===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/errata26.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- www/errata26.html	2000/05/19 20:04:53	1.1
+++ www/errata26.html	2000/05/25 07:36:21	1.2
@@ -37,6 +37,20 @@
 <a name=all></a>
 <li><h3><font color=#e00000>All architectures</font></h3>
 <ul>
+<a name=xlockmore></a>
+<li><font color=#009000><strong>022: SECURITY FIX: May 25, 2000</strong></font><br>
+xlockmore has a localhost attack against it which allows recovery of the encrypted
+hash of the root password.  The damage to systems using DES passwords from this
+attack is pretty heavy, but to systems with a well-chosen root password under
+blowfish encoding
+(see <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=crypt&sektion=3">
+crypt(3)</a>)
+the impact is much reduced.<br>
+(Aside:  We do not consider this a localhost root hole in the default install,
+since we have not seen a fast blowfish cracker yet ;-)<br>
+<a href=ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.6/common/022_syslog.patch>
+A source code patch exists, which remedies this problem.</a>
+<p>
 <a name=rzsz></a>
 <li><font color=#009000><strong>021: RZSZ SNOOPING: Jan 31, 2000</strong></font><br>
 The rzsz port was removed from the ports collection, as it collects and
@@ -284,7 +298,7 @@
 
 <a href=index.html><img height=24 width=24 src=back.gif border=0 alt=OpenBSD></a> 
 <a href=mailto:www@openbsd.org>www@openbsd.org</a>
-<br><small>$OpenBSD: errata26.html,v 1.1 2000/05/19 20:04:53 deraadt Exp $</small>
+<br><small>$OpenBSD: errata26.html,v 1.2 2000/05/25 07:36:21 deraadt Exp $</small>
 
 </body>
 </html>