version 1.367, 2001/12/31 01:25:54 |
version 1.368, 2002/01/18 17:41:57 |
|
|
<a name=all></a> |
<a name=all></a> |
<li><h3><font color=#e00000>All architectures</font></h3> |
<li><h3><font color=#e00000>All architectures</font></h3> |
<ul> |
<ul> |
|
<a name=sudo> |
|
<li><font color=#009000><strong>011: SECURITY FIX: January 17, 2002</strong></font><br> |
|
If the Postfix sendmail replacement is installed on a system an |
|
attacker may be able to gain root privileges on the local host via |
|
sudo(8) which runs the mailer as root with an environment inherited |
|
from the invoking user. While this is a bug in sudo it is not |
|
believed to be possible to exploit when sendmail (the mailer that |
|
ships with OpenBSD) is the mailer. As of version 1.6.5, sudo passes |
|
the mailer an environment that is not subject to influence from the |
|
invoking user. |
|
<a href="ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/011_sudo.patch">A source code patch exists which remedies the problem</a>. |
|
<p> |
<a name=ipip> |
<a name=ipip> |
<li><font color=#009000><strong>010: RELIABILITY FIX: December 13, 2001</strong></font><br> |
<li><font color=#009000><strong>010: RELIABILITY FIX: December 13, 2001</strong></font><br> |
Systems running with IP-in-IP encapulation can be made to crash by |
Systems running with IP-in-IP encapulation can be made to crash by |
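Review bot: The added `<a name=sudo>` anchor at the top of the 011 entry is never closed, whereas `<a name=all></a>` a few lines above is; write it as `<a name=sudo></a>` so the list item and advisory text that follow are not swallowed into the anchor (the existing `<a name=ipip>` context line has the same problem and could be fixed in the same commit). In the advisory text, a comma after "installed on a system" and another after "While this is a bug in sudo" would make the two long sentences easier to parse. The entry says the environment is sanitized "As of version 1.6.5" but does not say whether the linked 011_sudo.patch brings the 3.0 tree to that version or backports only the environment change; one clause stating which would tell readers what they have after applying it.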