| version 1.94, 2019/04/02 12:46:56 |
version 1.95, 2019/05/27 22:55:19 |
|
|
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> |
<!doctype html> |
| <html> |
<html lang=en id=errata> |
| <head> |
<meta charset=utf-8> |
| |
|
| <title>OpenBSD 2.9 Errata</title> |
<title>OpenBSD 2.9 Errata</title> |
| <meta name="description" content="the OpenBSD CD errata page"> |
<meta name="description" content="the OpenBSD CD errata page"> |
| <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> |
|
| <meta name="viewport" content="width=device-width, initial-scale=1"> |
<meta name="viewport" content="width=device-width, initial-scale=1"> |
| <link rel="stylesheet" type="text/css" href="openbsd.css"> |
<link rel="stylesheet" type="text/css" href="openbsd.css"> |
| <link rel="canonical" href="https://www.openbsd.org/errata29.html"> |
<link rel="canonical" href="https://www.openbsd.org/errata29.html"> |
| </head> |
|
| |
|
| <!-- |
<!-- |
| IMPORTANT REMINDER |
IMPORTANT REMINDER |
| IF YOU ADD A NEW ERRATUM, MAIL THE PATCH TO TECH AND ANNOUNCE |
IF YOU ADD A NEW ERRATUM, MAIL THE PATCH TO TECH AND ANNOUNCE |
| --> |
--> |
| |
|
| <body bgcolor="#ffffff" text="#000000" link="#23238E"> |
|
| |
|
| <h2> |
<h2 id=OpenBSD> |
| <a href="index.html"> |
<a href="index.html"> |
| <font color="#0000ff"><i>Open</i></font><font color="#000084">BSD</font></a> |
<i>Open</i><b>BSD</b></a> |
| <font color="#e00000">2.9 Errata</font> |
2.9 Errata |
| </h2> |
</h2> |
| <hr> |
<hr> |
| |
|
|
|
| |
|
| <ul> |
<ul> |
| <li id="resolver"> |
<li id="resolver"> |
| <font color="#009000"><strong>027: SECURITY FIX: June 25, 2002</strong></font> |
<strong>027: SECURITY FIX: June 25, 2002</strong> |
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| A potential buffer overflow in the DNS resolver has been found.<br> |
A potential buffer overflow in the DNS resolver has been found.<br> |
| <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/027_resolver.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/027_resolver.patch"> |
| A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
| <p> |
<p> |
| <li id="fdalloc2"> |
<li id="fdalloc2"> |
| <font color="#009000"><strong>026: SECURITY FIX: May 8, 2002</strong></font> |
<strong>026: SECURITY FIX: May 8, 2002</strong> |
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| A race condition exists where an attacker could fill the file descriptor |
A race condition exists where an attacker could fill the file descriptor |
| table and defeat the kernel's protection of fd slots 0, 1, and 2 for a |
table and defeat the kernel's protection of fd slots 0, 1, and 2 for a |
|
|
| A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
| <p> |
<p> |
| <li id="sudo2"> |
<li id="sudo2"> |
| <font color="#009000"><strong>025: SECURITY FIX: April 25, 2002</strong></font> |
<strong>025: SECURITY FIX: April 25, 2002</strong> |
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| A bug in <a href="https://man.openbsd.org/OpenBSD-2.9/sudo.8">sudo(8)</a> may allow an attacker to corrupt the heap by specifying a custom prompt.<br> |
A bug in <a href="https://man.openbsd.org/OpenBSD-2.9/sudo.8">sudo(8)</a> may allow an attacker to corrupt the heap by specifying a custom prompt.<br> |
| <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/025_sudo.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/025_sudo.patch"> |
| A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
| <p> |
<p> |
| <li id="sshafs"> |
<li id="sshafs"> |
| <font color="#009000"><strong>024: SECURITY FIX: April 22, 2002</strong></font> |
<strong>024: SECURITY FIX: April 22, 2002</strong> |
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| A local user can gain super-user privileges due to a buffer overflow |
A local user can gain super-user privileges due to a buffer overflow |
| in <a href="https://man.openbsd.org/OpenBSD-2.9/sshd.8">sshd(8)</a> |
in <a href="https://man.openbsd.org/OpenBSD-2.9/sshd.8">sshd(8)</a> |
|
|
| A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
| <p> |
<p> |
| <li id="mail"> |
<li id="mail"> |
| <font color="#009000"><strong>023: SECURITY FIX: April 11, 2002</strong></font> |
<strong>023: SECURITY FIX: April 11, 2002</strong> |
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| <a href="https://man.openbsd.org/OpenBSD-2.9/mail.1">mail(1)</a> |
<a href="https://man.openbsd.org/OpenBSD-2.9/mail.1">mail(1)</a> |
| will process tilde escapes even in non-interactive mode. |
will process tilde escapes even in non-interactive mode. |
|
|
| A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
| <p> |
<p> |
| <li id="zlib"> |
<li id="zlib"> |
