===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/errata27.html,v
retrieving revision 1.36
retrieving revision 1.37
diff -c -r1.36 -r1.37
*** www/errata27.html 2003/10/24 22:12:40 1.36
--- www/errata27.html 2003/11/21 16:55:16 1.37
***************
*** 8,13 ****
--- 8,14 ----
+
***************
*** 50,61 ****
consult the OpenBSD FAQ.
!
!
!
All architectures
!
! - 040: SECURITY FIX: Mar 18, 2001
The readline library shipped with OpenBSD allows history files creation
with a permissive
umask(2).
--- 51,61 ----
consult the OpenBSD FAQ.
!
! All architectures
! -
! 040: SECURITY FIX: Mar 18, 2001
The readline library shipped with OpenBSD allows history files creation
with a permissive
umask(2).
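Review bot: in the 040 entry that closes this hunk, "allows history files creation with a permissive umask(2)" is ungrammatical, and the sentence is carried over unchanged on both the old and new side. Since the entry's markup is being touched anyway, reword it to something like "creates history files with a permissive umask(2)".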
***************
*** 67,100 ****
A source code patch exists which remedies the problem.
!
!
- 039: SECURITY FIX: Feb 22, 2001
There is an exploitable heap corruption bug in
sudo.
A source code patch exists which remedies the problem.
!
!
- 037: SECURITY FIX: Dec 4, 2000
OpenBSD 2.7's ftpd contains a one-byte overflow in the replydirname() function.
A source code patch exists which remedies the problem.
!
!
- 035: SECURITY FIX: Nov 10, 2000
Hostile servers can force OpenSSH clients to do agent or X11 forwarding.
This problem is fixed as of OpenSSH 2.3.0.
A source code patch exists which remedies this problem.
!
!
- 033: RELIABILITY FIX: Nov 6, 2000
Invalid fields in the exec header could cause a crash.
A source code patch exists which remedies this problem.
!
!
- 032: SECURITY FIX: Oct 26, 2000
There are two possibly exploitable potential buffer overflows in the X11
libraries using the xtrans code. One of these vulnerabilities was
reported to the
--- 67,100 ----
A source code patch exists which remedies the problem.
!
-
! 039: SECURITY FIX: Feb 22, 2001
There is an exploitable heap corruption bug in
sudo.
A source code patch exists which remedies the problem.
!
-
! 037: SECURITY FIX: Dec 4, 2000
OpenBSD 2.7's ftpd contains a one-byte overflow in the replydirname() function.
A source code patch exists which remedies the problem.
!
-
! 035: SECURITY FIX: Nov 10, 2000
Hostile servers can force OpenSSH clients to do agent or X11 forwarding.
This problem is fixed as of OpenSSH 2.3.0.
A source code patch exists which remedies this problem.
!
-
! 033: RELIABILITY FIX: Nov 6, 2000
Invalid fields in the exec header could cause a crash.
A source code patch exists which remedies this problem.
!
-
! 032: SECURITY FIX: Oct 26, 2000
There are two possibly exploitable potential buffer overflows in the X11
libraries using the xtrans code. One of these vulnerabilities was
reported to the
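Review bot: the 032 entry at the end of this hunk hedges twice in "two possibly exploitable potential buffer overflows", which leaves the reader unsure what is actually being claimed. Suggest "two potentially exploitable buffer overflows" while the entry is being reflowed.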
***************
*** 104,111 ****
A source code patch exists which remedies this problem.
!
!
- 031: SECURITY FIX: Oct 18, 2000
Apache has several bugs in mod_rewrite and mod_vhost_alias
that could cause arbitrary files accessible to the www user on the server
to be exposed under certain configurations when these modules are used.
--- 104,111 ----
A source code patch exists which remedies this problem.
!
-
! 031: SECURITY FIX: Oct 18, 2000
Apache has several bugs in mod_rewrite and mod_vhost_alias
that could cause arbitrary files accessible to the www user on the server
to be exposed under certain configurations when these modules are used.
***************
*** 114,143 ****
A source code patch exists which remedies this problem.
!
!
- 030: SECURITY FIX: Oct 10, 2000
The telnet daemon does not strip out the TERMINFO, TERMINFO_DIRS, TERMPATH
and TERMCAP (when it starts with a '/') environment variables.
A source code patch exists which remedies this problem.
!
!
- 029: RELIABILITY FIX: Oct 9, 2000
There is a non-exploitable buffer overflow in sendmail's test mode.
A source code patch exists which remedies this problem.
!
!
- 028: SECURITY FIX: Oct 6, 2000
There are printf-style format string bugs in several privileged programs.
A source code patch exists which remedies this problem.
!
!
- 027: SECURITY FIX: Oct 6, 2000
libcurses honored terminal descriptions in the $HOME/.terminfo directory
as well as in the TERMCAP environment variable for setuid and setgid
applications.
--- 114,143 ----
A source code patch exists which remedies this problem.
!
-
! 030: SECURITY FIX: Oct 10, 2000
The telnet daemon does not strip out the TERMINFO, TERMINFO_DIRS, TERMPATH
and TERMCAP (when it starts with a '/') environment variables.
A source code patch exists which remedies this problem.
!
-
! 029: RELIABILITY FIX: Oct 9, 2000
There is a non-exploitable buffer overflow in sendmail's test mode.
A source code patch exists which remedies this problem.
!
-
! 028: SECURITY FIX: Oct 6, 2000
There are printf-style format string bugs in several privileged programs.
A source code patch exists which remedies this problem.
!
-
! 027: SECURITY FIX: Oct 6, 2000
libcurses honored terminal descriptions in the $HOME/.terminfo directory
as well as in the TERMCAP environment variable for setuid and setgid
applications.
***************
*** 145,160 ****
A source code patch exists which remedies this problem.
!
!
- 026: SECURITY FIX: Oct 6, 2000
A format string vulnerability exists in talkd(8). It is not clear
yet what the impact is.
A source code patch exists which remedies this problem.
!
!
- 025: SECURITY FIX: Oct 3, 2000
A format string vulnerability exists in the pw_error(3) function. This
manifests itself as a security hole in the chpass utility. As a workaround
which disables its functionality, do
--- 145,160 ----
A source code patch exists which remedies this problem.
!
-
! 026: SECURITY FIX: Oct 6, 2000
A format string vulnerability exists in talkd(8). It is not clear
yet what the impact is.
A source code patch exists which remedies this problem.
!
-
! 025: SECURITY FIX: Oct 3, 2000
A format string vulnerability exists in the pw_error(3) function. This
manifests itself as a security hole in the chpass utility. As a workaround
which disables its functionality, do
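Review bot: the 026 entry in this hunk still reads "It is not clear yet what the impact is." The entry is dated Oct 6, 2000 and this revision is dated 2003/11/21, so the sentence is stale; update it with what is known now or drop it, so that readers triaging the talkd(8) format string fix are not left with an open question.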
***************
*** 164,177 ****
A source code patch exists which remedies this problem.
!
!
- 024: SECURITY FIX: Sep 18, 2000
Bad ESP/AH packets could cause a crash under certain conditions.
A source code patch exists which remedies this problem.
!
!
- 023: SECURITY FIX: Aug 16, 2000
A format string vulnerability exists in xlock. As a workaround which disables
its functionality, do
--- 164,177 ----
A source code patch exists which remedies this problem.
!
-
! 024: SECURITY FIX: Sep 18, 2000
Bad ESP/AH packets could cause a crash under certain conditions.
A source code patch exists which remedies this problem.
!
-
! 023: SECURITY FIX: Aug 16, 2000
A format string vulnerability exists in xlock. As a workaround which disables
its functionality, do
***************
*** 180,187 ****
A source code patch exists which remedies this problem.
!
!
- 021: SECURITY FIX: July 14, 2000
Various problems in X11 libraries have various side effects. We provide a
jumbo patch to fix them.
--- 180,187 ----
A source code patch exists which remedies this problem.
!
-
! 021: SECURITY FIX: July 14, 2000
Various problems in X11 libraries have various side effects. We provide a
jumbo patch to fix them.
***************
*** 211,218 ****
ignore the build error. The whatis database will be rebuilt the next
time /etc/weekly runs.
!
!
- 019: SECURITY FIX: July 5, 2000
Just like pretty much all the other unix ftp daemons on the planet,
ftpd had a remote root hole in it. Luckily, ftpd was not enabled by default.
The problem exists if anonymous ftp is enabled.
--- 211,218 ----
ignore the build error. The whatis database will be rebuilt the next
time /etc/weekly runs.
!
-
! 019: SECURITY FIX: July 5, 2000
Just like pretty much all the other unix ftp daemons on the planet,
ftpd had a remote root hole in it. Luckily, ftpd was not enabled by default.
The problem exists if anonymous ftp is enabled.
***************
*** 220,234 ****
A source code patch exists which remedies this problem.
!
!
- 018: SECURITY FIX: July 5, 2000
Mopd contained a buffer overflow.
A source code patch exists which remedies this problem.
!
!
- 017: INSTALLATION FIX: July 3, 2000
The screen package shipped with 2.7 does not install itself properly. The
existing package in 2.7/packages/_ARCH_/screen-3.9.5.tgz has been renamed to
--- 220,234 ----
A source code patch exists which remedies this problem.
!
-
! 018: SECURITY FIX: July 5, 2000
Mopd contained a buffer overflow.
A source code patch exists which remedies this problem.
!
-
! 017: INSTALLATION FIX: July 3, 2000
The screen package shipped with 2.7 does not install itself properly. The
existing package in 2.7/packages/_ARCH_/screen-3.9.5.tgz has been renamed to
***************
*** 238,245 ****
A source code patch exists which remedies this problem.
!
!
- 013: SECURITY FIX: June 28, 2000
libedit would check for a .editrc file in the current directory.
That behaviour is not nice; this does not turn into a security problem in
any real world situation that we know of, but a patch is available anyways.
--- 238,245 ----
A source code patch exists which remedies this problem.
!
-
! 013: SECURITY FIX: June 28, 2000
libedit would check for a .editrc file in the current directory.
That behaviour is not nice; this does not turn into a security problem in
any real world situation that we know of, but a patch is available anyways.
***************
*** 247,305 ****
A source code patch exists which remedies this problem.
!
!
- 012: SECURITY FIX: June 24, 2000
A serious bug in dhclient(8) could allow strings from a malicious dhcp
server to be executed in the shell as root.
A source code patch exists which remedies this problem.
!
!
- 009: SECURITY FIX: June 9, 2000
A serious bug in isakmpd(8) policy handling wherein policy
verification could be completely bypassed in isakmpd.
A source code patch exists which remedies this problem.
!
!
- 008: RELIABILITY FIX: June 8, 2000
Some operations in msdosfs could result in a system panic.
A source code patch exists which remedies this problem.
!
!
- 007: RELIABILITY FIX: June 8, 2000
NFS exporting of CD filesystems caused a system panic.
A source code patch exists which remedies this problem.
!
!
- 006: SECURITY FIX: June 6, 2000
The non-default UseLogin feature in /etc/sshd_config is broken and should not
be used. On other operating systems, it results in a hole.
Avoid use of this feature, or update to OpenSSH 2.1.1 or later if you must use it.
!
!
- 005: RELIABILITY FIX: May 29, 2000
Parse IPv4 options more carefully. It is not yet clear if this can even be used
to crash the machine remote or locally.
A source code patch exists which remedies this problem.
!
!
- 004: RELIABILITY FIX: May 29, 2000
Certain routing table modifications by the superuser could cause a system panic.
A source code patch exists which remedies this problem.
!
!
- 003: SECURITY FIX: May 26, 2000
It is possible to bypass the learning flag on an interface if frames
go directly to the machine acting as a
bridge.
--- 247,305 ----
A source code patch exists which remedies this problem.
!
-
! 012: SECURITY FIX: June 24, 2000
A serious bug in dhclient(8) could allow strings from a malicious dhcp
server to be executed in the shell as root.
A source code patch exists which remedies this problem.
!
-
! 009: SECURITY FIX: June 9, 2000
A serious bug in isakmpd(8) policy handling wherein policy
verification could be completely bypassed in isakmpd.
A source code patch exists which remedies this problem.
!
-
! 008: RELIABILITY FIX: June 8, 2000
Some operations in msdosfs could result in a system panic.
A source code patch exists which remedies this problem.
!
-
! 007: RELIABILITY FIX: June 8, 2000
NFS exporting of CD filesystems caused a system panic.
A source code patch exists which remedies this problem.
!
-
! 006: SECURITY FIX: June 6, 2000
The non-default UseLogin feature in /etc/sshd_config is broken and should not
be used. On other operating systems, it results in a hole.
Avoid use of this feature, or update to OpenSSH 2.1.1 or later if you must use it.
!
-
! 005: RELIABILITY FIX: May 29, 2000
Parse IPv4 options more carefully. It is not yet clear if this can even be used
to crash the machine remote or locally.
A source code patch exists which remedies this problem.
!
-
! 004: RELIABILITY FIX: May 29, 2000
Certain routing table modifications by the superuser could cause a system panic.
A source code patch exists which remedies this problem.
!
-
! 003: SECURITY FIX: May 26, 2000
It is possible to bypass the learning flag on an interface if frames
go directly to the machine acting as a
bridge.
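Review bot: in the 005 entry of this hunk, "crash the machine remote or locally" should read "remotely or locally". The preceding "It is not yet clear if this can even be used" is also written from the point of view of May 2000 and is carried unchanged into a 2003 revision; consider rewording it while the entry is being edited. Separately, 006 is the only entry in the hunk with no "A source code patch exists" line, which is consistent with its text (avoid UseLogin or update to OpenSSH 2.1.1) but worth a second look to confirm it is intentional.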
***************
*** 307,314 ****
A source code patch exists which remedies this problem.
!
!
- 002: DRIVER FIX: May 26, 2000
The
ef(4)
driver will complain when adding an address with ifconfig
--- 307,314 ----
A source code patch exists which remedies this problem.
!
-
! 002: DRIVER FIX: May 26, 2000
The
ef(4)
driver will complain when adding an address with ifconfig
***************
*** 316,323 ****
A source code patch exists which remedies this problem.
!
!
- 001: SECURITY FIX: May 25, 2000
A misuse of ipf(8)
keep-state rules can result in firewall rules being bypassed.
--- 316,323 ----
A source code patch exists which remedies this problem.
!
-
! 001: SECURITY FIX: May 25, 2000
A misuse of ipf(8)
keep-state rules can result in firewall rules being bypassed.
***************
*** 326,336 ****
!
!
i386
!
! - 016: DRIVER BUG: July 2, 2000
The xl(4)
driver supporting various 3com cards, had a bug which prevented the multicast
filter from working correctly on the 3c905B, thus preventing many IPv6 things
--- 326,336 ----
!
!
i386
! -
! 016: DRIVER BUG: July 2, 2000
The xl(4)
driver supporting various 3com cards, had a bug which prevented the multicast
filter from working correctly on the 3c905B, thus preventing many IPv6 things
***************
*** 339,346 ****
A source code patch exists which remedies this problem.
!
!
- 015: DRIVER BUG: June 30, 2000
The ste(4)
driver supporting Ethernet cards based on the Sundance ST201 chipset
(i.e., the D-Link 550TX) has a bug which causes the machine to panic at
--- 339,346 ----
A source code patch exists which remedies this problem.
!
-
! 015: DRIVER BUG: June 30, 2000
The ste(4)
driver supporting Ethernet cards based on the Sundance ST201 chipset
(i.e., the D-Link 550TX) has a bug which causes the machine to panic at
***************
*** 349,356 ****
A source code patch exists which remedies this problem.
!
!
- 014: DRIVER BUG: June 30, 2000
The PC console driver (PCVT) has two bugs. Display problems can result if
reverse video mode is turned on or off twice in a row. This patch also
fixes a problem with scrolling region handling that has been seen by many
--- 349,356 ----
A source code patch exists which remedies this problem.
!
-
! 014: DRIVER BUG: June 30, 2000
The PC console driver (PCVT) has two bugs. Display problems can result if
reverse video mode is turned on or off twice in a row. This patch also
fixes a problem with scrolling region handling that has been seen by many
***************
*** 359,366 ****
There is now a second revision of the source code patch which remedies this problem.
!
!
- 011: DRIVER BUG: June 17, 2000
The an(4)
Aironet Communications 4500/4800 IEEE 802.11DS driver has a bug which prevents
ancontrol(8) from working correctly, instead causing a panic.
--- 359,366 ----
There is now a second revision of the source code patch which remedies this problem.
!
-
! 011: DRIVER BUG: June 17, 2000
The an(4)
Aironet Communications 4500/4800 IEEE 802.11DS driver has a bug which prevents
ancontrol(8) from working correctly, instead causing a panic.
***************
*** 370,380 ****
!
!
mac68k
!
! - 022: INSTALLATION FIX: July 14, 2000
The MacOS installer shipped with OpenBSD 2.7 does not correctly make all
devices, specifically it does not make the /dev/arandom device
--- 370,380 ----
!
!
mac68k
!
!
sparc
!
!
sparc
!
!
amiga
!
! - 010: CD DISTRIBUTION ERROR: June 15, 2000
On the 2.7 CD media, the amiga distribution contains two pairs of archives
files for installation, ie:
--- 411,421 ----
!
!
amiga
!
!
pmax
!
! - 020: KERNEL BUG: July 10, 2000
As originally shipped, the pmax port would fail to install due to
/kern/msgbuf bugs.
The necessary fixes have been merged,
--- 439,449 ----
!
!
pmax
! -
! 020: KERNEL BUG: July 10, 2000
As originally shipped, the pmax port would fail to install due to
/kern/msgbuf bugs.
The necessary fixes have been merged,
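Review bot: after the mac68k section this hunk runs straight into the sparc, amiga and pmax changes without their "***************" separators or "*** N,M ****" old-range headers; only the new-range headers "--- 411,421 ----" and "--- 439,449 ----" remain, and the sparc heading appears twice with no entry under it. As posted, this part cannot be checked line for line against revision 1.36; regenerate the diff so that each hunk carries both range headers.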
***************
*** 458,494 ****
!
!
arc
- No problems identified yet.
!
!
alpha
- No problems identified yet.
!
!
hp300
- No problems identified yet.
!
!
mvme68k
- No problems identified yet.
!
!
powerpc
- No problems identified yet.
-
--- 458,493 ----
!
!
arc
- No problems identified yet.
!
!
alpha
- No problems identified yet.
!
!
hp300
- No problems identified yet.
!
!
mvme68k
- No problems identified yet.
!
!
powerpc
- No problems identified yet.
***************
*** 513,519 ****
www@openbsd.org
!
$OpenBSD: errata27.html,v 1.36 2003/10/24 22:12:40 david Exp $