Re: NetBSD Security Advisory 2009-009: OpenSSL DTLS Memory Exhaustion and DSA signature verification vulnerabilities
I learned the hard way when following these instructions *not* to
additionally update src/lib/libcrypto, which, in combination with the
installation of the freshly built libraries, rendered su(1) broken.
Fortunately I found a root shell prompt among my screens, so I was
able to diagnose and work around the problem.
The problem was that updating src/lib/libcrypto brought in Joerg
Sonnenberger's change to make libcrypto use libc's new SHA-224
implementation -- but since I had not also installed a new libc,
loading any object linked against libcrypto would fail.
This makes me wonder, though: how sensitive are the security advisory
instructions to changes in the CVS tree? If this vulnerability had
required a change in src/lib/libcrypto, and the instructions said to
update src/lib/libcrypto, would that have stopped Joerg Sonnenberger
from making libcrypto use libc's new SHA-224 implementation? Is it
recommended instead just to update the entire tree whenever these
things come out, rather than parts of the tree incrementally?
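A pre-install check for the failure described above, as an added example that is not from the post or from NetBSD: it parses `nm -D` output for the rebuilt library and for the libraries already installed, and reports any import that nothing installed exports. The `nm` output embedded below is constructed to mirror the SHA-224 case.

```python
# Added example (not from the post or NetBSD): check a rebuilt shared
# library's undefined dynamic symbols against what the installed
# dependencies export, before installing it. Input is `nm -D` text.
import re

# nm -D lines: "<addr> <type> <name>" or "        U <name>" when undefined.
_NM_LINE = re.compile(r"^\s*(?:[0-9a-fA-F]+\s+)?([A-Za-z])\s+(\S+)")
_DEFINED_TYPES = set("TtDdBbRrWVi")  # text, data, bss, rodata, weak-defined, ifunc

def parse_nm(output: str):
    """Return (undefined, defined) symbol-name sets from `nm -D` output."""
    undefined, defined = set(), set()
    for line in output.splitlines():
        m = _NM_LINE.match(line)
        if not m:
            continue
        sym_type, name = m.groups()
        name = name.split("@")[0]  # drop any symbol-version suffix
        if sym_type == "U":
            undefined.add(name)
        elif sym_type in _DEFINED_TYPES:
            defined.add(name)
    return undefined, defined

def unresolved_symbols(new_lib_nm: str, installed_lib_nms) -> set:
    """Symbols the rebuilt library imports that no installed library exports."""
    needed, _ = parse_nm(new_lib_nm)
    provided = set()
    for nm_text in installed_lib_nms:
        provided |= parse_nm(nm_text)[1]
    return needed - provided

# Constructed sample: the rebuilt libcrypto now imports libc's SHA-224
# routines, but the libc still installed only exports the SHA-256 family.
NEW_LIBCRYPTO_NM = """\
                 U SHA224_Init
                 U SHA224_Update
                 U SHA256_Init
                 U malloc
0000000000041230 T DSA_verify
"""
INSTALLED_LIBC_NM = """\
0000000000083100 T SHA256_Init
000000000001a000 T malloc
"""

if __name__ == "__main__":
    missing = unresolved_symbols(NEW_LIBCRYPTO_NM, [INSTALLED_LIBC_NM])
    # Real use: feed `nm -D` of the built library and of each `ldd` dependency.
    print("unresolved:", sorted(missing) or "none; safe to install")
```

An empty result means every import the rebuilt library needs is already exported by something installed; a non-empty one is the sign that the matching dependency (here libc) must be installed in the same step.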