===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/errata26.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -c -r1.1 -r1.2
*** www/errata26.html	2000/05/19 20:04:53	1.1
--- www/errata26.html	2000/05/25 07:36:21	1.2
***************
*** 37,42 ****
--- 37,56 ----
  <a name=all></a>
  <li><h3><font color=#e00000>All architectures</font></h3>
  <ul>
+ <a name=xlockmore></a>
+ <li><font color=#009000><strong>022: SECURITY FIX: May 25, 2000</strong></font><br>
+ xlockmore has a localhost attack against it which allows recovery of the encrypted
+ hash of the root password.  The damage to systems using DES passwords from this
+ attack is pretty heavy, but to systems with a well-chosen root password under
+ blowfish encoding
+ (see <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=crypt&sektion=3">
+ crypt(3)</a>)
+ the impact is much reduced.<br>
+ (Aside:  We do not consider this a localhost root hole in the default install,
+ since we have not seen a fast blowfish cracker yet ;-)<br>
+ <a href=ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.6/common/022_syslog.patch>
+ A source code patch exists, which remedies this problem.</a>
+ <p>
  <a name=rzsz></a>
  <li><font color=#009000><strong>021: RZSZ SNOOPING: Jan 31, 2000</strong></font><br>
  The rzsz port was removed from the ports collection, as it collects and
***************
*** 284,290 ****
  
  <a href=index.html><img height=24 width=24 src=back.gif border=0 alt=OpenBSD></a> 
  <a href=mailto:www@openbsd.org>www@openbsd.org</a>
! <br><small>$OpenBSD: errata26.html,v 1.1 2000/05/19 20:04:53 deraadt Exp $</small>
  
  </body>
  </html>
--- 298,304 ----
  
  <a href=index.html><img height=24 width=24 src=back.gif border=0 alt=OpenBSD></a> 
  <a href=mailto:www@openbsd.org>www@openbsd.org</a>
! <br><small>$OpenBSD: errata26.html,v 1.2 2000/05/25 07:36:21 deraadt Exp $</small>
  
  </body>
  </html>