OpenBSD 2.8 errata

=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/errata28.html,v retrieving revision 1.29 retrieving revision 1.30 diff -c -r1.29 -r1.30 *** www/errata28.html 2002/10/17 21:38:38 1.29 --- www/errata28.html 2003/03/06 21:44:07 1.30 *************** *** 1,8 **** ! OpenBSD 2.8 errata ! --- 1,8 ---- ! OpenBSD 2.8 errata ! *************** *** 13,19 ****

This is the OpenBSD 2.8 release errata & patch list:

--- 13,19 ----

This is the OpenBSD 2.8 release errata & patch list:

*************** *** 36,42 ****

! You can also fetch a tar.gz file containing all the following patches. This file is updated once a day. --- 36,42 ----

! You can also fetch a tar.gz file containing all the following patches. This file is updated once a day. *************** *** 50,60 ****

All architectures

033: SECURITY FIX: September 11, 2001
! A security hole exists in uuxqt(8) that may allow an attacker to run arbitrary commands as user uucp and use this to gain root access. The UUCP execution daemon, uuxqt(8), has a bug in its command line --- 50,60 ----
!
All architectures
- 033: SECURITY FIX: September 11, 2001
  ! A security hole exists in uuxqt(8) that may allow an attacker to run arbitrary commands as user uucp and use this to gain root access. The UUCP execution daemon, uuxqt(8), has a bug in its command line *************** *** 65,72 **** A source code patch exists which remedies the problem
  !
- 032: SECURITY FIX: August 29, 2001
  ! A security hole exists in lpd(8) that may allow an attacker with line printer access to gain root privileges. A machine must be running lpd to be vulnerable (OpenBSD does not start lpd by default). Only machines with line printer --- 65,72 ---- A source code patch exists which remedies the problem
  !
- 032: SECURITY FIX: August 29, 2001
  ! A security hole exists in lpd(8) that may allow an attacker with line printer access to gain root privileges. A machine must be running lpd to be vulnerable (OpenBSD does not start lpd by default). Only machines with line printer *************** *** 76,98 **** A source code patch exists which remedies the problem
  !
- 031: SECURITY FIX: August 21, 2001
  ! A security hole exists in sendmail(8) that may allow an attacker on the local host to gain root privileges by specifying out-of-bounds debug parameters.
  A source code patch exists which remedies the problem
  !
- 030: SECURITY FIX: June 15, 2001
  ! A race condition exists in the kernel execve(2) implementation that opens a small window of vulnerability for a non-privileged user to ptrace(2) attach to a suid/sgid process.
  A source code patch exists which remedies the problem.
  !
- 029: SECURITY FIX: May 30, 2001
  ! Programs using the fts(3) routines (such as rm, find, and most programs that take a -R flag) can be tricked into changing into the wrong directory if the parent dir is changed out from underneath it. This is similar to --- 76,98 ---- A source code patch exists which remedies the problem
  !
- 031: SECURITY FIX: August 21, 2001
  ! A security hole exists in sendmail(8) that may allow an attacker on the local host to gain root privileges by specifying out-of-bounds debug parameters.
  A source code patch exists which remedies the problem
  !
- 030: SECURITY FIX: June 15, 2001
  ! A race condition exists in the kernel execve(2) implementation that opens a small window of vulnerability for a non-privileged user to ptrace(2) attach to a suid/sgid process.
  A source code patch exists which remedies the problem.
  !
- 029: SECURITY FIX: May 30, 2001
  ! Programs using the fts(3) routines (such as rm, find, and most programs that take a -R flag) can be tricked into changing into the wrong directory if the parent dir is changed out from underneath it. This is similar to *************** *** 102,181 **** This is the second version of the patch.
  !
- 028: SECURITY FIX: May 29, 2001
  The signal handlers in sendmail(8) contain code that is unsafe in the context of a signal handler. This leads to potentially serious race conditions. At the moment this is a theoretical attack only and can only be exploited on the local host (if at all).
  A source code patch exists which remedies the problem by updating sendmail to version 8.11.4.
  !
- 027: SECURITY FIX: Apr 23, 2001
  IPF has a serious problem with fragment caching, the bug is triggered if you use the ipf(5) syntax "keep state".
  A source code patch exists which remedies the problem.
  
  !
- 026: SECURITY FIX: Apr 23, 2001
  ! ftpd(8) has a potential DoS related to glob(3). This patch introduces a GLOB_LIMIT, eliminating the DoS. You must have 025_glob.patch installed before installing this patch.
  A source code patch exists which remedies the problem.
  
