Created attachment 154472 [details]
svn diff for security/libressl

Backport of 2 of the 3 "Low" vulnerabilities from tomorrow's to be announced OpenSSL sec vulns. The originator of the High vuln indicated that LibreSSL doesn't seem to be affected, that leaves 3 medium vulns to analyze/fix.
Created attachment 154473 [details] svn diff for security/libressl
Could you please add the entry to the vulnxml port?
Created attachment 154474 [details] Poudriere testport log of security/libressl
CVE-2015-0288 patch
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=28a00bcd8e318da18031b2ac8778c64147cd54f9

CVE-2015-0209 patch
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=9e442d485008046933cdc7da65080f436a4af089
Created attachment 154477 [details]
svn diff for security/libressl

Revised patch... According to upstream "most important part missing"
Created attachment 154478 [details] Poudriere build log of security/libressl
Bernard, regarding the requested security/vuxml entry, don't hesitate to ask for assistance from #bsddocs or #bsdports folk. You can find more info on the format here: http://www2.au.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/book.html#security-notify
Created attachment 154518 [details]
svn diff for security/libressl

Now contains complete patch from GitHub for

CVE reference   Description                                     Severity
CVE-2015-0207   Segmentation fault in DTLSv1_listen             moderate
CVE-2015-0209   Use After Free following d2i_ECPrivatekey error low
CVE-2015-0286   Segmentation fault in ASN1_TYPE_cmp             moderate
CVE-2015-0287   ASN.1 structure reuse memory corruption         moderate
CVE-2015-0289   PKCS7 NULL pointer dereferences                 moderate
Created attachment 154519 [details]
Build log of security/libressl

With the patches applied
A commit references this bug:

Author: vsevolod
Date: Thu Mar 19 15:30:30 UTC 2015
New revision: 381603
URL: https://svnweb.freebsd.org/changeset/ports/381603

Log:
- Backport the following fixes from openssl [1]:
  CVE-2015-0207 Segmentation fault in DTLSv1_listen moderate
  CVE-2015-0209 Use After Free following d2i_ECPrivatekey error low
  CVE-2015-0286 Segmentation fault in ASN1_TYPE_cmp moderate
  CVE-2015-0287 ASN.1 structure reuse memory corruption moderate
  CVE-2015-0289 PKCS7 NULL pointer dereferences moderate
- Enable libtls component [2]
- Bump portrevision

PR: 198681 [1]
Submitted by: Bernard Spil <spil.oss at gmail.com> [1], naddy [2]

Changes:
  head/security/libressl/Makefile
  head/security/libressl/pkg-plist
  head/security/libressl/security/
  head/security/libressl/security/libressl/
  head/security/libressl/security/libressl/files/
  head/security/libressl/security/libressl/files/patch-crypto_asn1_a__int.c
  head/security/libressl/security/libressl/files/patch-crypto_asn1_a__set.c
  head/security/libressl/security/libressl/files/patch-crypto_asn1_a__type.c
  head/security/libressl/security/libressl/files/patch-crypto_asn1_d2i__pr.c
  head/security/libressl/security/libressl/files/patch-crypto_asn1_d2i__pu.c
  head/security/libressl/security/libressl/files/patch-crypto_asn1_n__pkey.c
  head/security/libressl/security/libressl/files/patch-crypto_asn1_tasn__dec.c
  head/security/libressl/security/libressl/files/patch-crypto_asn1_x__x509.c
  head/security/libressl/security/libressl/files/patch-crypto_ec_ec__asn1.c
  head/security/libressl/security/libressl/files/patch-crypto_pkcs7_pk7__doit.c
  head/security/libressl/security/libressl/files/patch-crypto_pkcs7_pk7__lib.c
  head/security/libressl/security/libressl/files/patch-ssl_d1__lib.c
I've committed this patch, but I'd still appreciate it if you could update the vulnxml entry accordingly.