If we need to make an exception, we can do it and properly document the
reason, but by default we should just use the default login class.
rc.d uses daemon or the login class provided in login.conf.d so this has
no impact there.
discussed with sthen@, tb@ and robert@
praying that my grep/sed skills did not break anything and still
believing in portbump :-)

Fixes X.509 Email Address Buffer Overflows (CVE-2022-3602, CVE-2022-3786).
In good OpenSSL tradition, they ship ~250 commits since OpenSSL 3.0.5, the
last non-retracted release.
One might wonder how a punycode decoder that overflows on an example string
from the RFC makes it into a cryptographic library released in '21. Compare
test_puny_overrun() with RFC 3492 7.1 (L)... In PR 9654 someone asked about
tests early on - this was dismissed since a handful of cert chains suffices
to exercise a tricky decoder. The review could then focus on more important
things like file placement, license comments, comment formatting and style.
Ignoring a request for turning a magic number into a constant, not even one
of the 127 items on the PR is on the scary code itself.
It is also questionable whether it was really necessary to classify this as
CRITICAL and generate that much panic. It's bad, but not eye-wateringly bad
(disregarding the development process that led to this fiasco.)
Good thing this was at least downgraded to HIGH in the final announcement.
No one will be surprised that there is more than one issue in this code, so
instead of one CRITICAL issue, we get two HIGH ones. Sounds fair.
https://www.openssl.org/news/secadv/20221101.txt
https://www.openssl.org/news/secadv/20221101b.txt

The OpenSSL 1.1.1r and 3.0.6 releases have been withdrawn. Apparently
there is a regression that isn't security relevant but bad enough for
them to recommend to downgrade. If failure to encrypt is LOW severity,
no-one knows how bad things actually are... What a mess.
https://marc.info/?l=openssl-announce&m=166558438331847&w=2