  !
- 025: SECURITY FIX: Apr 10, 2001
  ! glob(3) contains multiple buffer overflows.
  A source code patch exists which remedies the problem.
  
  !
- 024: SECURITY FIX: Mar 18, 2001
  The readline library shipped with OpenBSD allows history files creation with a permissive ! umask(2). This can lead to the leakage of sensitive information in applications that use passwords and the like during user interaction (one such application is mysql).
  A source code patch exists which remedies the problem.
  
  !
- 023: SECURITY FIX: Mar 2, 2001
  Insufficient checks in the IPSEC AH IPv4 option handling code can lead to a buffer overrun leading to a remote DoS. This option is not on by default.
  A source code patch exists which remedies the problem.
  
  !
- 021: SECURITY FIX: Feb 22, 2001
  There is an exploitable heap corruption bug in ! sudo.
  A source code patch exists which remedies the problem.
  
  !
- 020: IMPLEMENTATION FIX: Feb 15, 2001
  ! Client side ident protocol was broken in libwrap, affecting anything using libwrap including tcpd. The effect of this was that libwrap would never retrieve and log ident values from remote hosts on connections.
  A source code patch exists which remedies the problem.
  
  !
- 019: IMPLEMENTATION FIX: Jan 31, 2001
  ! Fix memory allocation in the PCI LANCE driver, le. A side effect of this is that OpenBSD under VMWare now works again.
  A source code patch exists which remedies the problem.
  
  !
- 018: SECURITY FIX: Jan 29, 2001
  ! Merge named with ISC BIND 4.9.8-REL, which fixes some buffer vulnerabilities (actually it appears that these were already impossible to exploit beforehand).
  A source code patch exists which remedies the problem.
  
  !
- 017: SECURITY FIX: Jan 22, 2001
  ! The rnd(4) device does not use all of its input when data is written to it.
  A source code patch exists which remedies the problem.
  
  !
- 016: RELIABILITY FIX: Jan 4, 2001
  Allow ThunderLAN cards to share interrupts nicely.
  A source code patch exists which remedies the problem.
  !
- 014: SECURITY FIX: Dec 22, 2000
  Improve xlock(1)'s authentication by authenticating via a pipe in an early forked process. No known vulnerability exists, this is just a precautionary patch.
  A source code patch exists which remedies the problem.
  --- 102,181 ---- This is the second version of the patch.
  !
- 028: SECURITY FIX: May 29, 2001
  The signal handlers in sendmail(8) contain code that is unsafe in the context of a signal handler. This leads to potentially serious race conditions. At the moment this is a theoretical attack only and can only be exploited on the local host (if at all).
  A source code patch exists which remedies the problem by updating sendmail to version 8.11.4.
  !
- 027: SECURITY FIX: Apr 23, 2001
  IPF has a serious problem with fragment caching, the bug is triggered if you use the ipf(5) syntax "keep state".
  A source code patch exists which remedies the problem.
  
  !
- 026: SECURITY FIX: Apr 23, 2001
  ! ftpd(8) has a potential DoS related to glob(3). This patch introduces a GLOB_LIMIT, eliminating the DoS. You must have 025_glob.patch installed before installing this patch.
  A source code patch exists which remedies the problem.
  
  !
- 025: SECURITY FIX: Apr 10, 2001
  ! glob(3) contains multiple buffer overflows.
  A source code patch exists which remedies the problem.
  
  !
- 024: SECURITY FIX: Mar 18, 2001
  The readline library shipped with OpenBSD allows history files creation with a permissive ! umask(2). This can lead to the leakage of sensitive information in applications that use passwords and the like during user interaction (one such application is mysql).
  A source code patch exists which remedies the problem.
  
  !
- 023: SECURITY FIX: Mar 2, 2001
  Insufficient checks in the IPSEC AH IPv4 option handling code can lead to a buffer overrun leading to a remote DoS. This option is not on by default.
  A source code patch exists which remedies the problem.
  
  !
- 021: SECURITY FIX: Feb 22, 2001
  There is an exploitable heap corruption bug in ! sudo.
  A source code patch exists which remedies the problem.
  
  !
- 020: IMPLEMENTATION FIX: Feb 15, 2001
  ! Client side ident protocol was broken in libwrap, affecting anything using libwrap including tcpd. The effect of this was that libwrap would never retrieve and log ident values from remote hosts on connections.
  A source code patch exists which remedies the problem.
  
