version 1.87, 2016/08/15 02:22:06 |
version 1.88, 2016/10/16 19:11:29 |
|
|
<br> |
<br> |
<hr> |
<hr> |
|
|
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.2.tar.gz"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.2.tar.gz"> |
You can also fetch a tar.gz file containing all the following patches</a>. |
You can also fetch a tar.gz file containing all the following patches</a>. |
This file is updated once a day. |
This file is updated once a day. |
<p> |
<p> |
|
|
If IPSEC communication is attempted by starting photurisd(8) (which is |
If IPSEC communication is attempted by starting photurisd(8) (which is |
disabled by default), a system crash may be evoked from remote if |
disabled by default), a system crash may be evoked from remote if |
an attacker uses some classes of invalid packets. |
an attacker uses some classes of invalid packets. |
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.2/common/ipsec.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.2/common/ipsec.patch"> |
A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
<p> |
<p> |
<li id="xterm-xaw"> |
<li id="xterm-xaw"> |
|
|
a security vulnerability for any setuid-root program that uses the Xaw |
a security vulnerability for any setuid-root program that uses the Xaw |
library (including xterm). Patch1 from XFree86 3.3.2 corrects |
library (including xterm). Patch1 from XFree86 3.3.2 corrects |
these problems. |
these problems. |
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.2/common/xterm-xaw.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.2/common/xterm-xaw.patch"> |
We provide a version of this patch file specifically for the OpenBSD 2.2 tree</a>. |
We provide a version of this patch file specifically for the OpenBSD 2.2 tree</a>. |
<p> |
<p> |
<li id="rmjob"> |
<li id="rmjob"> |
|
|
lprm and lpd. The problem is exploitable by users on a particular |
lprm and lpd. The problem is exploitable by users on a particular |
machine if there is an entry in <strong>/etc/printcap</strong> which |
machine if there is an entry in <strong>/etc/printcap</strong> which |
points at a remote printer. |
points at a remote printer. |
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.2/common/rmjob.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.2/common/rmjob.patch"> |
A patch is available which corrects this behaviour</a>. |
A patch is available which corrects this behaviour</a>. |
<p> |
<p> |
<li id="uucpd"> |
<li id="uucpd"> |
|
|
<i>All architectures</i><br> |
<i>All architectures</i><br> |
A DNS-based vulnerability exists when uucpd is used. By default uucpd |
A DNS-based vulnerability exists when uucpd is used. By default uucpd |
is not enabled in the OpenBSD releases, but some sites may have enabled it. |
is not enabled in the OpenBSD releases, but some sites may have enabled it. |
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.2/common/uucpd.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.2/common/uucpd.patch"> |
A patch is available which corrects this behaviour</a>. |
A patch is available which corrects this behaviour</a>. |
<p> |
<p> |
<li id="named"> |
<li id="named"> |
|
|
<i>All architectures</i><br> |
<i>All architectures</i><br> |
A vulnerability exists when (and only when) /etc/named.conf has the |
A vulnerability exists when (and only when) /etc/named.conf has the |
<strong>fake-iquery</strong> option enabled. |
<strong>fake-iquery</strong> option enabled. |
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.2/common/named.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.2/common/named.patch"> |
A patch is available which corrects this behaviour</a>. |
A patch is available which corrects this behaviour</a>. |
<p> |
<p> |
<li id="ping"> |
<li id="ping"> |
|
|
routes, an attacker can spoof a reply packet that will overflow inside |
routes, an attacker can spoof a reply packet that will overflow inside |
ping. Preliminary investigation makes it look the worst attack |
ping. Preliminary investigation makes it look the worst attack |
possible is to make ping crash, but one never knows... |
possible is to make ping crash, but one never knows... |
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.2/common/ping.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.2/common/ping.patch"> |
A patch is available which corrects this behaviour</a>. |
A patch is available which corrects this behaviour</a>. |
<p> |
<p> |
<li id="sourceroute"> |
<li id="sourceroute"> |
|
|
itself. Our fix changes the <strong>net.inet.ip.sourceroute</strong> |
itself. Our fix changes the <strong>net.inet.ip.sourceroute</strong> |
variable semantics to mean that all source routed packets should |
variable semantics to mean that all source routed packets should |
be blocked completely. |
be blocked completely. |
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.2/common/sourceroute.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.2/common/sourceroute.patch"> |
A kernel patch is provided</a>. |
A kernel patch is provided</a>. |
<p> |
<p> |
<li id="ruserok"> |
<li id="ruserok"> |
|
|
<p> |
<p> |
<ul> |
<ul> |
<li> |
<li> |
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.2/common/nosuidcoredump.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.2/common/nosuidcoredump.patch"> |
(1) A kernel patch which adds a new sysctl option which permits the |
(1) A kernel patch which adds a new sysctl option which permits the |
administrator to decide whether setuid corefiles should be written or not</a>. |
administrator to decide whether setuid corefiles should be written or not</a>. |
<p> |
<p> |
<li><a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.2/common/rcmd.patch"> |
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.2/common/rcmd.patch"> |
(2) Replaces the libc ruserok() function with a more paranoid |
(2) Replaces the libc ruserok() function with a more paranoid |
version which detects bogus looking .rhosts files better.</a> |
version which detects bogus looking .rhosts files better.</a> |
</ul> |
</ul> |
|
|
safety semantics which securelevels are supposed to provide. If a user |
safety semantics which securelevels are supposed to provide. If a user |
manages to gain kmem group permissions, using this problem they can then |
manages to gain kmem group permissions, using this problem they can then |
gain root trivially and/or turn securelevels off. |
gain root trivially and/or turn securelevels off. |
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.2/common/vm_mmap.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.2/common/vm_mmap.patch"> |
A kernel patch is available which corrects this behaviour (this is |
A kernel patch is available which corrects this behaviour (this is |
revision 3 of this patch)</a>. |
revision 3 of this patch)</a>. |
<p> |
<p> |
|
|
whose target name is exactly 33 characters). As a workaround you have to |
whose target name is exactly 33 characters). As a workaround you have to |
either provide the source tree read/write, or install a newer version of |
either provide the source tree read/write, or install a newer version of |
/usr/bin/readlink. |
/usr/bin/readlink. |
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.2/common/readlink.c"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.2/common/readlink.c"> |
A replacement source file exists</a>. |
A replacement source file exists</a>. |
<p> |
<p> |
<li id="mountd"> |
<li id="mountd"> |
|
|
If a line in /etc/exports which contains hostnames results in an empty |
If a line in /etc/exports which contains hostnames results in an empty |
list because none of the supplied hostnames is known, mountd(8) will |
list because none of the supplied hostnames is known, mountd(8) will |
accidentally export the filesystem to the world. |
accidentally export the filesystem to the world. |
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.2/common/mountd.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.2/common/mountd.patch"> |
A patch is available which corrects this behaviour</a>. |
A patch is available which corrects this behaviour</a>. |
<p> |
<p> |
<li><font color="#009000"><strong>RELIABILITY FIX</strong></font> |
<li><font color="#009000"><strong>RELIABILITY FIX</strong></font> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
Setting the MSG_EOR flag on a tcp packet in the send(2) family of |
Setting the MSG_EOR flag on a tcp packet in the send(2) family of |
system calls could cause a kernel panic. |
system calls could cause a kernel panic. |
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.2/common/send.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.2/common/send.patch"> |
A patch</a> to return EINVAL in this case is available. |
A patch</a> to return EINVAL in this case is available. |
<p> |
<p> |
<li id="f00f"> |
<li id="f00f"> |
|
|
to lock your machine up using a 4-line program. The problem only affects |
to lock your machine up using a 4-line program. The problem only affects |
Intel P5 processors (the i386, i486, P-Pro, and P-II are not vulnerable, |
Intel P5 processors (the i386, i486, P-Pro, and P-II are not vulnerable, |
nor are processors by other manufacturers). |
nor are processors by other manufacturers). |
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.2/i386/f00f.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.2/i386/f00f.patch"> |
A kernel source-code patch is available</a>. |
A kernel source-code patch is available</a>. |
<p> |
<p> |
<li><font color="#009000"><strong>FUNCTIONALITY FIX</strong></font><br> |
<li><font color="#009000"><strong>FUNCTIONALITY FIX</strong></font><br> |
Some Linux binaries will execute in SVR4 emulation mode, which is |
Some Linux binaries will execute in SVR4 emulation mode, which is |
definitely a problem for people who need Linux emulation to work correctly. |
definitely a problem for people who need Linux emulation to work correctly. |
To solve this mis-identification problem, |
To solve this mis-identification problem, |
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.2/i386/compat_linux.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.2/i386/compat_linux.patch"> |
a patch file is provided</a>. |
a patch file is provided</a>. |
<p> |
<p> |
<li><font color="#009000"><strong>RELIABILITY FIX</strong></font><br> |
<li><font color="#009000"><strong>RELIABILITY FIX</strong></font><br> |
APM can crash on machines without it. |
APM can crash on machines without it. |
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.2/i386/apm.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.2/i386/apm.patch"> |
A kernel source-code patch is available</a>. |
A kernel source-code patch is available</a>. |
<p> |
<p> |
<li><font color="#009000"><strong>INSTALLATION PROCESS FLAW</strong></font><br> |
<li><font color="#009000"><strong>INSTALLATION PROCESS FLAW</strong></font><br> |
|
|
<li><font color="#009000"><strong>NEW SOFTWARE</strong></font><br> |
<li><font color="#009000"><strong>NEW SOFTWARE</strong></font><br> |
Unfortunately, X11 binaries for the mac68k did not manage to make it onto the |
Unfortunately, X11 binaries for the mac68k did not manage to make it onto the |
CDROM. However, X11 for the mac68k is immediately available from |
CDROM. However, X11 for the mac68k is immediately available from |
<a href="http://ftp.openbsd.org/pub/OpenBSD/2.2/mac68k/X11/X11R6.tar.gz"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/2.2/mac68k/X11/X11R6.tar.gz"> |
http://ftp.OpenBSD.org/pub/OpenBSD/2.2/mac68k/X11/X11R6.tar.gz</a>. Please |
https://ftp.OpenBSD.org/pub/OpenBSD/2.2/mac68k/X11/X11R6.tar.gz</a>. Please |
be sure to read the <a href="http://ftp.openbsd.org/pub/OpenBSD/2.2/mac68k/X11/README.X11">README file</a> also in that directory for instructions on installing |
be sure to read the <a href="https://ftp.openbsd.org/pub/OpenBSD/2.2/mac68k/X11/README.X11">README file</a> also in that directory for instructions on installing |
and setting up X. |
and setting up X. |
<p> |
<p> |
<li><font color="#009000"><strong>INSTALLATION PROCESS FLAW</strong></font><br> |
<li><font color="#009000"><strong>INSTALLATION PROCESS FLAW</strong></font><br> |
As shipped on the CDROM, both the |
As shipped on the CDROM, both the |
<a href="http://ftp.openbsd.org/pub/OpenBSD/2.2/mac68k/bsd-generic.tar.gz"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/2.2/mac68k/bsd-generic.tar.gz"> |
generic kernel</a> |
generic kernel</a> |
and the |
and the |
<a href="http://ftp.openbsd.org/pub/OpenBSD/2.2/bsd-genericbsc.tar.gz"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/2.2/bsd-genericbsc.tar.gz"> |
genericsbc kernel</a> |
genericsbc kernel</a> |
extract themselves into the wrong place in the filesystem. |
extract themselves into the wrong place in the filesystem. |
Both <strong>should</strong> extract a kernel named <tt>/bsd</tt>, but they extract |
Both <strong>should</strong> extract a kernel named <tt>/bsd</tt>, but they extract |
the kernel into <tt>/usr/src/sys/arch/mac68k/compile</tt> instead. |
the kernel into <tt>/usr/src/sys/arch/mac68k/compile</tt> instead. |
<p> |
<p> |
This has been fixed on the ftp release of <a href=22.html>OpenBSD 2.2</a>, and |
This has been fixed on the ftp release of <a href=22.html>OpenBSD 2.2</a>, and |
fresh kernels are available from <a href="http://ftp.openbsd.org/pub/OpenBSD/2.2/mac68k"> |
fresh kernels are available from <a href="https://ftp.openbsd.org/pub/OpenBSD/2.2/mac68k"> |
http://ftp.OpenBSD.ORG/pub/OpenBSD/2.2/mac68k/</a>. If at all possible, |
http://ftp.OpenBSD.ORG/pub/OpenBSD/2.2/mac68k/</a>. If at all possible, |
installing these kernels is recommended. |
installing these kernels is recommended. |
<p> |
<p> |
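Review bot: the visible text of the fresh-kernels link still reads `http://ftp.OpenBSD.ORG/pub/OpenBSD/2.2/mac68k/` on the new side, although its href was switched to https on the line above. The X11R6.tar.gz link earlier in this hunk had both its href and its text updated. Suggest changing the text to `https://ftp.OpenBSD.ORG/pub/OpenBSD/2.2/mac68k/` so that a reader who copies the printed URL gets the same scheme as one who clicks it. While these lines are being touched, the genericsbc link is worth checking too: its href is `/pub/OpenBSD/2.2/bsd-genericbsc.tar.gz`, which spells the file `genericbsc` and lacks the `mac68k/` directory used by the generic kernel link beside it.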
|
|
<li><font color="#009000"><strong>RELIABILITY FIX</strong></font><br> |
<li><font color="#009000"><strong>RELIABILITY FIX</strong></font><br> |
Older 4/xxx systems (particularly the 4/300's) cannot boot |
Older 4/xxx systems (particularly the 4/300's) cannot boot |
with the 2.2 kernel due to bugs in the scsi device driver. |
with the 2.2 kernel due to bugs in the scsi device driver. |
<a href="http://ftp.OpenBSD.org/pub/OpenBSD/patches/2.2/sparc/esp.patch"> |
<a href="https://ftp.OpenBSD.org/pub/OpenBSD/patches/2.2/sparc/esp.patch"> |
A kernel source patch is available</a>. |
A kernel source patch is available</a>. |
Replacement kernels are available for: |
Replacement kernels are available for: |
<a href="http://ftp.OpenBSD.org/pub/OpenBSD/patches/2.2/sparc/bsd">bsd</a>, |
<a href="https://ftp.OpenBSD.org/pub/OpenBSD/patches/2.2/sparc/bsd">bsd</a>, |
<a href="http://ftp.OpenBSD.org/pub/OpenBSD/patches/2.2/sparc/bsd.scsi3">bsd.scsi3</a>, |
<a href="https://ftp.OpenBSD.org/pub/OpenBSD/patches/2.2/sparc/bsd.scsi3">bsd.scsi3</a>, |
and a replacement for bsd.rd is coming soon. |
and a replacement for bsd.rd is coming soon. |
<p> |
<p> |
<li id="sparciommu"> |
<li id="sparciommu"> |
<font color="#009000"><strong>RELIABILITY FIX</strong></font><br> |
<font color="#009000"><strong>RELIABILITY FIX</strong></font><br> |
SPARCstation 4 and 5 (Microsparc 2) users may see kernel panics when |
SPARCstation 4 and 5 (Microsparc 2) users may see kernel panics when |
using a custom kernel configured for option sun4m only. |
using a custom kernel configured for option sun4m only. |
<a href="http://ftp.OpenBSD.org/pub/OpenBSD/patches/2.2/sparc/sun4m.patch"> |
<a href="https://ftp.OpenBSD.org/pub/OpenBSD/patches/2.2/sparc/sun4m.patch"> |
A workaround (kernel source patch) is available</a>. Apply the patch and |
A workaround (kernel source patch) is available</a>. Apply the patch and |
then re-build your kernel. |
then re-build your kernel. |
<p> |
<p> |
<li><font color="#009000"><strong>FUNCTIONALITY FIX</strong></font><br> |
<li><font color="#009000"><strong>FUNCTIONALITY FIX</strong></font><br> |
Missing Xamiga manual pages. Get |
Missing Xamiga manual pages. Get |
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.2/amiga/Xamiga-manual.tgz"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.2/amiga/Xamiga-manual.tgz"> |
this package</a> and execute, <i>as root</i>:<br> |
this package</a> and execute, <i>as root</i>:<br> |
<strong><b># </b>pkg_add Xamiga-manual.tgz</strong><br> |
<strong><b># </b>pkg_add Xamiga-manual.tgz</strong><br> |
The MD5 checksum of this package is:<br> |
The MD5 checksum of this package is:<br> |
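Review bot: in the Xamiga-manual entry at the end of this hunk, the only integrity check offered is an MD5 checksum, for a package that is installed as root with pkg_add. Moving the download link to https protects the transfer, but MD5 is no longer collision resistant, so consider publishing a SHA-256 digest alongside it. Minor style point: the sparc links in this hunk write the host as `ftp.OpenBSD.org` while the amiga link uses `ftp.openbsd.org`. Both resolve the same, but a single spelling would keep the file consistent.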
|
|
<li><font color="#009000"><strong>FUNCTIONALITY FIX</strong></font><br> |
<li><font color="#009000"><strong>FUNCTIONALITY FIX</strong></font><br> |
There is a Year-1998 problem in the time-setting code (which causes the |
There is a Year-1998 problem in the time-setting code (which causes the |
date and time to be set incorrectly after a reboot in 1998). |
date and time to be set incorrectly after a reboot in 1998). |
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.2/pmax/clock.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.2/pmax/clock.patch"> |
A source code patch file is available</a> plus replacement installation |
A source code patch file is available</a> plus replacement installation |
kernels for the 2.2 release at |
kernels for the 2.2 release at |
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.2/pmax/bsd.NFS">bsd.NFS</a>, |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.2/pmax/bsd.NFS">bsd.NFS</a>, |
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.2/pmax/bsd">bsd</a>, |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.2/pmax/bsd">bsd</a>, |
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.2/pmax/bsd.rz0">bsd.rz0</a>. |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.2/pmax/bsd.rz0">bsd.rz0</a>. |
<p> |
<p> |
<li><font color="#009000"><strong>FUNCTIONALITY FIX</strong></font><br> |
<li><font color="#009000"><strong>FUNCTIONALITY FIX</strong></font><br> |
X11 support for the 3min and 3maxplus machines was broken |
X11 support for the 3min and 3maxplus machines was broken |
due to a kernel bug. |
due to a kernel bug. |
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.2/pmax/fb.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.2/pmax/fb.patch"> |
A source code patch is available</a>. |
A source code patch is available</a>. |
<p> |
<p> |
<li id="ldso"> |
<li id="ldso"> |
|
|
A security problem in the shared library linker <strong>ld.so</strong> |
A security problem in the shared library linker <strong>ld.so</strong> |
requires that you replace it with a new binary. The following binary |
requires that you replace it with a new binary. The following binary |
will work on both pmax and arc machines. |
will work on both pmax and arc machines. |
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.2/pmax/ld.so"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.2/pmax/ld.so"> |
The replacement binary is here</a>. |
The replacement binary is here</a>. |
<p> |
<p> |
<li><font color="#009000"><strong>SECURITY FIX</strong></font><br> |
<li><font color="#009000"><strong>SECURITY FIX</strong></font><br> |
A security problem in the shared library linker <strong>ld.so</strong> requires |
A security problem in the shared library linker <strong>ld.so</strong> requires |
that you replace it with a new binary. The following binary |
that you replace it with a new binary. The following binary |
will work on both pmax and arc machines. |
will work on both pmax and arc machines. |
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.2/pmax/ld.so"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.2/pmax/ld.so"> |
The replacement binary is here</a>. |
The replacement binary is here</a>. |
<p> |
<p> |
<li><font color="#009000"><strong>MISSING FUNCTIONALITY</strong></font><br> |
<li><font color="#009000"><strong>MISSING FUNCTIONALITY</strong></font><br> |
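Review bot: both ld.so entries in this hunk link the same `patches/2.2/pmax/ld.so` replacement binary, and neither visible entry gives a checksum for it, whereas the Xamiga-manual package entry states one. Since the file replaces the shared library linker, a digest next to each link would let an administrator verify the download before installing it; https on the href covers the transfer only. The body text of the two entries is also word-for-word identical, so confirm that the second entry is meant to point at the pmax path as well.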