OpenBSD 5.4 errata 9, May 1, 2014: An attacker can trigger generation of an SSL alert which could cause a null pointer dereference. Apply patch using: cat 009_openssl.patch | (cd /usr/src && patch -p0) Then build and install libssl cd /usr/src/lib/libssl/ssl make obj make make install Then restart services which depend on SSL. Index: lib/libssl/src/ssl/s3_pkt.c =================================================================== RCS file: /cvs/src/lib/libssl/src/ssl/s3_pkt.c,v retrieving revision 1.19.4.1 retrieving revision 1.19.4.2 diff -u -p -r1.19.4.1 -r1.19.4.2 --- lib/libssl/src/ssl/s3_pkt.c 12 Apr 2014 17:00:53 -0000 1.19.4.1 +++ lib/libssl/src/ssl/s3_pkt.c 1 May 2014 14:17:40 -0000 1.19.4.2 @@ -657,6 +657,10 @@ static int do_ssl3_write(SSL *s, int typ if (i <= 0) return(i); /* if it went, fall through and send more stuff */ + /* we may have released our buffer, so get it again */ + if (wb->buf == NULL) + if (!ssl3_setup_write_buffer(s)) + return -1; } if (len == 0 && !create_empty_fragment)