===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/errata27.html,v
retrieving revision 1.95
retrieving revision 1.96
diff -c -r1.95 -r1.96
*** www/errata27.html 2019/05/27 22:55:19 1.95
--- www/errata27.html 2019/05/28 16:32:41 1.96
***************
*** 84,263 ****
! -
! 040: SECURITY FIX: Mar 18, 2001
All architectures
! The readline library shipped with OpenBSD allows history files creation
! with a permissive
! umask(2).
! This can lead to the leakage of sensitive information in applications
! that use passwords and the like during user interaction (one such
! application is mysql). Additionally, if the HOME environment variable
! is not set, the current working directory is used; this patch disables
! the history file if HOME is not set.
!
A source code patch exists which remedies this problem.
!
-
! 039: SECURITY FIX: Feb 22, 2001
All architectures
! There is an exploitable heap corruption bug in
! sudo.
!
!
A source code patch exists which remedies this problem.
!
-
! 037: SECURITY FIX: Dec 4, 2000
All architectures
! OpenBSD 2.7's ftpd contains a one-byte overflow in the replydirname() function.
!
A source code patch exists which remedies this problem.
!
-
! 036: RELIABILITY FIX: Nov 17, 2000
! Configuring a qec+qe causes a NMI panic.
!
A source code patch exists which remedies this problem.
!
-
! 035: SECURITY FIX: Nov 10, 2000
All architectures
! Hostile servers can force OpenSSH clients to do agent or X11 forwarding.
! This problem is fixed as of OpenSSH 2.3.0.
!
A source code patch exists which remedies this problem.
!
-
! 034: RELIABILITY FIX: Nov 10, 2000
! When running a sparc with a serial console, certain types of interrupts would
! cause great grief.
!
! A source code patch exists which remedies this problem.
!
-
! 033: RELIABILITY FIX: Nov 6, 2000
All architectures
! Invalid fields in the exec header could cause a crash.
!
A source code patch exists which remedies this problem.
!
-
! 032: SECURITY FIX: Oct 26, 2000
All architectures
! There are two possibly exploitable potential buffer overflows in the X11
! libraries using the xtrans code. One of these vulnerabilities was
! reported to the
! BUGTRAQ
! mailing list.
!
A source code patch exists which remedies this problem.
!
-
! 031: SECURITY FIX: Oct 18, 2000
All architectures
! Apache has several bugs in mod_rewrite
and mod_vhost_alias
! that could cause arbitrary files accessible to the www user on the server
! to be exposed under certain configurations when these modules are used.
! (These modules are not active by default).
!
A source code patch exists which remedies this problem.
!
-
! 030: SECURITY FIX: Oct 10, 2000
! All architectures
! The telnet daemon does not strip out the TERMINFO, TERMINFO_DIRS, TERMPATH
! and TERMCAP (when it starts with a '/') environment variables.
!
A source code patch exists which remedies this problem.
!
-
! 029: RELIABILITY FIX: Oct 9, 2000
All architectures
! There is a non-exploitable buffer overflow in sendmail's test mode.
!
A source code patch exists which remedies this problem.
!
-
! 028: SECURITY FIX: Oct 6, 2000
All architectures
! There are printf-style format string bugs in several privileged programs.
!
A source code patch exists which remedies this problem.
!
-
! 027: SECURITY FIX: Oct 6, 2000
! All architectures
! libcurses honored terminal descriptions in the $HOME/.terminfo directory
! as well as in the TERMCAP environment variable for setuid and setgid
! applications.
!
A source code patch exists which remedies this problem.
!
-
! 026: SECURITY FIX: Oct 6, 2000
! All architectures
! A format string vulnerability exists in talkd(8). It is not clear
! yet what the impact is.
!
A source code patch exists which remedies this problem.
!
-
! 025: SECURITY FIX: Oct 3, 2000
All architectures
! A format string vulnerability exists in the pw_error(3) function. This
! manifests itself as a security hole in the chpass utility. As a workaround
! which disables its functionality, do
!
! # chmod u-s /usr/bin/chpass
!
