This advisory covers two distinct OpenSSL issues:
The X509VFLAGX509STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the mplementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates.
A TLSv1.2 renegotiation ClientHello message sent to a TLS server that omits the signaturealgorithms extension (where it was present in the initial ClientHello), but includes a signaturealgorithms_cert extension results in a NULL pointer dereference in the server.
The Valuable News weekly series is dedicated to provide summary about news, articles and other interesting stuff mostly but not always related to the UNIX or BSD systems.
Unfortunately the operating system's live media failed to boot on their test systems, systems which can run FreeBSD, and so they put it aside to try another project.
Very small and compact solution for notifications on X11 desktop – herbe – as its author describes it – its daemon-less notifications without D-Bus. Minimal and lightweight.
This is the last development release for the 3.3.x branch before it is declared stable.
Since Unbound DNS in OPNsense does not support DNS over HTTPS (DoH) directly, it was necessary to use the DNSCrypt-Proxy plugin. The plugin also supports DNS over TLS (DoT). However, Unbound gained native support for DoT at some point in time, which is very nice. Because of built-in support for DoT, the configuration of DNS over TLS becomes pretty trivial.
iostat provides a window into the i/o effort of the storage subsystem. You can use it to determine usage patterns, bottlenecks and poor behavior at a glance. It can produce data to support conclusions and suggest further avenues of investigation when used judiciously. In this article, we will dissect its output and introduce disk subsystem troubleshooting using statistical output from iostat.
Errata patches for the X server have been released for OpenBSD 6.7 and 6.8. Input validation failures in X server XInput extension can lead to privileges elevations for authorized clients. Binary updates for the amd64, i386, and arm64 platforms are available via the syspatch utility.