=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/errata29.html,v retrieving revision 1.34 retrieving revision 1.35 diff -c -r1.34 -r1.35 *** www/errata29.html 2003/10/24 22:12:40 1.34 --- www/errata29.html 2003/11/21 16:55:16 1.35 *************** *** 8,13 **** --- 8,14 ---- + *************** *** 50,78 **** consult the OpenBSD FAQ.

! !

All architectures

027: SECURITY FIX: June 25, 2002
A potential buffer overflow in the DNS resolver has been found.
A source code patch exists which remedies the problem.
! !
026: SECURITY FIX: May 8, 2002
A race condition exists where an attacker could fill the file descriptor table and defeat the kernel's protection of fd slots 0, 1, and 2 for a setuid or setgid process.
A source code patch exists which remedies the problem.
! !
025: SECURITY FIX: April 25, 2002
A bug in sudo(8) may allow an attacker to corrupt the heap by specifying a custom prompt.
A source code patch exists which remedies the problem.
! !
024: SECURITY FIX: April 22, 2002
A local user can gain super-user privileges due to a buffer overflow in sshd(8) if AFS has been configured on the system or if --- 51,78 ---- consult the OpenBSD FAQ.
! !
All architectures
- ! 027: SECURITY FIX: June 25, 2002
  A potential buffer overflow in the DNS resolver has been found.
  A source code patch exists which remedies the problem.
  !
- ! 026: SECURITY FIX: May 8, 2002
  A race condition exists where an attacker could fill the file descriptor table and defeat the kernel's protection of fd slots 0, 1, and 2 for a setuid or setgid process.
  A source code patch exists which remedies the problem.
  !
- ! 025: SECURITY FIX: April 25, 2002
  A bug in sudo(8) may allow an attacker to corrupt the heap by specifying a custom prompt.
  A source code patch exists which remedies the problem.
  !
- ! 024: SECURITY FIX: April 22, 2002
  A local user can gain super-user privileges due to a buffer overflow in sshd(8) if AFS has been configured on the system or if *************** *** 81,96 **** by default.
  A source code patch exists which remedies the problem.
  ! !
- 023: SECURITY FIX: April 11, 2002
  mail(1) will process tilde escapes even in non-interactive mode. This can lead to a local root compromise.
  A source code patch exists which remedies the problem.
  ! !
- 022: RELIABILITY FIX: March 13, 2002
  Under some circumstances the zlib compression library can free dynamically allocated memory twice. This is not a security issue on OpenBSD since the BSD free(3) --- 81,96 ---- by default.
  A source code patch exists which remedies the problem.
  !
- ! 023: SECURITY FIX: April 11, 2002
  mail(1) will process tilde escapes even in non-interactive mode. This can lead to a local root compromise.
  A source code patch exists which remedies the problem.
  !
- ! 022: RELIABILITY FIX: March 13, 2002
  Under some circumstances the zlib compression library can free dynamically allocated memory twice. This is not a security issue on OpenBSD since the BSD free(3) *************** *** 99,121 **** The feasibility of attacking the kernel this way is currently unknown.
  A source code patch exists which remedies the problem.
  ! !
- 021: SECURITY FIX: March 8, 2002
  A local user can gain super-user privileges due to an off-by-one check in the channel forwarding code of OpenSSH.
  A source code patch exists which remedies the problem.
  ! !
- 020: SECURITY FIX: February 20, 2002
  A race condition between the ptrace(2) and execve(2) system calls allows an attacker to modify the memory contents of suid/sgid processes which could lead to compromise of the super-user account.
  A source code patch exists which remedies the problem.
  ! !
- 019: SECURITY FIX: January 17, 2002
  If the Postfix sendmail replacement is installed on a system an attacker may be able to gain root privileges on the local host via sudo(8) which runs the mailer as root with an environment inherited --- 99,121 ---- The feasibility of attacking the kernel this way is currently unknown.
  A source code patch exists which remedies the problem.
  !
- ! 021: SECURITY FIX: March 8, 2002
  A local user can gain super-user privileges due to an off-by-one check in the channel forwarding code of OpenSSH.
  A source code patch exists which remedies the problem.
  !
- ! 020: SECURITY FIX: February 20, 2002
  A race condition between the ptrace(2) and execve(2) system calls allows an attacker to modify the memory contents of suid/sgid processes which could lead to compromise of the super-user account.
  A source code patch exists which remedies the problem.
  !
- ! 019: SECURITY FIX: January 17, 2002
  If the Postfix sendmail replacement is installed on a system an attacker may be able to gain root privileges on the local host via sudo(8) which runs the mailer as root with an environment inherited *************** *** 127,134 **** A source code patch exists which remedies the problem.
  ! !
- 017: SECURITY FIX: November 28, 2001
  A security issue exists in the lpd daemon that may allow an attacker to create arbitrary new files in the root directory. Only machines with line printer access (ie: listed in either /etc/hosts.lpd or --- 127,134 ---- A source code patch exists which remedies the problem.
  !
- ! 017: SECURITY FIX: November 28, 2001
  A security issue exists in the lpd daemon that may allow an attacker to create arbitrary new files in the root directory. Only machines with line printer access (ie: listed in either /etc/hosts.lpd or *************** *** 137,151 **** in the default installation. A source code patch exists which remedies the problem.
  ! !
- 016: SECURITY FIX: November 13, 2001