!
A source code patch exists which remedies this problem.
!
-
! 024: SECURITY FIX: Sep 18, 2000
All architectures
! Bad ESP/AH packets could cause a crash under certain conditions.
!
A source code patch exists which remedies this problem.
!
-
! 023: SECURITY FIX: Aug 16, 2000
All architectures
! A format string vulnerability exists in xlock. As a workaround which disables
! its functionality, do
!
! # chmod u-s /usr/X11R6/bin/xlock
!
!
A source code patch exists which remedies this problem.
!
-
! 022: INSTALLATION FIX: July 14, 2000
! The MacOS installer shipped with OpenBSD 2.7 does not correctly make all
! devices, specifically it does not make the /dev/arandom
device
! needed for the userland crypto such as ssh to work. The problem shows itself
! when ssh-keygen fails to make RSA or DSA keys, resulting in messages like
! RSA-generate_keys failed or DSA-generate_keys failed.
!
! To work around this, once your machine is up and running run the following
! commands as root:
!
! # cd /dev
! # ./MAKEDEV arandom
!
! After doing this (and possibly installing one of the ssl27 packages),
! reboot your machine and it will generate ssh keys correctly.
!
-
021: SECURITY FIX: July 14, 2000
All architectures
--- 84,313 ----
!
! -
! 001: SECURITY FIX: May 25, 2000
All architectures
! A misuse of ipf(8)
! keep-state rules can result in firewall rules being bypassed.
!
A source code patch exists which remedies this problem.
+ It updates ipf to version 3.3.16.
!
!
-
! 002: DRIVER FIX: May 26, 2000
All architectures
! The
! ef(4)
! driver will complain when adding an address with ifconfig
! (ifconfig: SIOCAIFADDR: Invalid argument).
!
A source code patch exists which remedies this problem.
!
!
-
! 003: SECURITY FIX: May 26, 2000
All architectures
! It is possible to bypass the learning flag on an interface if frames
! go directly to the machine acting as a
! bridge.
!
!
A source code patch exists which remedies this problem.
!
!
-
! 004: RELIABILITY FIX: May 29, 2000
! All architectures
! Certain routing table modifications by the superuser could cause a system panic.
!
!
A source code patch exists which remedies this problem.
!
!
-
! 005: RELIABILITY FIX: May 29, 2000
All architectures
! Parse IPv4 options more carefully. It is not yet clear if this can even be used
! to crash the machine remote or locally.
!
!
A source code patch exists which remedies this problem.
!
!
-
! 006: SECURITY FIX: June 6, 2000
! All architectures
! The non-default UseLogin feature in /etc/sshd_config is broken and should not
! be used. On other operating systems, it results in a hole.
! Avoid use of this feature, or update to OpenSSH 2.1.1 or later if you must use it.
!
!
-
! 007: RELIABILITY FIX: June 8, 2000
All architectures
! NFS exporting of CD filesystems caused a system panic.
!
!
A source code patch exists which remedies this problem.
!
!
-
! 008: RELIABILITY FIX: June 8, 2000
All architectures
! Some operations in msdosfs could result in a system panic.
!
A source code patch exists which remedies this problem.
!
!
-
! 009: SECURITY FIX: June 9, 2000
All architectures
! A serious bug in isakmpd(8) policy handling wherein policy
! verification could be completely bypassed in isakmpd.
!
A source code patch exists which remedies this problem.
!
!
-
! 010: CD DISTRIBUTION ERROR: June 15, 2000
! On the 2.7 CD media, the amiga distribution contains two pairs of archives
! files for installation, ie:
!