  !
- 019: IMPLEMENTATION FIX: Jan 31, 2001
  ! Fix memory allocation in the PCI LANCE driver, le. A side effect of this is that OpenBSD under VMWare now works again.
  A source code patch exists which remedies the problem.
  
  !
- 018: SECURITY FIX: Jan 29, 2001
  ! Merge named with ISC BIND 4.9.8-REL, which fixes some buffer vulnerabilities (actually it appears that these were already impossible to exploit beforehand).
  A source code patch exists which remedies the problem.
  
  !
- 017: SECURITY FIX: Jan 22, 2001
  ! The rnd(4) device does not use all of its input when data is written to it.
  A source code patch exists which remedies the problem.
  
  !
- 016: RELIABILITY FIX: Jan 4, 2001
  Allow ThunderLAN cards to share interrupts nicely.
  A source code patch exists which remedies the problem.
  !
- 014: SECURITY FIX: Dec 22, 2000
  Improve xlock(1)'s authentication by authenticating via a pipe in an early forked process. No known vulnerability exists, this is just a precautionary patch.
  A source code patch exists which remedies the problem.
  *************** *** 193,223 ****
!
013: SECURITY FIX: Dec 18, 2000
! Procfs contained numerous overflows, which could lead an intruder to root permissions. Procfs is NOT enabled by default in OpenBSD.
A source code patch exists which remedies the problem.
!
011: RELIABILITY FIX: Dec 13, 2000
The crypto subsystem could incorrectly fail to run certain software ciphers, if a hardware card existed in the machine.
A source code patch exists which remedies the problem.
!
010: RELIABILITY FIX: Dec 11, 2000
A crash could occur during fast routing, if IPSEC was enabled.
A source code patch exists which remedies the problem.
!
009: SECURITY FIX: Dec 10, 2000
Another problem exists in the Kerberos libraries.
A source code patch exists which remedies the problem.
!
008: SECURITY FIX: Dec 7, 2000
Two problems have recently been discovered in the KerberosIV code.
1. A symlink problem was discovered in the KerberosIV password checking routines /usr/bin/su and /usr/bin/login, which makes it possible for a --- 193,223 ----

013: SECURITY FIX: Dec 18, 2000
! Procfs contained numerous overflows, which could lead an intruder to root permissions. Procfs is NOT enabled by default in OpenBSD.
A source code patch exists which remedies the problem.

011: RELIABILITY FIX: Dec 13, 2000
The crypto subsystem could incorrectly fail to run certain software ciphers, if a hardware card existed in the machine.
A source code patch exists which remedies the problem.

010: RELIABILITY FIX: Dec 11, 2000
A crash could occur during fast routing, if IPSEC was enabled.
A source code patch exists which remedies the problem.

009: SECURITY FIX: Dec 10, 2000
Another problem exists in the Kerberos libraries.
A source code patch exists which remedies the problem.

008: SECURITY FIX: Dec 7, 2000
Two problems have recently been discovered in the KerberosIV code.

1. A symlink problem was discovered in the KerberosIV password checking routines /usr/bin/su and /usr/bin/login, which makes it possible for a *************** *** 232,273 **** A source code patch exists which remedies the problem.

005: SECURITY FIX: Dec 4, 2000
OpenBSD 2.8's ftpd contains a one-byte overflow in the replydirname() function.
A source code patch exists which remedies the problem.
You can view the OpenBSD Advisory here.

004: RELIABILITY FIX: Nov 17, 2000
First off, AES (Rijndael) encryption and decryption were broken for IPsec and swap encryption.
Secondly, the AES code did not work properly on big endian machines.
A second revision source code patch exists which remedies the problem.

002: IMPLEMENTATION FIX: Nov 10, 2000
In ssh(1), skey support for SSH1 protocol was broken. Some people might consider that kind of important.
! A source code patch exists which remedies this problem.

i386

022: SECURITY FIX: Mar 2, 2001
The USER_LDT kernel option allows an attacker to gain access to privileged areas of kernel memory. This option is not on by default. A source code patch exists which remedies the problem.