| <font color="#009000"><strong>022: RELIABILITY FIX: March 13, 2002</strong></font> |
<strong>022: RELIABILITY FIX: March 13, 2002</strong> |
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| Under some circumstances the zlib compression library can free dynamically |
Under some circumstances the zlib compression library can free dynamically |
| allocated memory twice. This is not a security issue on OpenBSD since the BSD |
allocated memory twice. This is not a security issue on OpenBSD since the BSD |
|
|
| A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
| <p> |
<p> |
| <li id="openssh"> |
<li id="openssh"> |
| <font color="#009000"><strong>021: SECURITY FIX: March 8, 2002</strong></font> |
<strong>021: SECURITY FIX: March 8, 2002</strong> |
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| A local user can gain super-user privileges due to an off-by-one check |
A local user can gain super-user privileges due to an off-by-one check |
| in the channel forwarding code of OpenSSH.<br> |
in the channel forwarding code of OpenSSH.<br> |
|
|
| A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
| <p> |
<p> |
| <li id="ptrace"> |
<li id="ptrace"> |
| <font color="#009000"><strong>020: SECURITY FIX: February 20, 2002</strong></font> |
<strong>020: SECURITY FIX: February 20, 2002</strong> |
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| A race condition between the ptrace(2) and execve(2) system calls allows |
A race condition between the ptrace(2) and execve(2) system calls allows |
| an attacker to modify the memory contents of suid/sgid processes which |
an attacker to modify the memory contents of suid/sgid processes which |
|
|
| A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
| <p> |
<p> |
| <li id="sudo"> |
<li id="sudo"> |
| <font color="#009000"><strong>019: SECURITY FIX: January 17, 2002</strong></font> |
<strong>019: SECURITY FIX: January 17, 2002</strong> |
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| If the Postfix sendmail replacement is installed on a system an |
If the Postfix sendmail replacement is installed on a system an |
| attacker may be able to gain root privileges on the local host via |
attacker may be able to gain root privileges on the local host via |
|
|
| A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
| <p> |
<p> |
| <li id="missing"> |
<li id="missing"> |
| <font color="#00900"><strong>018: INSTALL PROBLEM: Dec 11, 2001</strong></font><br> |
<strong>018: INSTALL PROBLEM: Dec 11, 2001</strong><br> |
| The X binary sets shipped with OpenBSD 2.9 do not contain several files. These |
The X binary sets shipped with OpenBSD 2.9 do not contain several files. These |
| missing files can be added manually from the sparc tarballs after the |
missing files can be added manually from the sparc tarballs after the |
| installation:<br> |
installation:<br> |
|
|
| </pre> |
</pre> |
| <p> |
<p> |
| <li id="lpd2"> |
<li id="lpd2"> |
| <font color="#009000"><strong>017: SECURITY FIX: November 28, 2001</strong></font> |
<strong>017: SECURITY FIX: November 28, 2001</strong> |
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| A security issue exists in the lpd daemon that may allow an attacker |
A security issue exists in the lpd daemon that may allow an attacker |
| to create arbitrary new files in the root directory. Only machines |
to create arbitrary new files in the root directory. Only machines |
|
|
| A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
| <p> |
<p> |
| <li id="vi.recover"> |
<li id="vi.recover"> |
| <font color="#009000"><strong>016: SECURITY FIX: November 13, 2001</strong></font> |
<strong>016: SECURITY FIX: November 13, 2001</strong> |
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| A security issue exists in the vi.recover script that may allow an attacker |
A security issue exists in the vi.recover script that may allow an attacker |
| to remove arbitrary zero-length files, regardless of ownership. |
to remove arbitrary zero-length files, regardless of ownership. |
|
|
| A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
| <p> |
<p> |
| <li id="uucp"> |
<li id="uucp"> |
| <font color="#009000"><strong>015: SECURITY FIX: September 11, 2001</strong></font> |
<strong>015: SECURITY FIX: September 11, 2001</strong> |
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| A security hole exists in <a href="https://man.openbsd.org/OpenBSD-2.9/uuxqt.8">uuxqt(8)</a> |
A security hole exists in <a href="https://man.openbsd.org/OpenBSD-2.9/uuxqt.8">uuxqt(8)</a> |
| that may allow an attacker to run arbitrary commands as user uucp and |
