author | Simon L. B. Nielsen <simon@FreeBSD.org> | 2010-11-29 20:43:06 +0000 |
---|---|---|
committer | Simon L. B. Nielsen <simon@FreeBSD.org> | 2010-11-29 20:43:06 +0000 |
commit | 7a43cb98ef0937941e3f81869a1de1a39c60b901 (patch) | |
tree | e973b51a418bd2017096bee30e0b747f477da4fb | |
parent | 9738e0c840babe80b46f34c17bcd8adbff6aea70 (diff) |
Fix a race condition in the OpenSSL TLS server extension code and
a double free in the SSL client ECDH handling code.
Approved by: so (simon)
Security: CVE-2010-2939, CVE-2010-3864
Security: FreeBSD-SA-10:10.openssl
Notes:
svn path=/releng/7.1/; revision=216063
-rw-r--r-- | UPDATING | 3 | ||||
-rw-r--r-- | crypto/openssl/ssl/s3_clnt.c | 1 | ||||
-rw-r--r-- | sys/conf/newvers.sh | 2 |
3 files changed, 5 insertions, 1 deletions
@@ -8,6 +8,9 @@ Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20101129: p16 FreeBSD-SA-10:10.openssl + Fix OpenSSL multiple vulnerabilities. + 20101110: p15 FreeBSD-SA-10:09.pseudofs Don't unlock a mutex which wasn't locked. diff --git a/crypto/openssl/ssl/s3_clnt.c b/crypto/openssl/ssl/s3_clnt.c index e52e9cadc9f5..23a07b16f650 100644 --- a/crypto/openssl/ssl/s3_clnt.c +++ b/crypto/openssl/ssl/s3_clnt.c @@ -1289,6 +1289,7 @@ int ssl3_get_key_exchange(SSL *s) s->session->sess_cert->peer_ecdh_tmp=ecdh; ecdh=NULL; BN_CTX_free(bn_ctx); + bn_ctx = NULL; EC_POINT_free(srvr_ecpoint); srvr_ecpoint = NULL; } diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index da9a0ff3910e..1f34cd31770f 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="7.1" -BRANCH="RELEASE-p15" +BRANCH="RELEASE-p16" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi |
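Review bot: The new 20101129 entry in UPDATING reads "Fix OpenSSL multiple vulnerabilities." and the commit message names both a TLS server extension race and an ECDH double free, but the only source change in this commit is the single added line in crypto/openssl/ssl/s3_clnt.c. If the TLS extension race does not apply to the OpenSSL code on this branch, the entry and the commit message should say so explicitly; if it does apply, the corresponding change is missing from this patch.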
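Review bot: In ssl3_get_key_exchange(), the added `bn_ctx = NULL;` is only effective if a later cleanup path in the function calls BN_CTX_free(bn_ctx) again and that call accepts NULL, and neither is visible in this hunk. A one-line comment above the assignment saying that the shared exit path frees bn_ctx would make the intent clear to the next reader. The free-then-NULL form itself matches the neighbouring `ecdh=NULL;` and `srvr_ecpoint = NULL;` lines, so it would also be worth confirming that every other pointer released in this block and freed again on exit gets the same treatment.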