www/errata22.html - diff

Return to errata22.html CVS log

Up to [local] / www

Diff for /www/errata22.html between version 1.58 and 1.59

version 1.58, 2010/03/08 21:53:37

version 1.59, 2010/07/08 19:00:07

Line 52

<hr>

You can also fetch a tar.gz file containing all the following patches</a>.

This file is updated once a day.

Line 70

If IPSEC communication is attempted by starting photurisd(8) (which is

disabled by default), a system crash may be evoked from remote if

an attacker uses some classes of invalid packets.

A source code patch exists which remedies this problem.</a>

Line 85

a security vulnerability for any setuid-root program that uses the Xaw

library (including xterm). Patch1 from XFree86 3.3.2 corrects

these problems.

We provide a version of this patch file specifically for the OpenBSD 2.2 tree</a>.

Line 94

lprm and lpd. The problem is exploitable by users on a particular

machine if there is an entry in /etc/printcap which

points at a remote printer.

A patch is available which corrects this behaviour</a>.

SECURITY FIX

A DNS-based vulnerability exists when uucpd is used. By default uucpd

is not enabled in the OpenBSD releases, but some sites may have enabled it.

A patch is available which corrects this behaviour</a>.

SECURITY FIX

A vulnerability exists when (and only when) /etc/named.conf has the

fake-iquery option enabled.

A patch is available which corrects this behaviour</a>.

Line 117

routes, an attacker can spoof a reply packet that will overflow inside

ping. Preliminary investigation makes it look the worst attack

possible is to make ping crash, but one never knows...

A patch is available which corrects this behaviour</a>.

Line 129

itself. Our fix changes the net.inet.ip.sourceroute

variable semantics to mean that all source routed packets should

be blocked completely.

A kernel patch is provided</a>.

Line 145

<ul>

<li>

(1) A kernel patch which adds a new sysctl option which permits the

administrator to decide whether setuid corefiles should be written or not</a>.

(2) Replaces the libc ruserok() function with a more paranoid

version which detects bogus looking .rhosts files better.</a>

</ul>

Line 172

safety semantics which securelevels are supposed to provide. If a user

manages to gain kmem group permissions, using this problem they can then

gain root trivially and/or turn securelevels off.

A kernel patch is available which corrects this behaviour (this is

revision 3 of this patch)</a>.

Line 182

whose target name is exactly 33 characters). As a workaround you have to

either provide the source tree read/write, or install a newer version of

/usr/bin/readlink.

A replacement source file exists</a>.

Line 190

If a line in /etc/exports which contains hostnames results in an empty

list because none of the supplied hostnames is known, mountd(8) will

accidentally export the filesystem to the world.

A patch is available which corrects this behaviour</a>.

<li>RELIABILITY FIX

Setting the MSG_EOR flag on a tcp packet in the send(2) family of

system calls could cause a kernel panic.

A patch</a> to return EINVAL in this case is available.

</ul>

Line 210

to lock your machine up using a 4-line program. The problem only affects

Intel P5 processors (the i386, i486, P-Pro, and P-II are not vulnerable,

nor are processors by other manufacturers).

A kernel source-code patch is available</a>.

<li>FUNCTIONALITY FIX

Some Linux binaries will execute in SVR4 emulation mode, which is

definitely a problem for people who need Linux emulation to work correctly.

To solve this mis-identification problem,

a patch file is provided</a>.

<li>RELIABILITY FIX

APM can crash on machines without it.

A kernel source-code patch is available</a>.