that may allow an attacker to run arbitrary commands as user uucp and |
|
|
| A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
| <p> |
<p> |
| <li id="lpd"> |
<li id="lpd"> |
| <font color="#009000"><strong>014: SECURITY FIX: August 29, 2001</strong></font> |
<strong>014: SECURITY FIX: August 29, 2001</strong> |
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| A security hole exists in <a href="https://man.openbsd.org/OpenBSD-2.9/lpd.8">lpd(8)</a> |
A security hole exists in <a href="https://man.openbsd.org/OpenBSD-2.9/lpd.8">lpd(8)</a> |
| that may allow an attacker with line printer access to gain root |
that may allow an attacker with line printer access to gain root |
|
|
| A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
| <p> |
<p> |
| <li id="sendmail2"> |
<li id="sendmail2"> |
| <font color="#009000"><strong>013: SECURITY FIX: August 21, 2001</strong></font> |
<strong>013: SECURITY FIX: August 21, 2001</strong> |
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| A security hole exists in <a href="https://man.openbsd.org/OpenBSD-2.9/sendmail.8">sendmail(8)</a> |
A security hole exists in <a href="https://man.openbsd.org/OpenBSD-2.9/sendmail.8">sendmail(8)</a> |
| that may allow an attacker on the local host to gain root privileges by |
that may allow an attacker on the local host to gain root privileges by |
|
|
| A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
| <p> |
<p> |
| <li id="nfs"> |
<li id="nfs"> |
| <font color="#009000"><strong>012: SECURITY FIX: July 30, 2001</strong></font> |
<strong>012: SECURITY FIX: July 30, 2001</strong> |
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| A kernel buffer overflow exists in the NFS mount code. An attacker may |
A kernel buffer overflow exists in the NFS mount code. An attacker may |
| use this overflow to execute arbitrary code in kernel mode. However, |
use this overflow to execute arbitrary code in kernel mode. However, |
|
|
| A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
| <p> |
<p> |
| <li id="pkg"> |
<li id="pkg"> |
| <font color="#009000"><strong>011: RELIABILITY FIX: July 15, 2001</strong></font> |
<strong>011: RELIABILITY FIX: July 15, 2001</strong> |
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| The |
The |
| <a href="https://man.openbsd.org/OpenBSD-2.9/packages.7">packages(7)</a> |
<a href="https://man.openbsd.org/OpenBSD-2.9/packages.7">packages(7)</a> |
|
|
| version numbers. |
version numbers. |
| <p> |
<p> |
| <li id="nvidia"> |
<li id="nvidia"> |
| <font color="#009000"><strong>010: RELIABILITY FIX: Jul 9, 2001</strong></font><br> |
<strong>010: RELIABILITY FIX: Jul 9, 2001</strong><br> |
| The NVIDIA driver for XFree86 4.0.3 is incorrectly restoring the text |
The NVIDIA driver for XFree86 4.0.3 is incorrectly restoring the text |
| mode palette upon exit of the X server. <a |
mode palette upon exit of the X server. <a |
| href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/i386/010_nvidia.patch"> |
href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/i386/010_nvidia.patch"> |
|
|
| restart your X server. |
restart your X server. |
| <p> |
<p> |
| <li id="XF86Setup"> |
<li id="XF86Setup"> |
| <font color="#009000"><strong>009: RELIABILITY FIX: Jun 23, 2001</strong></font><br> |
<strong>009: RELIABILITY FIX: Jun 23, 2001</strong><br> |
| The XF86Setup(1) configuration tool for XFree86 3.3.6 is producing |
The XF86Setup(1) configuration tool for XFree86 3.3.6 is producing |
| corrupted /etc/XF86Config files. |
corrupted /etc/XF86Config files. |
| <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/i386/009_XF86Setup.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/i386/009_XF86Setup.patch"> |
|
|
| keyboard controller doesn't acknowledge commands, confusing OpenBSD. |
keyboard controller doesn't acknowledge commands, confusing OpenBSD. |
| <p> |
<p> |
| <li id="twe"> |
<li id="twe"> |
| <font color="#009000"><strong>008: RELIABILITY FIX: June 15, 2001</strong></font> |
<strong>008: RELIABILITY FIX: June 15, 2001</strong> |
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| <a href="https://man.openbsd.org/OpenBSD-2.9/twe.4">twe(4)</a> |
<a href="https://man.openbsd.org/OpenBSD-2.9/twe.4">twe(4)</a> |
| mishandles the DMA mapping resulting in a kernel panic on unaligned data |
mishandles the DMA mapping resulting in a kernel panic on unaligned data |
|
|
| This is the second version of the patch. |
This is the second version of the patch. |
| <p> |
<p> |
| <li id="kernexec"> |
<li id="kernexec"> |
| <font color="#009000"><strong>007: SECURITY FIX: June 15, 2001</strong></font> |
<strong>007: SECURITY FIX: June 15, 2001</strong> |
