| version 1.80, 2016/03/21 05:46:19 |
version 1.81, 2016/03/22 10:54:42 |
|
|
| <li id="sudo2"> |
<li id="sudo2"> |
| <font color="#009000"><strong>025: SECURITY FIX: April 25, 2002</strong></font> |
<font color="#009000"><strong>025: SECURITY FIX: April 25, 2002</strong></font> |
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| A bug in <a href="http://man.openbsd.org?query=sudo&sektion=8">sudo(8)</a> may allow an attacker to corrupt the heap by specifying a custom prompt.<br> |
A bug in <a href="http://man.openbsd.org/?query=sudo&sektion=8">sudo(8)</a> may allow an attacker to corrupt the heap by specifying a custom prompt.<br> |
| <a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/025_sudo.patch"> |
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/025_sudo.patch"> |
| A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
| <p> |
<p> |
|
|
| <font color="#009000"><strong>024: SECURITY FIX: April 22, 2002</strong></font> |
<font color="#009000"><strong>024: SECURITY FIX: April 22, 2002</strong></font> |
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| A local user can gain super-user privileges due to a buffer overflow |
A local user can gain super-user privileges due to a buffer overflow |
| in <a href="http://man.openbsd.org?query=sshd&sektion=8">sshd(8)</a> |
in <a href="http://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a> |
| if AFS has been configured on the system or if |
if AFS has been configured on the system or if |
| KerberosTgtPassing or AFSTokenPassing has been enabled |
KerberosTgtPassing or AFSTokenPassing has been enabled |
| in the sshd_config file. Ticket and token passing is not enabled |
in the sshd_config file. Ticket and token passing is not enabled |
|
|
| <li id="mail"> |
<li id="mail"> |
| <font color="#009000"><strong>023: SECURITY FIX: April 11, 2002</strong></font> |
<font color="#009000"><strong>023: SECURITY FIX: April 11, 2002</strong></font> |
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| <a href="http://man.openbsd.org?query=mail&sektion=1">mail(1)</a> |
<a href="http://man.openbsd.org/?query=mail&sektion=1">mail(1)</a> |
| will process tilde escapes even in non-interactive mode. |
will process tilde escapes even in non-interactive mode. |
| This can lead to a local root compromise. |
This can lead to a local root compromise. |
| <br> |
<br> |
|
|
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| Under some circumstances the zlib compression library can free dynamically |
Under some circumstances the zlib compression library can free dynamically |
| allocated memory twice. This is not a security issue on OpenBSD since the BSD |
allocated memory twice. This is not a security issue on OpenBSD since the BSD |
| <a href="http://man.openbsd.org?query=free&sektion=3">free(3)</a> |
<a href="http://man.openbsd.org/?query=free&sektion=3">free(3)</a> |
| function detects this. |
function detects this. |
| There is also a kernel zlib component that may be used by pppd and IPsec. |
There is also a kernel zlib component that may be used by pppd and IPsec. |
| The feasibility of attacking the kernel this way is currently unknown.<br> |
The feasibility of attacking the kernel this way is currently unknown.<br> |
|
|
| <li id="uucp"> |
<li id="uucp"> |
| <font color="#009000"><strong>015: SECURITY FIX: September 11, 2001</strong></font> |
<font color="#009000"><strong>015: SECURITY FIX: September 11, 2001</strong></font> |
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| A security hole exists in <a href="http://man.openbsd.org?query=uuxqt&sektion=8">uuxqt(8)</a> |
A security hole exists in <a href="http://man.openbsd.org/?query=uuxqt&sektion=8">uuxqt(8)</a> |
| that may allow an attacker to run arbitrary commands as user uucp and |
that may allow an attacker to run arbitrary commands as user uucp and |
| use this to gain root access. |
use this to gain root access. |
| The UUCP execution daemon, uuxqt(8), has a bug in its command line |
The UUCP execution daemon, uuxqt(8), has a bug in its command line |
|
|
| <li id="lpd"> |
<li id="lpd"> |
| <font color="#009000"><strong>014: SECURITY FIX: August 29, 2001</strong></font> |
<font color="#009000"><strong>014: SECURITY FIX: August 29, 2001</strong></font> |
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| A security hole exists in <a href="http://man.openbsd.org?query=lpd&sektion=8">lpd(8)</a> |
A security hole exists in <a href="http://man.openbsd.org/?query=lpd&sektion=8">lpd(8)</a> |
| that may allow an attacker with line printer access to gain root |
that may allow an attacker with line printer access to gain root |
| privileges. A machine must be running lpd to be vulnerable (OpenBSD |
privileges. A machine must be running lpd to be vulnerable (OpenBSD |