<li>INSTALLATION PROCESS FLAW

Line 242

<li>NEW SOFTWARE

Unfortunately, X11 binaries for the mac68k did not manage to make it onto the

CDROM. However, X11 for the mac68k is immediately available from

ftp://ftp.OpenBSD.org/pub/OpenBSD/2.2/mac68k/X11/X11R6.tar.gz</a>. Please

http://ftp.OpenBSD.org/pub/OpenBSD/2.2/mac68k/X11/X11R6.tar.gz</a>. Please

be sure to read the <a href="ftp://ftp.openbsd.org/pub/OpenBSD/2.2/mac68k/X11/README.X11">README file</a> also in that directory for instructions on installing

be sure to read the <a href="http://ftp.openbsd.org/pub/OpenBSD/2.2/mac68k/X11/README.X11">README file</a> also in that directory for instructions on installing

and setting up X.

<li>INSTALLATION PROCESS FLAW

As shipped on the CDROM, both the

generic kernel</a>

and the

genericsbc kernel</a>

extract themselves into the wrong place in the filesystem.

Both should extract a kernel named <tt>/bsd</tt>, but they extract

the kernel into <tt>/usr/src/sys/arch/mac68k/compile</tt> instead.

This has been fixed on the ftp release of <a href=22.html>OpenBSD 2.2</a>, and

fresh kernels are available from <a href="ftp://ftp.openbsd.org/pub/OpenBSD/2.2/mac68k">

fresh kernels are available from <a href="http://ftp.openbsd.org/pub/OpenBSD/2.2/mac68k">

ftp://ftp.OpenBSD.ORG/pub/OpenBSD/2.2/mac68k/</a>. If at all possible,

http://ftp.OpenBSD.ORG/pub/OpenBSD/2.2/mac68k/</a>. If at all possible,

installing these kernels is recommended.

A number of possible workarounds exist if you don't have easy access to ftp

Line 276

<li>RELIABILITY FIX

Older 4/xxx systems (particularly the 4/300's) cannot boot

with the 2.2 kernel due to bugs in the scsi device driver.

A kernel source patch is available</a>.

Replacement kernels are available for:

<a href="ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/2.2/sparc/bsd">bsd</a>,

<a href="http://ftp.OpenBSD.org/pub/OpenBSD/patches/2.2/sparc/bsd">bsd</a>,

<a href="ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/2.2/sparc/bsd.scsi3">bsd.scsi3</a>,

<a href="http://ftp.OpenBSD.org/pub/OpenBSD/patches/2.2/sparc/bsd.scsi3">bsd.scsi3</a>,

and a replacement for bsd.rd is coming soon.

RELIABILITY FIX

SPARCstation 4 and 5 (Microsparc 2) users may see kernel panics when

using a custom kernel configured for option sun4m only.

A workaround (kernel source patch) is available</a>. Apply the patch and

then re-build your kernel.

Line 297

<ul>

<li>FUNCTIONALITY FIX

Missing Xamiga manual pages. Get

this package</a> and execute, as root:

# pkg_add Xamiga-manual.tgz

The MD5 checksum of this package is:

Line 313

<li>FUNCTIONALITY FIX

There is a Year-1998 problem in the time-setting code (which causes the

date and time to be set incorrectly after a reboot in 1998).

A source code patch file is available</a> plus replacement installation

kernels for the 2.2 release at

<a href="ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.2/pmax/bsd.NFS">bsd.NFS</a>,

<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.2/pmax/bsd.NFS">bsd.NFS</a>,

<a href="ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.2/pmax/bsd">bsd</a>,

<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.2/pmax/bsd">bsd</a>,

<a href="ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.2/pmax/bsd.rz0">bsd.rz0</a>.

<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.2/pmax/bsd.rz0">bsd.rz0</a>.

<li>FUNCTIONALITY FIX

X11 support for the 3min and 3maxplus machines was broken

due to a kernel bug.

A source code patch is available</a>.

Line 331

A security problem in the shared library linker ld.so

requires that you replace it with a new binary. The following binary

will work on both pmax and arc machines.

The replacement binary is here</a>.

</ul>

Line 342

A security problem in the shared library linker ld.so requires

that you replace it with a new binary. The following binary

will work on both pmax and arc machines.

The replacement binary is here</a>.

</ul>