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| A race condition exists in the kernel <a href="https://man.openbsd.org/OpenBSD-2.9/execve.2">execve(2)</a> implementation that opens a small window of vulnerability for a non-privileged user to <a href="https://man.openbsd.org/OpenBSD-2.9/ptrace.2">ptrace(2)</a> attach to a suid/sgid process. |
A race condition exists in the kernel <a href="https://man.openbsd.org/OpenBSD-2.9/execve.2">execve(2)</a> implementation that opens a small window of vulnerability for a non-privileged user to <a href="https://man.openbsd.org/OpenBSD-2.9/ptrace.2">ptrace(2)</a> attach to a suid/sgid process. |
| <br> |
<br> |
|
|
| A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
| <p> |
<p> |
| <li id="sshcookie"> |
<li id="sshcookie"> |
| <font color="#009000"><strong>006: SECURITY FIX: June 12, 2001</strong></font> |
<strong>006: SECURITY FIX: June 12, 2001</strong> |
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| <a href="https://man.openbsd.org/OpenBSD-2.9/sshd.8">sshd(8)</a> |
<a href="https://man.openbsd.org/OpenBSD-2.9/sshd.8">sshd(8)</a> |
| allows users to delete arbitrary files named "cookies" if X11 |
allows users to delete arbitrary files named "cookies" if X11 |
|
|
| A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
| <p> |
<p> |
| <li id="pwd_mkdb"> |
<li id="pwd_mkdb"> |
| <font color="#009000"><strong>005: RELIABILITY FIX: June 7, 2001</strong></font> |
<strong>005: RELIABILITY FIX: June 7, 2001</strong> |
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| <a href="https://man.openbsd.org/OpenBSD-2.9/pwd_mkdb.8">pwd_mkdb(8)</a> |
<a href="https://man.openbsd.org/OpenBSD-2.9/pwd_mkdb.8">pwd_mkdb(8)</a> |
| corrupts /etc/pwd.db when modifying an existing user. |
corrupts /etc/pwd.db when modifying an existing user. |
|
|
| A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
| <p> |
<p> |
| <li id="isakmpd"> |
<li id="isakmpd"> |
| <font color="#009000"><strong>004: RELIABILITY FIX: June 5, 2001</strong></font> |
<strong>004: RELIABILITY FIX: June 5, 2001</strong> |
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| <a href="https://man.openbsd.org/OpenBSD-2.9/isakmpd.8">isakmpd(8)</a> |
<a href="https://man.openbsd.org/OpenBSD-2.9/isakmpd.8">isakmpd(8)</a> |
| will fail to use a certificate with an identity string that is |
will fail to use a certificate with an identity string that is |
|
|
| A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
| <p> |
<p> |
| <li id="cd_cover"> |
<li id="cd_cover"> |
| <font color="#009000"><strong>003: DOCUMENTATION FIX: June 1, 2001</strong></font> |
<strong>003: DOCUMENTATION FIX: June 1, 2001</strong> |
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| The 2.9 CD cover states that XFree86 3.3.6-current is included. This is only half-true. |
The 2.9 CD cover states that XFree86 3.3.6-current is included. This is only half-true. |
| In fact, the XFree86 included for all architectures is 4.0.3. On the i386, the |
In fact, the XFree86 included for all architectures is 4.0.3. On the i386, the |
|
|
| some devices which 3.3.6 supported better. |
some devices which 3.3.6 supported better. |
| <p> |
<p> |
| <li id="fts"> |
<li id="fts"> |
| <font color="#009000"><strong>002: SECURITY FIX: May 30, 2001</strong></font> |
<strong>002: SECURITY FIX: May 30, 2001</strong> |
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| Programs using the <a href="https://man.openbsd.org/OpenBSD-2.9/fts.3">fts(3)</a> |
Programs using the <a href="https://man.openbsd.org/OpenBSD-2.9/fts.3">fts(3)</a> |
| routines (such as rm, find, and most programs that take a <b>-R</b> |
routines (such as rm, find, and most programs that take a <b>-R</b> |
|
|
| This is the second version of the patch. |
This is the second version of the patch. |
| <p> |
<p> |
| <li id="sendmail"> |
<li id="sendmail"> |
| <font color="#009000"><strong>001: SECURITY FIX: May 29, 2001</strong></font> |
<strong>001: SECURITY FIX: May 29, 2001</strong> |
| <i>All architectures</i><br> |
<i>All architectures</i><br> |
| The signal handlers in <a href="https://man.openbsd.org/OpenBSD-2.9/sendmail.8">sendmail(8)</a> contain code that is unsafe in the |
The signal handlers in <a href="https://man.openbsd.org/OpenBSD-2.9/sendmail.8">sendmail(8)</a> contain code that is unsafe in the |
| context of a signal handler. This leads to potentially serious |
context of a signal handler. This leads to potentially serious |
|
|
| </ul> |
</ul> |
| |
|
| <hr> |
<hr> |
| |
|
| </body> |
|
| </html> |
|
![[BACK]](/icons/back.gif){kind=icon}
Return to errata29.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www