===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/errata26.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- www/errata26.html 2000/05/19 20:04:53 1.1
+++ www/errata26.html 2000/05/25 07:36:21 1.2
@@ -37,6 +37,20 @@
All architectures
+
+- 022: SECURITY FIX: May 25, 2000
+xlockmore has a localhost attack against it which allows recovery of the encrypted
+hash of the root password. The damage to systems using DES passwords from this
+attack is pretty heavy, but to systems with a well-chosen root password under
+blowfish encoding
+(see
+crypt(3))
+the impact is much reduced.
+(Aside: We do not consider this a localhost root hole in the default install,
+since we have not seen a fast blowfish cracker yet ;-)
+
+A source code patch exists, which remedies this problem.
+
- 021: RZSZ SNOOPING: Jan 31, 2000
The rzsz port was removed from the ports collection, as it collects and
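Review bot: The new 022 entry tells the reader that the encrypted root password hash can be recovered but gives no guidance for a host where that may already have happened; the closing line "A source code patch exists, which remedies this problem." covers only the fix going forward. Since the entry itself calls the damage under DES passwords "pretty heavy", consider adding a sentence advising administrators to change the root password after applying the patch. The aside "We do not consider this a localhost root hole in the default install" rests entirely on cracking cost and on the password being well chosen, so it would be clearer to state that condition in the aside as well. Two wording points: "blowfish encoding" would be more accurate as "blowfish hashing", and "localhost attack" should say what access the attacker needs (for example, a local account).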
@@ -284,7 +298,7 @@
www@openbsd.org
-
$OpenBSD: errata26.html,v 1.1 2000/05/19 20:04:53 deraadt Exp $
+
$OpenBSD: errata26.html,v 1.2 2000/05/25 07:36:21 deraadt Exp $