040: SECURITY FIX: Mar 18, 2001
The readline library shipped with OpenBSD allows history files creation
with a permissive
-umask(2).
+umask(2).
This can lead to the leakage of sensitive information in applications
that use passwords and the like during user interaction (one such
application is mysql). Additionally, if the HOME environment variable
@@ -66,133 +66,133 @@
">A source code patch exists which remedies the problem.
032: SECURITY FIX: Oct 26, 2000
There are two possibly exploitable potential buffer overflows in the X11
libraries using the xtrans code. One of these vulnerabilities was
reported to the
BUGTRAQ
mailing list.
-
+
A source code patch exists which remedies this problem.
-
031: SECURITY FIX: Oct 18, 2000
+
031: SECURITY FIX: Oct 18, 2000
Apache has several bugs in mod_rewrite and mod_vhost_alias
that could cause arbitrary files accessible to the www user on the server
to be exposed under certain configurations when these modules are used.
(These modules are not active by default).
-
+
A source code patch exists which remedies this problem.
027: SECURITY FIX: Oct 6, 2000
libcurses honored terminal descriptions in the $HOME/.terminfo directory
as well as in the TERMCAP environment variable for setuid and setgid
applications.
-
+
A source code patch exists which remedies this problem.
025: SECURITY FIX: Oct 3, 2000
A format string vulnerability exists in the pw_error(3) function. This
manifests itself as a security hole in the chpass utility. As a workaround
which disables its functionality, do
Server overflow
This is covered by the patches to xc/programs/Xserver/xkb.
@@ -200,7 +200,7 @@
the XFree86 Xwrapper already has tests for bad arguments.
019: SECURITY FIX: July 5, 2000
Just like pretty much all the other unix ftp daemons on the planet,
ftpd had a remote root hole in it. Luckily, ftpd was not enabled by default.
The problem exists if anonymous ftp is enabled.
-
+
A source code patch exists which remedies this problem.
017: INSTALLATION FIX: July 3, 2000
The screen package shipped with 2.7 does not install itself properly. The
existing package in 2.7/packages/_ARCH_/screen-3.9.5.tgz has been renamed to
screen-3.9.5.tgz.old and a replacement package has been provided under the
name screen-3.9.5p1.tgz.
-
+
A source code patch exists which remedies this problem.
-
013: SECURITY FIX: June 28, 2000
+
013: SECURITY FIX: June 28, 2000
libedit would check for a .editrc file in the current directory.
That behaviour is not nice; this does not turn into a security problem in
any real world situation that we know of, but a patch is available anyways.
-
+
A source code patch exists which remedies this problem.
006: SECURITY FIX: June 6, 2000
The non-default UseLogin feature in /etc/sshd_config is broken and should not
be used. On other operating systems, it results in a hole.
Avoid use of this feature, or update to OpenSSH 2.1.1 or later if you must use it.
001: SECURITY FIX: May 25, 2000
A misuse of ipf(8)
keep-state rules can result in firewall rules being bypassed.
-
+
A source code patch exists, which remedies this problem, and updates ipf
to version 3.3.16.
016: DRIVER BUG: July 2, 2000
+The xl(4)
driver supporting various 3com cards, had a bug which prevented the multicast
filter from working correctly on the 3c905B, thus preventing many IPv6 things
from working.
-
+
A source code patch exists which remedies this problem.
014: DRIVER BUG: June 30, 2000
The PC console driver (PCVT) has two bugs. Display problems can result if
reverse video mode is turned on or off twice in a row. This patch also
fixes a problem with scrolling region handling that has been seen by many
users trying to use the BitchX irc client with the screen program.
022: INSTALLATION FIX: July 14, 2000
The MacOS installer shipped with OpenBSD 2.7 does not correctly make all
devices, specifically it does not make the /dev/arandom device
@@ -392,28 +392,28 @@