Hi, apparentyly openbsd has more or less silently fixed an older openssl issue that has been stuck in the openssl bug tracker: The openbsd patch: http://www.openbsd.org/errata55.html#004_openssl http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/004_openssl.patch.sig The original issue: http://www.tedunangst.com/flak/post/analysis-of-openssl-freelist-reuse Here is the openssl bug: http://rt.openssl.org/Ticket/Display.html?id=2167 The patch; diff -u -p -u -r1.20 -r1.20.4.1 --- lib/libssl/src/ssl/s3_pkt.c 27 Feb 2014 21:04:57 -0000 1.20 +++ lib/libssl/src/ssl/s3_pkt.c 12 Apr 2014 17:01:14 -0000 1.20.4.1 @@ -1054,7 +1054,7 @@ start: { s->rstate=SSL_ST_READ_HEADER; rr->off=0; - if (s->mode & SSL_MODE_RELEASE_BUFFERS) + if (s->mode & SSL_MODE_RELEASE_BUFFERS && s->s3->rbuf.left == 0) ssl3_release_read_buffer(s); } } Can somebody rattle openssl upstream to get them to comment on this ? Should freebsd roll out a patch ? Greetings Christian -- Christian Kratzer CK Software GmbH Email: [email protected] Wildberger Weg 24/2 Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart Mobile: +49 171 1947 843 Geschaeftsfuehrer: Christian Kratzer Web: http://www.cksoft.de/ _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[email protected]"