! -rw-r--r-- 1 root mirftp 20191465 Apr 29 14:27 base27.tar.gz
! -rw-r--r-- 1 root mirftp 20291753 May 13 19:33 base27.tgz
! -rw-r--r-- 1 root mirftp 13699507 Apr 29 14:26 comp27.tar.gz
! -rw-r--r-- 1 root mirftp 13748096 May 13 19:33 comp27.tgz
! -rw-r--r-- 1 root mirftp 1005376 Apr 29 14:26 etc27.tar.gz
! -rw-r--r-- 1 root mirftp 1010772 May 13 19:33 etc27.tgz
! -rw-r--r-- 1 root mirftp 2755567 Apr 29 14:26 game27.tar.gz
! -rw-r--r-- 1 root mirftp 2755624 May 13 19:33 game27.tgz
! -rw-r--r-- 1 root mirftp 5002872 Apr 29 14:26 man27.tar.gz
! -rw-r--r-- 1 root mirftp 5038896 May 13 19:33 man27.tgz
! -rw-r--r-- 1 root mirftp 1684356 Apr 29 14:26 misc27.tar.gz
! -rw-r--r-- 1 root mirftp 1684381 May 13 19:33 misc27.tgz
!
! The installation script will list ALL of these files. For proper
! operation one should install the *.tgz versions, and deselect
! the *.tar.gz versions.
! The FTP area sets do not suffer from this problem.
!
!
!
-
! 011: DRIVER BUG: June 17, 2000
! The an(4)
! Aironet Communications 4500/4800 IEEE 802.11DS driver has a bug which prevents
! ancontrol(8) from working correctly, instead causing a panic.
!
A source code patch exists which remedies this problem.
!
!
-
! 012: SECURITY FIX: June 24, 2000
All architectures
! A serious bug in dhclient(8) could allow strings from a malicious dhcp
! server to be executed in the shell as root.
!
A source code patch exists which remedies this problem.
!
!
-
! 013: SECURITY FIX: June 28, 2000
All architectures
! libedit would check for a .editrc file in the current directory.
! That behaviour is not nice; this does not turn into a security problem in
! any real world situation that we know of, but a patch is available anyways.
!
A source code patch exists which remedies this problem.
!
!
-
! 014: DRIVER BUG: June 30, 2000
! The PC console driver (PCVT) has two bugs. Display problems can result if
! reverse video mode is turned on or off twice in a row. This patch also
! fixes a problem with scrolling region handling that has been seen by many
! users trying to use the BitchX irc client with the screen program.
!
A source code patch exists which remedies this problem.
+ This is the second revision of the patch.
!
!
-
! 015: DRIVER BUG: June 30, 2000
! The ste(4)
! driver supporting Ethernet cards based on the Sundance ST201 chipset
! (i.e., the D-Link 550TX) has a bug which causes the machine to panic at
! boot-time.
!
A source code patch exists which remedies this problem.
!
!
-
! 016: DRIVER BUG: July 2, 2000
! The xl(4)
! driver supporting various 3com cards, had a bug which prevented the multicast
! filter from working correctly on the 3c905B, thus preventing many IPv6 things
! from working.
!
!
! A source code patch exists which remedies this problem.
!
!
!
-
! 017: INSTALLATION FIX: July 3, 2000
All architectures
! The screen package shipped with 2.7 does not install itself properly. The
! existing package in 2.7/packages/_ARCH_/screen-3.9.5.tgz has been renamed to
! screen-3.9.5.tgz.old and a replacement package has been provided under the
! name screen-3.9.5p1.tgz.
!
!
A source code patch exists which remedies this problem.
!
!
-
! 018: SECURITY FIX: July 5, 2000
All architectures
! Mopd contained a buffer overflow.
!
!
A source code patch exists which remedies this problem.
!
!
-
! 019: SECURITY FIX: July 5, 2000
All architectures
! Just like pretty much all the other unix ftp daemons on the planet,
! ftpd had a remote root hole in it. Luckily, ftpd was not enabled by default.
! The problem exists if anonymous ftp is enabled.
!
!
A source code patch exists which remedies this problem.
!
!
-
! 020: KERNEL BUG: July 10, 2000
! As originally shipped, the pmax port would fail to install due to
! /kern/msgbuf bugs.
! The necessary fixes have been merged,
! and the binaries needed re-released on the FTP site.
! However, the 2.7 srcsys.tar.gz file has not been updated.
! If you recompile a kernel, you should use either the
! stable release source tree or apply the
! provided patch to a 2.7 source tree.