| does not start lpd by default). Only machines with line printer |
does not start lpd by default). Only machines with line printer |
|
|
| <li id="sendmail2"> |
<li id="sendmail2"> |
| <font color="#009000"><strong>013: SECURITY FIX: August 21, 2001</strong></font> |
<font color="#009000"><strong>013: SECURITY FIX: August 21, 2001</strong></font> |
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| A security hole exists in <a href="http://man.openbsd.org?query=sendmail&sektion=8">sendmail(8)</a> |
A security hole exists in <a href="http://man.openbsd.org/?query=sendmail&sektion=8">sendmail(8)</a> |
| that may allow an attacker on the local host to gain root privileges by |
that may allow an attacker on the local host to gain root privileges by |
| specifying out-of-bounds debug parameters. |
specifying out-of-bounds debug parameters. |
| <br> |
<br> |
|
|
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| A kernel buffer overflow exists in the NFS mount code. An attacker may |
A kernel buffer overflow exists in the NFS mount code. An attacker may |
| use this overflow to execute arbitrary code in kernel mode. However, |
use this overflow to execute arbitrary code in kernel mode. However, |
| only users with <a href="http://man.openbsd.org?query=mount&sektion=2">mount(2)</a> |
only users with <a href="http://man.openbsd.org/?query=mount&sektion=2">mount(2)</a> |
| privileges can initiate this attack. In default installs, only super-user has |
privileges can initiate this attack. In default installs, only super-user has |
| mount privileges. The kern.usermount <a href="http://man.openbsd.org?query=sysctl&sektion=3">sysctl(3)</a> controls whether other users have mount privileges. |
mount privileges. The kern.usermount <a href="http://man.openbsd.org/?query=sysctl&sektion=3">sysctl(3)</a> controls whether other users have mount privileges. |
| <br> |
<br> |
| <a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/012_nfs.patch"> |
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/012_nfs.patch"> |
| A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
|
|
| <font color="#009000"><strong>011: RELIABILITY FIX: July 15, 2001</strong></font> |
<font color="#009000"><strong>011: RELIABILITY FIX: July 15, 2001</strong></font> |
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| The |
The |
| <a href="http://man.openbsd.org?query=packages&sektion=7&format=html">packages(7)</a> |
<a href="http://man.openbsd.org/?query=packages&sektion=7&format=html">packages(7)</a> |
| subsystem incorrectly accepts some package dependencies as okay (see |
subsystem incorrectly accepts some package dependencies as okay (see |
| <a href="http://man.openbsd.org?query=packages-specs&sektion=7&format=html">packages-specs(7)</a> |
<a href="http://man.openbsd.org/?query=packages-specs&sektion=7&format=html">packages-specs(7)</a> |
| for details). |
for details). |
| <br> |
<br> |
| <a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/011_pkg.patch"> |
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/011_pkg.patch"> |
|
|
| <li id="twe"> |
<li id="twe"> |
| <font color="#009000"><strong>008: RELIABILITY FIX: June 15, 2001</strong></font> |
<font color="#009000"><strong>008: RELIABILITY FIX: June 15, 2001</strong></font> |
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| <a href="http://man.openbsd.org?query=twe&sektion=4&format=html">twe(4)</a> |
<a href="http://man.openbsd.org/?query=twe&sektion=4&format=html">twe(4)</a> |
| mishandles the DMA mapping resulting in a kernel panic on unaligned data |
mishandles the DMA mapping resulting in a kernel panic on unaligned data |
| transfers, induced by programs such as |
transfers, induced by programs such as |
| <a href="http://man.openbsd.org?query=disklabel&sektion=8&format=html">disklabel(8)</a> |
<a href="http://man.openbsd.org/?query=disklabel&sektion=8&format=html">disklabel(8)</a> |
| and |
and |
| <a href="http://man.openbsd.org?query=dump&sektion=8&format=html">dump(8)</a>. |
<a href="http://man.openbsd.org/?query=dump&sektion=8&format=html">dump(8)</a>. |
| <br> |
<br> |
| <a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/008_twe.patch"> |
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/008_twe.patch"> |
| A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
|
|
| <li id="kernexec"> |
<li id="kernexec"> |
| <font color="#009000"><strong>007: SECURITY FIX: June 15, 2001</strong></font> |
<font color="#009000"><strong>007: SECURITY FIX: June 15, 2001</strong></font> |
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| A race condition exists in the kernel <a href="http://man.openbsd.org?query=execve&sektion=2&format=html">execve(2)</a> implementation that opens a small window of vulnerability for a non-privileged user to <a href="http://man.openbsd.org?query=ptrace&sektion=2&format=html">ptrace(2)</a> attach to a suid/sgid process. |