!
015: STABILITY FIX: Dec 22, 2000
Some machines locked up while trying to use the mouse in console mode. This patch solves that problem.
A source code patch exists which remedies this problem.
!
006: STABILITY FIX: Dec 4, 2000
On some machines, a PCIBIOS device driver interrupt allocation bug can cause a kernel hang while probing PCI devices. If you have this symptom, you can disable PCIBIOS as a workaround. To do this, --- 232,273 ---- A source code patch exists which remedies the problem.
!
005: SECURITY FIX: Dec 4, 2000
OpenBSD 2.8's ftpd contains a one-byte overflow in the replydirname() function.
A source code patch exists which remedies the problem.
You can view the OpenBSD Advisory here.
!
004: RELIABILITY FIX: Nov 17, 2000
First off, AES (Rijndael) encryption and decryption were broken for IPsec and swap encryption.
Secondly, the AES code did not work properly on big endian machines.
A second revision source code patch exists which remedies the problem.
!
002: IMPLEMENTATION FIX: Nov 10, 2000
In ssh(1), skey support for SSH1 protocol was broken. Some people might consider that kind of important.
! A source code patch exists which remedies this problem.

i386

022: SECURITY FIX: Mar 2, 2001
The USER_LDT kernel option allows an attacker to gain access to privileged areas of kernel memory. This option is not on by default. A source code patch exists which remedies the problem.

!
015: STABILITY FIX: Dec 22, 2000
Some machines locked up while trying to use the mouse in console mode. This patch solves that problem.
A source code patch exists which remedies this problem.
!
006: STABILITY FIX: Dec 4, 2000
On some machines, a PCIBIOS device driver interrupt allocation bug can cause a kernel hang while probing PCI devices. If you have this symptom, you can disable PCIBIOS as a workaround. To do this, *************** *** 286,295 ****

mac68k

007: INSTALL PROBLEM: Dec 4, 2000
The X packages share28.tgz and --- 286,295 ----

mac68k

007: INSTALL PROBLEM: Dec 4, 2000
The X packages share28.tgz and *************** *** 303,312 ****

sparc

007: INSTALL PROBLEM: Dec 4, 2000
The X packages share28.tgz and --- 303,312 ----

sparc

007: INSTALL PROBLEM: Dec 4, 2000
The X packages share28.tgz and *************** *** 319,342 ****
!
003: RELIABILITY FIX: Nov 17, 2000
Configuring a qec+qe causes a NMI panic.
! A source code patch exists which remedies this problem.
!
001: RELIABILITY FIX: Nov 10, 2000
When running a sparc with a serial console, certain types of interrupts would cause great grief.
! A source code patch exists which remedies this problem.

amiga

007: INSTALL PROBLEM: Dec 4, 2000
The X packages share28.tgz and --- 319,342 ----
!
003: RELIABILITY FIX: Nov 17, 2000
Configuring a qec+qe causes a NMI panic.
! A source code patch exists which remedies this problem.
!
001: RELIABILITY FIX: Nov 10, 2000
When running a sparc with a serial console, certain types of interrupts would cause great grief.
! A source code patch exists which remedies this problem.

amiga

007: INSTALL PROBLEM: Dec 4, 2000
The X packages share28.tgz and *************** *** 350,365 ****

pmax

No problems identified yet.

hp300

007: INSTALL PROBLEM: Dec 4, 2000
The X packages share28.tgz and --- 350,365 ----

pmax

No problems identified yet.

hp300

007: INSTALL PROBLEM: Dec 4, 2000
The X packages share28.tgz and *************** *** 373,382 ****

mvme68k

007: INSTALL PROBLEM: Dec 4, 2000
The X packages share28.tgz and --- 373,382 ----

mvme68k

007: INSTALL PROBLEM: Dec 4, 2000
The X packages share28.tgz and *************** *** 390,399 ****

powerpc

012: INSTALL PROBLEM: Dec 14, 2000
The IMac DV+ (and probably some other machines) incorrectly identify their video hardware, but it is possible to work around the problem.
--- 390,399 ----

powerpc

012: INSTALL PROBLEM: Dec 14, 2000
The IMac DV+ (and probably some other machines) incorrectly identify their video hardware, but it is possible to work around the problem.
*************** *** 401,416 ****

vax

No problems identified yet.

sun3

007: INSTALL PROBLEM: Dec 4, 2000
The X packages share28.tgz and --- 401,416 ----

vax

No problems identified yet.

sun3

007: INSTALL PROBLEM: Dec 4, 2000
The X packages share28.tgz and *************** *** 445,452 ****
! www@openbsd.org !
$OpenBSD: errata28.html,v 1.29 2002/10/17 21:38:38 deraadt Exp $ --- 445,452 ----
! www@openbsd.org !
$OpenBSD: errata28.html,v 1.30 2003/03/06 21:44:07 naddy Exp $