!
! A source code patch exists which remedies this problem.
!
-
021: SECURITY FIX: July 14, 2000
All architectures
***************
*** 290,497 ****
ignore the build error. The whatis database will be rebuilt the next
time /etc/weekly runs.
!
-
! 020: KERNEL BUG: July 10, 2000
! As originally shipped, the pmax port would fail to install due to
! /kern/msgbuf bugs.
! The necessary fixes have been merged,
! and the binaries needed re-released on the FTP site.
! However, the 2.7 srcsys.tar.gz file has not been updated.
! If you recompile a kernel, you should use either the
! stable release source tree or apply the
! provided patch to a 2.7 source tree.
!
! A source code patch exists which remedies this problem.
!
-
! 019: SECURITY FIX: July 5, 2000
All architectures
! Just like pretty much all the other unix ftp daemons on the planet,
! ftpd had a remote root hole in it. Luckily, ftpd was not enabled by default.
! The problem exists if anonymous ftp is enabled.
!
!
A source code patch exists which remedies this problem.
!
-
! 018: SECURITY FIX: July 5, 2000
All architectures
! Mopd contained a buffer overflow.
!
!
A source code patch exists which remedies this problem.
!
-
! 017: INSTALLATION FIX: July 3, 2000
All architectures
! The screen package shipped with 2.7 does not install itself properly. The
! existing package in 2.7/packages/_ARCH_/screen-3.9.5.tgz has been renamed to
! screen-3.9.5.tgz.old and a replacement package has been provided under the
! name screen-3.9.5p1.tgz.
!
!
A source code patch exists which remedies this problem.
!
-
! 016: DRIVER BUG: July 2, 2000
! The xl(4)
! driver supporting various 3com cards, had a bug which prevented the multicast
! filter from working correctly on the 3c905B, thus preventing many IPv6 things
! from working.
!
A source code patch exists which remedies this problem.
!
-
! 015: DRIVER BUG: June 30, 2000
! The ste(4)
! driver supporting Ethernet cards based on the Sundance ST201 chipset
! (i.e., the D-Link 550TX) has a bug which causes the machine to panic at
! boot-time.
!
A source code patch exists which remedies this problem.
!
-
! 014: DRIVER BUG: June 30, 2000
! The PC console driver (PCVT) has two bugs. Display problems can result if
! reverse video mode is turned on or off twice in a row. This patch also
! fixes a problem with scrolling region handling that has been seen by many
! users trying to use the BitchX irc client with the screen program.
!
A source code patch exists which remedies this problem.
- This is the second revision of the patch.
!
-
! 013: SECURITY FIX: June 28, 2000
All architectures
! libedit would check for a .editrc file in the current directory.
! That behaviour is not nice; this does not turn into a security problem in
! any real world situation that we know of, but a patch is available anyways.
!
A source code patch exists which remedies this problem.
!
-
! 012: SECURITY FIX: June 24, 2000
All architectures
! A serious bug in dhclient(8) could allow strings from a malicious dhcp
! server to be executed in the shell as root.
!
A source code patch exists which remedies this problem.
!
-
! 011: DRIVER BUG: June 17, 2000
! The an(4)
! Aironet Communications 4500/4800 IEEE 802.11DS driver has a bug which prevents
! ancontrol(8) from working correctly, instead causing a panic.
!
A source code patch exists which remedies this problem.
!
-
! 010: CD DISTRIBUTION ERROR: June 15, 2000
! On the 2.7 CD media, the amiga distribution contains two pairs of archives
! files for installation, ie:
!