A race condition exists in the kernel <a href="http://man.openbsd.org/?query=execve&sektion=2&format=html">execve(2)</a> implementation that opens a small window of vulnerability for a non-privileged user to <a href="http://man.openbsd.org/?query=ptrace&sektion=2&format=html">ptrace(2)</a> attach to a suid/sgid process. |
| <br> |
<br> |
| <a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/007_kernexec.patch"> |
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/007_kernexec.patch"> |
| A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
|
|
| <li id="sshcookie"> |
<li id="sshcookie"> |
| <font color="#009000"><strong>006: SECURITY FIX: June 12, 2001</strong></font> |
<font color="#009000"><strong>006: SECURITY FIX: June 12, 2001</strong></font> |
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| <a href="http://man.openbsd.org?query=sshd&sektion=8&format=html">sshd(8)</a> |
<a href="http://man.openbsd.org/?query=sshd&sektion=8&format=html">sshd(8)</a> |
| allows users to delete arbitrary files named "cookies" if X11 |
allows users to delete arbitrary files named "cookies" if X11 |
| forwarding is enabled. X11 forwarding is disabled by default. |
forwarding is enabled. X11 forwarding is disabled by default. |
| <br> |
<br> |
|
|
| <li id="pwd_mkdb"> |
<li id="pwd_mkdb"> |
| <font color="#009000"><strong>005: RELIABILITY FIX: June 7, 2001</strong></font> |
<font color="#009000"><strong>005: RELIABILITY FIX: June 7, 2001</strong></font> |
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| <a href="http://man.openbsd.org?query=pwd_mkdb&sektion=8&format=html">pwd_mkdb(8)</a> |
<a href="http://man.openbsd.org/?query=pwd_mkdb&sektion=8&format=html">pwd_mkdb(8)</a> |
| corrupts /etc/pwd.db when modifying an existing user. |
corrupts /etc/pwd.db when modifying an existing user. |
| <br> |
<br> |
| <a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/005_pwd_mkdb.patch"> |
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/005_pwd_mkdb.patch"> |
|
|
| <li id="isakmpd"> |
<li id="isakmpd"> |
| <font color="#009000"><strong>004: RELIABILITY FIX: June 5, 2001</strong></font> |
<font color="#009000"><strong>004: RELIABILITY FIX: June 5, 2001</strong></font> |
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| <a href="http://man.openbsd.org?query=isakmpd&sektion=8&format=html">isakmpd(8)</a> |
<a href="http://man.openbsd.org/?query=isakmpd&sektion=8&format=html">isakmpd(8)</a> |
| will fail to use a certificate with an identity string that is |
will fail to use a certificate with an identity string that is |
| exactly N * 8 bytes long. |
exactly N * 8 bytes long. |
| <br> |
<br> |
|
|
| <li id="fts"> |
<li id="fts"> |
| <font color="#009000"><strong>002: SECURITY FIX: May 30, 2001</strong></font> |
<font color="#009000"><strong>002: SECURITY FIX: May 30, 2001</strong></font> |
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| Programs using the <a href="http://man.openbsd.org?query=fts&sektion=3&format=html">fts(3)</a> |
Programs using the <a href="http://man.openbsd.org/?query=fts&sektion=3&format=html">fts(3)</a> |
| routines (such as rm, find, and most programs that take a <b>-R</b> |
routines (such as rm, find, and most programs that take a <b>-R</b> |
| flag) can be tricked into changing into the wrong directory if the |
flag) can be tricked into changing into the wrong directory if the |
| parent dir is changed out from underneath it. This is similar to |
parent dir is changed out from underneath it. This is similar to |
|
|
| <li id="sendmail"> |
<li id="sendmail"> |
| <font color="#009000"><strong>001: SECURITY FIX: May 29, 2001</strong></font> |
<font color="#009000"><strong>001: SECURITY FIX: May 29, 2001</strong></font> |
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| The signal handlers in <a href="http://man.openbsd.org?query=sendmail&sektion=8&format=html">sendmail(8)</a> contain code that is unsafe in the |
The signal handlers in <a href="http://man.openbsd.org/?query=sendmail&sektion=8&format=html">sendmail(8)</a> contain code that is unsafe in the |
| context of a signal handler. This leads to potentially serious |
context of a signal handler. This leads to potentially serious |
| race conditions. At the moment this is a theoretical attack only |
race conditions. At the moment this is a theoretical attack only |
| and can only be exploited on the local host (if at all).<br> |
and can only be exploited on the local host (if at all).<br> |
![[BACK]](/icons/back.gif){kind=icon}
Return to errata29.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www