Bug 205008

Summary: OpenSSL: Multiple Security Vulnerabilities (Update to 1.0.2e)
Product: Base System
Reporter: Kubilay Kocak <koobs>
Component: misc
Assignee: FreeBSD Security Officer <security-officer>
Status: Closed FIXED
Severity: Affects Many People
CC: delphij, milki, ports-secteam, secteam
Priority: ---
Keywords: security
Version: CURRENT
Flags: delphij: mfc-stable10+, delphij: mfc-stable9+, delphij: mfc-stable8-
Hardware: Any
OS: Any
URL: https://www.openssl.org/news/secadv/20151203.txt
Bug Depends on:    
Bug Blocks: 205009    

Description Kubilay Kocak freebsd_committer freebsd_triage 2015-12-04 06:57:12 UTC
OpenSSL Security Advisory [3 Dec 2015]

 * BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
 * Certificate verify crash with missing PSS parameter (CVE-2015-3194)
 * X509_ATTRIBUTE memory leak (CVE-2015-3195)
 * Race condition handling PSK identify hint (CVE-2015-3196)

Assign to jkim@ since HEAD has already had 1.0.2e merged [1]

MFCs and SAs pending. Please create blocking issues (bugs) for tasks that need to be resolved by other teams.

[1] https://svnweb.freebsd.org/base?view=revision&revision=291719

Comment 1 Xin LI freebsd_committer freebsd_triage 2015-12-04 09:46:41 UTC
Takeover. so@ have already done a preliminary patch and have started building the freebsd-update bits, and jkim@ has already done the stable/9 and stable/10 updates.

Please delete mfc-stable8 flag from the bug tracking system already :)