! -rw-r--r-- 1 root mirftp 20191465 Apr 29 14:27 base27.tar.gz
! -rw-r--r-- 1 root mirftp 20291753 May 13 19:33 base27.tgz
! -rw-r--r-- 1 root mirftp 13699507 Apr 29 14:26 comp27.tar.gz
! -rw-r--r-- 1 root mirftp 13748096 May 13 19:33 comp27.tgz
! -rw-r--r-- 1 root mirftp 1005376 Apr 29 14:26 etc27.tar.gz
! -rw-r--r-- 1 root mirftp 1010772 May 13 19:33 etc27.tgz
! -rw-r--r-- 1 root mirftp 2755567 Apr 29 14:26 game27.tar.gz
! -rw-r--r-- 1 root mirftp 2755624 May 13 19:33 game27.tgz
! -rw-r--r-- 1 root mirftp 5002872 Apr 29 14:26 man27.tar.gz
! -rw-r--r-- 1 root mirftp 5038896 May 13 19:33 man27.tgz
! -rw-r--r-- 1 root mirftp 1684356 Apr 29 14:26 misc27.tar.gz
! -rw-r--r-- 1 root mirftp 1684381 May 13 19:33 misc27.tgz
!
! The installation script will list ALL of these files. For proper
! operation one should install the *.tgz versions, and deselect
! the *.tar.gz versions.
! The FTP area sets do not suffer from this problem.
!
!
-
! 009: SECURITY FIX: June 9, 2000
All architectures
! A serious bug in isakmpd(8) policy handling wherein policy
! verification could be completely bypassed in isakmpd.
!
A source code patch exists which remedies this problem.
!
-
! 008: RELIABILITY FIX: June 8, 2000
All architectures
! Some operations in msdosfs could result in a system panic.
!
!
A source code patch exists which remedies this problem.
!
-
! 007: RELIABILITY FIX: June 8, 2000
! All architectures
! NFS exporting of CD filesystems caused a system panic.
!
!
A source code patch exists which remedies this problem.
!
-
! 006: SECURITY FIX: June 6, 2000
All architectures
! The non-default UseLogin feature in /etc/sshd_config is broken and should not
! be used. On other operating systems, it results in a hole.
! Avoid use of this feature, or update to OpenSSH 2.1.1 or later if you must use it.
!
-
! 005: RELIABILITY FIX: May 29, 2000
! All architectures
! Parse IPv4 options more carefully. It is not yet clear if this can even be used
! to crash the machine remote or locally.
!
!
A source code patch exists which remedies this problem.
!
-
! 004: RELIABILITY FIX: May 29, 2000
All architectures
! Certain routing table modifications by the superuser could cause a system panic.
!
!
A source code patch exists which remedies this problem.
!
-
! 003: SECURITY FIX: May 26, 2000
All architectures
! It is possible to bypass the learning flag on an interface if frames
! go directly to the machine acting as a
! bridge.
!
A source code patch exists which remedies this problem.
!
-
! 002: DRIVER FIX: May 26, 2000
All architectures
! The
! ef(4)
! driver will complain when adding an address with ifconfig
! (ifconfig: SIOCAIFADDR: Invalid argument).
!
A source code patch exists which remedies this problem.
-
-
-
- 001: SECURITY FIX: May 25, 2000
- All architectures
- A misuse of ipf(8)
- keep-state rules can result in firewall rules being bypassed.
-
- A source code patch exists which remedies this problem.
- It updates ipf to version 3.3.16.
--- 340,536 ----
ignore the build error. The whatis database will be rebuilt the next
time /etc/weekly runs.
!
!
-
! 022: INSTALLATION FIX: July 14, 2000
! The MacOS installer shipped with OpenBSD 2.7 does not correctly make all
! devices, specifically it does not make the /dev/arandom
device
! needed for the userland crypto such as ssh to work. The problem shows itself
! when ssh-keygen fails to make RSA or DSA keys, resulting in messages like
! RSA-generate_keys failed or DSA-generate_keys failed.
!
! To work around this, once your machine is up and running run the following
! commands as root:
!
! # cd /dev
! # ./MAKEDEV arandom
!
! After doing this (and possibly installing one of the ssl27 packages),
! reboot your machine and it will generate ssh keys correctly.
!
!
!
-
! 023: SECURITY FIX: Aug 16, 2000
All architectures
! A format string vulnerability exists in xlock. As a workaround which disables
! its functionality, do
!
! # chmod u-s /usr/X11R6/bin/xlock
!
!
A source code patch exists which remedies this problem.
!
!
