version 1.95, 2019/05/27 22:55:19 |
version 1.96, 2019/05/28 16:32:41 |
|
|
<hr> |
<hr> |
|
|
<ul> |
<ul> |
<li id="resolver"> |
|
<strong>027: SECURITY FIX: June 25, 2002</strong> |
<li id="sendmail"> |
|
<strong>001: SECURITY FIX: May 29, 2001</strong> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
A potential buffer overflow in the DNS resolver has been found.<br> |
The signal handlers in <a href="https://man.openbsd.org/OpenBSD-2.9/sendmail.8">sendmail(8)</a> contain code that is unsafe in the |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/027_resolver.patch"> |
context of a signal handler. This leads to potentially serious |
|
race conditions. At the moment this is a theoretical attack only |
|
and can only be exploited on the local host (if at all).<br> |
|
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/001_sendmail.patch"> |
A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
<p> |
<p> |
<li id="fdalloc2"> |
|
<strong>026: SECURITY FIX: May 8, 2002</strong> |
<li id="fts"> |
|
<strong>002: SECURITY FIX: May 30, 2001</strong> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
A race condition exists where an attacker could fill the file descriptor |
Programs using the <a href="https://man.openbsd.org/OpenBSD-2.9/fts.3">fts(3)</a> |
table and defeat the kernel's protection of fd slots 0, 1, and 2 for a |
routines (such as rm, find, and most programs that take a <b>-R</b> |
setuid or setgid process.<br> |
flag) can be tricked into changing into the wrong directory if the |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/026_fdalloc2.patch"> |
parent dir is changed out from underneath it. This is similar to |
|
the old fts bug but happens when popping out of directories, as |
|
opposed to descending into them. |
|
<br> |
|
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/002_fts.patch"> |
A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
|
This is the second version of the patch. |
<p> |
<p> |
<li id="sudo2"> |
|
<strong>025: SECURITY FIX: April 25, 2002</strong> |
<li id="cd_cover"> |
|
<strong>003: DOCUMENTATION FIX: June 1, 2001</strong> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
A bug in <a href="https://man.openbsd.org/OpenBSD-2.9/sudo.8">sudo(8)</a> may allow an attacker to corrupt the heap by specifying a custom prompt.<br> |
The 2.9 CD cover states that XFree86 3.3.6-current is included. This is only half-true. |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/025_sudo.patch"> |
In fact, the XFree86 included for all architectures is 4.0.3. On the i386, the |
A source code patch exists which remedies this problem.</a> |
3.3.6 Xservers have also been included, because 4.0.3 still has weak support for |
|
some devices which 3.3.6 supported better. |
<p> |
<p> |
<li id="sshafs"> |
|
<strong>024: SECURITY FIX: April 22, 2002</strong> |
<li id="isakmpd"> |
|
<strong>004: RELIABILITY FIX: June 5, 2001</strong> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
A local user can gain super-user privileges due to a buffer overflow |
<a href="https://man.openbsd.org/OpenBSD-2.9/isakmpd.8">isakmpd(8)</a> |
in <a href="https://man.openbsd.org/OpenBSD-2.9/sshd.8">sshd(8)</a> |
will fail to use a certificate with an identity string that is |
if AFS has been configured on the system or if |
exactly N * 8 bytes long. |
KerberosTgtPassing or AFSTokenPassing has been enabled |
<br> |
in the sshd_config file. Ticket and token passing is not enabled |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/004_isakmpd.patch"> |
by default.<br> |
|
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/024_sshafs.patch"> |
|
A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
<p> |
<p> |
<li id="mail"> |
|
<strong>023: SECURITY FIX: April 11, 2002</strong> |
<li id="pwd_mkdb"> |
|
<strong>005: RELIABILITY FIX: June 7, 2001</strong> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
<a href="https://man.openbsd.org/OpenBSD-2.9/mail.1">mail(1)</a> |
<a href="https://man.openbsd.org/OpenBSD-2.9/pwd_mkdb.8">pwd_mkdb(8)</a> |
will process tilde escapes even in non-interactive mode. |
corrupts /etc/pwd.db when modifying an existing user. |
This can lead to a local root compromise. |
|
<br> |
<br> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/023_mail.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/005_pwd_mkdb.patch"> |
A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
<p> |
<p> |
<li id="zlib"> |
|
<strong>022: RELIABILITY FIX: March 13, 2002</strong> |
<li id="sshcookie"> |
|
<strong>006: SECURITY FIX: June 12, 2001</strong> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
Under some circumstances the zlib compression library can free dynamically |
<a href="https://man.openbsd.org/OpenBSD-2.9/sshd.8">sshd(8)</a> |
allocated memory twice. This is not a security issue on OpenBSD since the BSD |
allows users to delete arbitrary files named "cookies" if X11 |
<a href="https://man.openbsd.org/OpenBSD-2.9/free.3">free(3)</a> |
forwarding is enabled. X11 forwarding is disabled by default. |
function detects this. |
<br> |
There is also a kernel zlib component that may be used by pppd and IPsec. |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/006_sshcookie.patch"> |
The feasibility of attacking the kernel this way is currently unknown.<br> |
|
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/022_zlib.patch"> |
|
A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
<p> |
<p> |
<li id="openssh"> |
|
<strong>021: SECURITY FIX: March 8, 2002</strong> |
<li id="kernexec"> |
|
<strong>007: SECURITY FIX: June 15, 2001</strong> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
A local user can gain super-user privileges due to an off-by-one check |
A race condition exists in the kernel <a href="https://man.openbsd.org/OpenBSD-2.9/execve.2">execve(2)</a> implementation that opens a small window of vulnerability for a non-privileged user to <a href="https://man.openbsd.org/OpenBSD-2.9/ptrace.2">ptrace(2)</a> attach to a suid/sgid process. |
in the channel forwarding code of OpenSSH.<br> |
<br> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/021_openssh.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/007_kernexec.patch"> |
A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
<p> |
<p> |
<li id="ptrace"> |
|
<strong>020: SECURITY FIX: February 20, 2002</strong> |
<li id="twe"> |
|
<strong>008: RELIABILITY FIX: June 15, 2001</strong> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
A race condition between the ptrace(2) and execve(2) system calls allows |
<a href="https://man.openbsd.org/OpenBSD-2.9/twe.4">twe(4)</a> |
an attacker to modify the memory contents of suid/sgid processes which |
mishandles the DMA mapping resulting in a kernel panic on unaligned data |
could lead to compromise of the super-user account.<br> |
transfers, induced by programs such as |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/020_ptrace.patch"> |
<a href="https://man.openbsd.org/OpenBSD-2.9/disklabel.8">disklabel(8)</a> |
|
and |
|
<a href="https://man.openbsd.org/OpenBSD-2.9/dump.8">dump(8)</a>. |
|
<br> |
|
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/008_twe.patch"> |
A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
|
This is the second version of the patch. |
<p> |
<p> |
<li id="sudo"> |
|
<strong>019: SECURITY FIX: January 17, 2002</strong> |
<li id="XF86Setup"> |
<i>All architectures</i><br> |
<strong>009: RELIABILITY FIX: Jun 23, 2001</strong><br> |
If the Postfix sendmail replacement is installed on a system an |
The XF86Setup(1) configuration tool for XFree86 3.3.6 is producing |
attacker may be able to gain root privileges on the local host via |
corrupted /etc/XF86Config files. |
sudo(8) which runs the mailer as root with an environment inherited |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/i386/009_XF86Setup.patch"> |
from the invoking user. While this is a bug in sudo it is not |
|
believed to be possible to exploit when sendmail (the mailer that |
|
ships with OpenBSD) is the mailer. As of version 1.6.5, sudo passes |
|
the mailer an environment that is not subject to influence from the |
|
invoking user.<br> |
|
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/019_sudo.patch"> |
|
A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
|
It does so by linking XF86Setup against the XFree86 3.3.6 version of libXxf86vm.a. |
<p> |
<p> |
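Review bot: entry 009 (XF86Setup) has no architecture line even though its patch lives under patches/2.9/i386/; the heading runs straight into `<br>` where the neighbouring entries carry `<i>All architectures</i><br>`. State the affected architecture here, and likewise for 010 (nvidia), which has the same gap, so the re-sorted list is consistent. The dates "Jun 23, 2001" and "Jul 9, 2001" also abbreviate the month while the other entries spell it out.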
<li id="missing"> |
<li>When using a PS/2 keyboard with an MSI K7T Pro2A motherboard, it may be |
<strong>018: INSTALL PROBLEM: Dec 11, 2001</strong><br> |
necessary to disable the "USB Keyboard Support" and |
The X binary sets shipped with OpenBSD 2.9 do not contain several files. These |
"USB Mouse Support" options in the BIOS. Otherwise, the i8042 |
missing files can be added manually from the sparc tarballs after the |
keyboard controller doesn't acknowledge commands, confusing OpenBSD. |
installation:<br> |
|
Grab the |
|
<a href="https://ftp.openbsd.org/pub/OpenBSD/2.9/sparc/xbase29.tgz">xbase29.tgz</a> |
|
and |
|
<a href="https://ftp.openbsd.org/pub/OpenBSD/2.9/sparc/xshare29.tgz">xshare29.tgz</a> |
|
files found in the 2.9/sparc directory on the CD, or any FTP site. The missing |
|
files can be installed by using the following commands: |
|
<pre> |
|
# cd /; tar xzpf xbase29.tgz ./usr/X11R6/lib/X11/{rgb.txt,xdm} |
|
# cd /; tar xzpf xserv29.tgz ./etc/X11/xserver ./usr/X11R6/lib/X11/xserver |
|
# cd /usr/X11R6/bin/; ln -fs Xmac68k X |
|
</pre> |
|
<p> |
<p> |
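Review bot: the PS/2 keyboard item that follows 009 has no id attribute, number or heading, so nothing can link to it and its place among the numbered entries is only implied by where it sits. Since this change reverses the order of the list, give the item an id, or fold it into the entry it belongs with.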
<li id="lpd2"> |
|
<strong>017: SECURITY FIX: November 28, 2001</strong> |
<li id="nvidia"> |
|
<strong>010: RELIABILITY FIX: Jul 9, 2001</strong><br> |
|
The NVIDIA driver for XFree86 4.0.3 is incorrectly restoring the text |
|
mode palette upon exit of the X server. <a |
|
href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/i386/010_nvidia.patch"> |
|
A source code patch exists which remedies this problem.</a> |
|
To avoid rebuilding the whole XFree86 tree, an updated binary driver |
|
is also available |
|
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/i386/nv_drv.o">here</a>. |
|
Just grab it, copy it to /usr/X11R6/lib/modules/drivers/ and |
|
restart your X server. |
|
<p> |
|
|
|
<li id="pkg"> |
|
<strong>011: RELIABILITY FIX: July 15, 2001</strong> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
A security issue exists in the lpd daemon that may allow an attacker |
The |
to create arbitrary new files in the root directory. Only machines |
<a href="https://man.openbsd.org/OpenBSD-2.9/packages.7">packages(7)</a> |
with line printer access (ie: listed in either /etc/hosts.lpd or |
subsystem incorrectly accepts some package dependencies as okay (see |
/etc/hosts.equiv) may be used to mount an attack and the attacker |
<a href="https://man.openbsd.org/OpenBSD-2.9/packages-specs.7">packages-specs(7)</a> |
must have root access on the machine. OpenBSD does not start lpd |
for details). |
in the default installation. |
<br> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/017_lpd.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/011_pkg.patch"> |
A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
|
by forcing <code>/usr/sbin/pkg</code> to be more careful in checking |
|
version numbers. |
<p> |
<p> |
<li id="vi.recover"> |
|
<strong>016: SECURITY FIX: November 13, 2001</strong> |
<li id="nfs"> |
|
<strong>012: SECURITY FIX: July 30, 2001</strong> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
A security issue exists in the vi.recover script that may allow an attacker |
A kernel buffer overflow exists in the NFS mount code. An attacker may |
to remove arbitrary zero-length files, regardless of ownership. |
use this overflow to execute arbitrary code in kernel mode. However, |
|
only users with <a href="https://man.openbsd.org/OpenBSD-2.9/mount.2">mount(2)</a> |
|
privileges can initiate this attack. In default installs, only super-user has |
|
mount privileges. The kern.usermount <a href="https://man.openbsd.org/OpenBSD-2.9/sysctl.3">sysctl(3)</a> controls whether other users have mount privileges. |
<br> |
<br> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/016_recover.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/012_nfs.patch"> |
A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
<p> |
<p> |
<li id="uucp"> |
|
<strong>015: SECURITY FIX: September 11, 2001</strong> |
<li id="sendmail2"> |
|
<strong>013: SECURITY FIX: August 21, 2001</strong> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
A security hole exists in <a href="https://man.openbsd.org/OpenBSD-2.9/uuxqt.8">uuxqt(8)</a> |
A security hole exists in <a href="https://man.openbsd.org/OpenBSD-2.9/sendmail.8">sendmail(8)</a> |
that may allow an attacker to run arbitrary commands as user uucp and |
that may allow an attacker on the local host to gain root privileges by |
use this to gain root access. |
specifying out-of-bounds debug parameters. |
The UUCP execution daemon, uuxqt(8), has a bug in its command line |
|
parsing routine that may allow arbitrary commands to be run. Because |
|
some UUCP commands are run as root (and daemon) from cron it is possible |
|
to leverage compromise of the UUCP user to gain root. |
|
<br> |
<br> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/015_uucp.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/013_sendmail.patch"> |
A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
<p> |
<p> |
|
|
<li id="lpd"> |
<li id="lpd"> |
<strong>014: SECURITY FIX: August 29, 2001</strong> |
<strong>014: SECURITY FIX: August 29, 2001</strong> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
|
|
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/014_lpd.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/014_lpd.patch"> |
A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
<p> |
<p> |
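Review bot: entry 014 (lpd) has no description; between `<i>All architectures</i><br>` and the link to 014_lpd.patch there is no text saying what the problem is, in both versions. Add a sentence describing the issue, as the other SECURITY FIX entries have.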
<li id="sendmail2"> |
|
<strong>013: SECURITY FIX: August 21, 2001</strong> |
<li id="uucp"> |
|
<strong>015: SECURITY FIX: September 11, 2001</strong> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
A security hole exists in <a href="https://man.openbsd.org/OpenBSD-2.9/sendmail.8">sendmail(8)</a> |
A security hole exists in <a href="https://man.openbsd.org/OpenBSD-2.9/uuxqt.8">uuxqt(8)</a> |
that may allow an attacker on the local host to gain root privileges by |
that may allow an attacker to run arbitrary commands as user uucp and |
specifying out-of-bounds debug parameters. |
use this to gain root access. |
|
The UUCP execution daemon, uuxqt(8), has a bug in its command line |
|
parsing routine that may allow arbitrary commands to be run. Because |
|
some UUCP commands are run as root (and daemon) from cron it is possible |
|
to leverage compromise of the UUCP user to gain root. |
<br> |
<br> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/013_sendmail.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/015_uucp.patch"> |
A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
<p> |
<p> |
<li id="nfs"> |
|
<strong>012: SECURITY FIX: July 30, 2001</strong> |
<li id="vi.recover"> |
|
<strong>016: SECURITY FIX: November 13, 2001</strong> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
A kernel buffer overflow exists in the NFS mount code. An attacker may |
A security issue exists in the vi.recover script that may allow an attacker |
use this overflow to execute arbitrary code in kernel mode. However, |
to remove arbitrary zero-length files, regardless of ownership. |
only users with <a href="https://man.openbsd.org/OpenBSD-2.9/mount.2">mount(2)</a> |
|
privileges can initiate this attack. In default installs, only super-user has |
|
mount privileges. The kern.usermount <a href="https://man.openbsd.org/OpenBSD-2.9/sysctl.3">sysctl(3)</a> controls whether other users have mount privileges. |
|
<br> |
<br> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/012_nfs.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/016_recover.patch"> |
A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
<p> |
<p> |
<li id="pkg"> |
|
<strong>011: RELIABILITY FIX: July 15, 2001</strong> |
<li id="lpd2"> |
|
<strong>017: SECURITY FIX: November 28, 2001</strong> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
The |
A security issue exists in the lpd daemon that may allow an attacker |
<a href="https://man.openbsd.org/OpenBSD-2.9/packages.7">packages(7)</a> |
to create arbitrary new files in the root directory. Only machines |
subsystem incorrectly accepts some package dependencies as okay (see |
with line printer access (ie: listed in either /etc/hosts.lpd or |
<a href="https://man.openbsd.org/OpenBSD-2.9/packages-specs.7">packages-specs(7)</a> |
/etc/hosts.equiv) may be used to mount an attack and the attacker |
for details). |
must have root access on the machine. OpenBSD does not start lpd |
<br> |
in the default installation. |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/011_pkg.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/017_lpd.patch"> |
A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
by forcing <code>/usr/sbin/pkg</code> to be more careful in checking |
|
version numbers. |
|
<p> |
<p> |
<li id="nvidia"> |
|
<strong>010: RELIABILITY FIX: Jul 9, 2001</strong><br> |
<li id="missing"> |
The NVIDIA driver for XFree86 4.0.3 is incorrectly restoring the text |
<strong>018: INSTALL PROBLEM: Dec 11, 2001</strong><br> |
mode palette upon exit of the X server. <a |
The X binary sets shipped with OpenBSD 2.9 do not contain several files. These |
href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/i386/010_nvidia.patch"> |
missing files can be added manually from the sparc tarballs after the |
A source code patch exists which remedies this problem.</a> |
installation:<br> |
To avoid rebuilding the whole XFree86 tree, an updated binary driver |
Grab the |
is also available |
<a href="https://ftp.openbsd.org/pub/OpenBSD/2.9/sparc/xbase29.tgz">xbase29.tgz</a> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/i386/nv_drv.o">here</a>. |
and |
Just grab it, copy it to /usr/X11R6/lib/modules/drivers/ and |
<a href="https://ftp.openbsd.org/pub/OpenBSD/2.9/sparc/xshare29.tgz">xshare29.tgz</a> |
restart your X server. |
files found in the 2.9/sparc directory on the CD, or any FTP site. The missing |
|
files can be installed by using the following commands: |
|
<pre> |
|
# cd /; tar xzpf xbase29.tgz ./usr/X11R6/lib/X11/{rgb.txt,xdm} |
|
# cd /; tar xzpf xserv29.tgz ./etc/X11/xserver ./usr/X11R6/lib/X11/xserver |
|
# cd /usr/X11R6/bin/; ln -fs Xmac68k X |
|
</pre> |
<p> |
<p> |
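Review bot: in entry 018 the prose and the commands disagree: the text tells the reader to grab xbase29.tgz and xshare29.tgz from the sparc directory, but the second tar command extracts from xserv29.tgz, and the final `ln -fs Xmac68k X` names a mac68k server. The entry also has no architecture line. Make the named tarballs match the ones the commands read, and state which architecture the erratum applies to.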
<li id="XF86Setup"> |
|
<strong>009: RELIABILITY FIX: Jun 23, 2001</strong><br> |
<li id="sudo"> |
The XF86Setup(1) configuration tool for XFree86 3.3.6 is producing |
<strong>019: SECURITY FIX: January 17, 2002</strong> |
corrupted /etc/XF86Config files. |
<i>All architectures</i><br> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/i386/009_XF86Setup.patch"> |
If the Postfix sendmail replacement is installed on a system an |
|
attacker may be able to gain root privileges on the local host via |
|
sudo(8) which runs the mailer as root with an environment inherited |
|
from the invoking user. While this is a bug in sudo it is not |
|
believed to be possible to exploit when sendmail (the mailer that |
|
ships with OpenBSD) is the mailer. As of version 1.6.5, sudo passes |
|
the mailer an environment that is not subject to influence from the |
|
invoking user.<br> |
|
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/019_sudo.patch"> |
A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
It does so by linking XF86Setup against the XFree86 3.3.6 version of libXxf86vm.a. |
|
<p> |
<p> |
<li>When using a PS/2 keyboard with an MSI K7T Pro2A motherboard, it may be |
|
necessary to disable the "USB Keyboard Support" and |
<li id="ptrace"> |
"USB Mouse Support" options in the BIOS. Otherwise, the i8042 |
<strong>020: SECURITY FIX: February 20, 2002</strong> |
keyboard controller doesn't acknowledge commands, confusing OpenBSD. |
|
<p> |
|
<li id="twe"> |
|
<strong>008: RELIABILITY FIX: June 15, 2001</strong> |
|
<i>All architectures</i><br> |
<i>All architectures</i><br> |
<a href="https://man.openbsd.org/OpenBSD-2.9/twe.4">twe(4)</a> |
A race condition between the ptrace(2) and execve(2) system calls allows |
mishandles the DMA mapping resulting in a kernel panic on unaligned data |
an attacker to modify the memory contents of suid/sgid processes which |
transfers, induced by programs such as |
could lead to compromise of the super-user account.<br> |
<a href="https://man.openbsd.org/OpenBSD-2.9/disklabel.8">disklabel(8)</a> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/020_ptrace.patch"> |
and |
|
<a href="https://man.openbsd.org/OpenBSD-2.9/dump.8">dump(8)</a>. |
|
<br> |
|
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/008_twe.patch"> |
|
A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
This is the second version of the patch. |
|
<p> |
<p> |
<li id="kernexec"> |
|
<strong>007: SECURITY FIX: June 15, 2001</strong> |
<li id="openssh"> |
|
<strong>021: SECURITY FIX: March 8, 2002</strong> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
A race condition exists in the kernel <a href="https://man.openbsd.org/OpenBSD-2.9/execve.2">execve(2)</a> implementation that opens a small window of vulnerability for a non-privileged user to <a href="https://man.openbsd.org/OpenBSD-2.9/ptrace.2">ptrace(2)</a> attach to a suid/sgid process. |
A local user can gain super-user privileges due to an off-by-one check |
<br> |
in the channel forwarding code of OpenSSH.<br> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/007_kernexec.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/021_openssh.patch"> |
A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
<p> |
<p> |
<li id="sshcookie"> |
|
<strong>006: SECURITY FIX: June 12, 2001</strong> |
<li id="zlib"> |
|
<strong>022: RELIABILITY FIX: March 13, 2002</strong> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
<a href="https://man.openbsd.org/OpenBSD-2.9/sshd.8">sshd(8)</a> |
Under some circumstances the zlib compression library can free dynamically |
allows users to delete arbitrary files named "cookies" if X11 |
allocated memory twice. This is not a security issue on OpenBSD since the BSD |
forwarding is enabled. X11 forwarding is disabled by default. |
<a href="https://man.openbsd.org/OpenBSD-2.9/free.3">free(3)</a> |
<br> |
function detects this. |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/006_sshcookie.patch"> |
There is also a kernel zlib component that may be used by pppd and IPsec. |
|
The feasibility of attacking the kernel this way is currently unknown.<br> |
|
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/022_zlib.patch"> |
A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
<p> |
<p> |
<li id="pwd_mkdb"> |
|
<strong>005: RELIABILITY FIX: June 7, 2001</strong> |
<li id="mail"> |
|
<strong>023: SECURITY FIX: April 11, 2002</strong> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
<a href="https://man.openbsd.org/OpenBSD-2.9/pwd_mkdb.8">pwd_mkdb(8)</a> |
<a href="https://man.openbsd.org/OpenBSD-2.9/mail.1">mail(1)</a> |
corrupts /etc/pwd.db when modifying an existing user. |
will process tilde escapes even in non-interactive mode. |
|
This can lead to a local root compromise. |
<br> |
<br> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/005_pwd_mkdb.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/023_mail.patch"> |
A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
<p> |
<p> |
<li id="isakmpd"> |
|
<strong>004: RELIABILITY FIX: June 5, 2001</strong> |
<li id="sshafs"> |
|
<strong>024: SECURITY FIX: April 22, 2002</strong> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
<a href="https://man.openbsd.org/OpenBSD-2.9/isakmpd.8">isakmpd(8)</a> |
A local user can gain super-user privileges due to a buffer overflow |
will fail to use a certificate with an identity string that is |
in <a href="https://man.openbsd.org/OpenBSD-2.9/sshd.8">sshd(8)</a> |
exactly N * 8 bytes long. |
if AFS has been configured on the system or if |
<br> |
KerberosTgtPassing or AFSTokenPassing has been enabled |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/004_isakmpd.patch"> |
in the sshd_config file. Ticket and token passing is not enabled |
|
by default.<br> |
|
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/024_sshafs.patch"> |
A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
<p> |
<p> |
<li id="cd_cover"> |
|
<strong>003: DOCUMENTATION FIX: June 1, 2001</strong> |
|
|
<li id="sudo2"> |
|
<strong>025: SECURITY FIX: April 25, 2002</strong> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
The 2.9 CD cover states that XFree86 3.3.6-current is included. This is only half-true. |
A bug in <a href="https://man.openbsd.org/OpenBSD-2.9/sudo.8">sudo(8)</a> may allow an attacker to corrupt the heap by specifying a custom prompt.<br> |
In fact, the XFree86 included for all architectures is 4.0.3. On the i386, the |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/025_sudo.patch"> |
3.3.6 Xservers have also been included, because 4.0.3 still has weak support for |
A source code patch exists which remedies this problem.</a> |
some devices which 3.3.6 supported better. |
|
<p> |
<p> |
<li id="fts"> |
|
<strong>002: SECURITY FIX: May 30, 2001</strong> |
<li id="fdalloc2"> |
|
<strong>026: SECURITY FIX: May 8, 2002</strong> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
Programs using the <a href="https://man.openbsd.org/OpenBSD-2.9/fts.3">fts(3)</a> |
A race condition exists where an attacker could fill the file descriptor |
routines (such as rm, find, and most programs that take a <b>-R</b> |
table and defeat the kernel's protection of fd slots 0, 1, and 2 for a |
flag) can be tricked into changing into the wrong directory if the |
setuid or setgid process.<br> |
parent dir is changed out from underneath it. This is similar to |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/026_fdalloc2.patch"> |
the old fts bug but happens when popping out of directories, as |
|
opposed to descending into them. |
|
<br> |
|
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/002_fts.patch"> |
|
A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
This is the second version of the patch. |
|
<p> |
<p> |
<li id="sendmail"> |
|
<strong>001: SECURITY FIX: May 29, 2001</strong> |
<li id="resolver"> |
|
<strong>027: SECURITY FIX: June 25, 2002</strong> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
The signal handlers in <a href="https://man.openbsd.org/OpenBSD-2.9/sendmail.8">sendmail(8)</a> contain code that is unsafe in the |
A potential buffer overflow in the DNS resolver has been found.<br> |
context of a signal handler. This leads to potentially serious |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/027_resolver.patch"> |
race conditions. At the moment this is a theoretical attack only |
|
and can only be exploited on the local host (if at all).<br> |
|
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/001_sendmail.patch"> |
|
A source code patch exists which remedies this problem.</a> |
A source code patch exists which remedies this problem.</a> |
<p> |
<p> |
|
|