  Is it
recommended instead just to update the entire tree whenever these
things come out, rather than parts of the tree incrementally?

Follow-Ups:
- Re: NetBSD Security Advisory 2009-009: OpenSSL DTLS Memory Exhaustion and DSA signature verification vulnerabilities
  - From: Tonnerre LOMBARD

Prev by Date: re(4) and Realtek 8168
Next by Date: Re: PF Problems
Previous by Thread: re(4) and Realtek 8168
Next by Thread: Re: NetBSD Security Advisory 2009-009: OpenSSL DTLS Memory Exhaustion and DSA signature verification vulnerabilities
Indexes:

Home | Main Index | Thread Index | Old Index