-
! 024: SECURITY FIX: Sep 18, 2000
All architectures
! Bad ESP/AH packets could cause a crash under certain conditions.
!
A source code patch exists which remedies this problem.
!
!
-
! 025: SECURITY FIX: Oct 3, 2000
All architectures
! A format string vulnerability exists in the pw_error(3) function. This
! manifests itself as a security hole in the chpass utility. As a workaround
! which disables its functionality, do
!
! # chmod u-s /usr/bin/chpass
!
!
A source code patch exists which remedies this problem.
!
!
-
! 026: SECURITY FIX: Oct 6, 2000
! All architectures
! A format string vulnerability exists in talkd(8). It is not clear
! yet what the impact is.
!
A source code patch exists which remedies this problem.
!
!
-
! 027: SECURITY FIX: Oct 6, 2000
! All architectures
! libcurses honored terminal descriptions in the $HOME/.terminfo directory
! as well as in the TERMCAP environment variable for setuid and setgid
! applications.
!
A source code patch exists which remedies this problem.
!
!
-
! 028: SECURITY FIX: Oct 6, 2000
! All architectures
! There are printf-style format string bugs in several privileged programs.
!
A source code patch exists which remedies this problem.
!
!
-
! 029: RELIABILITY FIX: Oct 9, 2000
All architectures
! There is a non-exploitable buffer overflow in sendmail's test mode.
!
A source code patch exists which remedies this problem.
!
!
-
! 030: SECURITY FIX: Oct 10, 2000
All architectures
! The telnet daemon does not strip out the TERMINFO, TERMINFO_DIRS, TERMPATH
! and TERMCAP (when it starts with a '/') environment variables.
!
A source code patch exists which remedies this problem.
!
!
-
! 031: SECURITY FIX: Oct 18, 2000
! All architectures
! Apache has several bugs in mod_rewrite
and mod_vhost_alias
! that could cause arbitrary files accessible to the www user on the server
! to be exposed under certain configurations when these modules are used.
! (These modules are not active by default).
!
A source code patch exists which remedies this problem.
!
!
-
! 032: SECURITY FIX: Oct 26, 2000
All architectures
! There are two possibly exploitable potential buffer overflows in the X11
! libraries using the xtrans code. One of these vulnerabilities was
! reported to the
! BUGTRAQ
! mailing list.
!
A source code patch exists which remedies this problem.
!
!
-
! 033: RELIABILITY FIX: Nov 6, 2000
All architectures
! Invalid fields in the exec header could cause a crash.
!
A source code patch exists which remedies this problem.
!
!
-
! 034: RELIABILITY FIX: Nov 10, 2000
! When running a sparc with a serial console, certain types of interrupts would
! cause great grief.
!
A source code patch exists which remedies this problem.
!
!
-
! 035: SECURITY FIX: Nov 10, 2000
All architectures
! Hostile servers can force OpenSSH clients to do agent or X11 forwarding.
! This problem is fixed as of OpenSSH 2.3.0.
!
! A source code patch exists which remedies this problem.
!
!
-
! 036: RELIABILITY FIX: Nov 17, 2000
! Configuring a qec+qe causes a NMI panic.
!
A source code patch exists which remedies this problem.
!
!
-
! 037: SECURITY FIX: Dec 4, 2000
All architectures
! OpenBSD 2.7's ftpd contains a one-byte overflow in the replydirname() function.
!
A source code patch exists which remedies this problem.
!
!
-
! 039: SECURITY FIX: Feb 22, 2001
All architectures
! There is an exploitable heap corruption bug in
! sudo.
!
A source code patch exists which remedies this problem.
!
!
-
! 040: SECURITY FIX: Mar 18, 2001
All architectures
! The readline library shipped with OpenBSD allows history files creation
! with a permissive
! umask(2).
! This can lead to the leakage of sensitive information in applications
! that use passwords and the like during user interaction (one such
! application is mysql). Additionally, if the HOME environment variable
! is not set, the current working directory is used; this patch disables
! the history file if HOME is not set.
!
A source code patch exists which remedies this problem.