  A security issue exists in the vi.recover script that may allow an attacker to remove arbitrary zero-length files, regardless of ownership.
  A source code patch exists which remedies the problem.
  ! !
- 015: SECURITY FIX: September 11, 2001
  A security hole exists in uuxqt(8) that may allow an attacker to run arbitrary commands as user uucp and use this to gain root access. --- 137,151 ---- in the default installation. A source code patch exists which remedies the problem.
  !
- ! 016: SECURITY FIX: November 13, 2001
  A security issue exists in the vi.recover script that may allow an attacker to remove arbitrary zero-length files, regardless of ownership.
  A source code patch exists which remedies the problem.
  !
- ! 015: SECURITY FIX: September 11, 2001
  A security hole exists in uuxqt(8) that may allow an attacker to run arbitrary commands as user uucp and use this to gain root access. *************** *** 156,163 ****
  A source code patch exists which remedies the problem.
  ! !
- 014: SECURITY FIX: August 29, 2001
  A security hole exists in lpd(8) that may allow an attacker with line printer access to gain root privileges. A machine must be running lpd to be vulnerable (OpenBSD --- 156,163 ----
  A source code patch exists which remedies the problem.
  !
- ! 014: SECURITY FIX: August 29, 2001
  A security hole exists in lpd(8) that may allow an attacker with line printer access to gain root privileges. A machine must be running lpd to be vulnerable (OpenBSD *************** *** 167,182 ****
  A source code patch exists which remedies the problem.
  ! !
- 013: SECURITY FIX: August 21, 2001
  A security hole exists in sendmail(8) that may allow an attacker on the local host to gain root privileges by specifying out-of-bounds debug parameters.
  A source code patch exists which remedies the problem.
  ! !
- 012: SECURITY FIX: July 30, 2001
  A kernel buffer overflow exists in the NFS mount code. An attacker may use this overflow to execute arbitrary code in kernel mode. However, only users with mount(2) --- 167,182 ----
  A source code patch exists which remedies the problem.
  !
- ! 013: SECURITY FIX: August 21, 2001
  A security hole exists in sendmail(8) that may allow an attacker on the local host to gain root privileges by specifying out-of-bounds debug parameters.
  A source code patch exists which remedies the problem.
  !
- ! 012: SECURITY FIX: July 30, 2001
  A kernel buffer overflow exists in the NFS mount code. An attacker may use this overflow to execute arbitrary code in kernel mode. However, only users with mount(2) *************** *** 185,192 ****
  A source code patch exists which remedies the problem.
  ! !
- 011: RELIABILITY FIX: July 15, 2001
  The packages(7) --- 185,192 ----
  A source code patch exists which remedies the problem.
  !
- ! 011: RELIABILITY FIX: July 15, 2001
  The packages(7) *************** *** 198,205 **** by forcing /usr/sbin/pkg to be more careful in checking version numbers.
  ! !
- 008: RELIABILITY FIX: June 15, 2001
  twe(4) mishandles the DMA mapping resulting in a kernel panic on unaligned data --- 198,205 ---- by forcing /usr/sbin/pkg to be more careful in checking version numbers.
  !
- ! 008: RELIABILITY FIX: June 15, 2001
  twe(4) mishandles the DMA mapping resulting in a kernel panic on unaligned data *************** *** 211,239 **** A source code patch exists which remedies the problem. This is the second version of the patch.
  ! !
- 007: SECURITY FIX: June 15, 2001
  A race condition exists in the kernel execve(2) implementation that opens a small window of vulnerability for a non-privileged user to ptrace(2) attach to a suid/sgid process.
  A source code patch exists which remedies the problem.
  ! !
- 006: SECURITY FIX: June 12, 2001
  sshd(8) allows users to delete arbitrary files named "cookies" if X11 forwarding is enabled. X11 forwarding is disabled by default.
  A source code patch exists which remedies the problem.
  ! !
- 005: RELIABILITY FIX: June 7, 2001
  pwd_mkdb(8) corrupts /etc/pwd.db when modifying an existing user.
  A source code patch exists which remedies the problem.
  ! !
- 004: RELIABILITY FIX: June 5, 2001
  isakmpd(8) will fail to use a certificate with an identity string that is exactly N * 8 bytes long. --- 211,239 ---- A source code patch exists which remedies the problem. This is the second version of the patch.
  !
- ! 007: SECURITY FIX: June 15, 2001
  A race condition exists in the kernel execve(2) implementation that opens a small window of vulnerability for a non-privileged user to ptrace(2) attach to a suid/sgid process.
  A source code patch exists which remedies the problem.
  !
- ! 006: SECURITY FIX: June 12, 2001
  sshd(8) allows users to delete arbitrary files named "cookies" if X11 forwarding is enabled. X11 forwarding is disabled by default.
  A source code patch exists which remedies the problem.
  !
- ! 005: RELIABILITY FIX: June 7, 2001
  pwd_mkdb(8) corrupts /etc/pwd.db when modifying an existing user.
  A source code patch exists which remedies the problem.
  !
- ! 004: RELIABILITY FIX: June 5, 2001
  isakmpd(8) will fail to use a certificate with an identity string that is exactly N * 8 bytes long. *************** *** 246,253 **** 3.3.6 Xservers have also been included, because 4.0.3 still has weak support for some devices which 3.3.6 supported better.
  ! !
- 002: SECURITY FIX: May 30, 2001
  Programs using the fts(3) routines (such as rm, find, and most programs that take a -R flag) can be tricked into changing into the wrong directory if the --- 246,253 ---- 3.3.6 Xservers have also been included, because 4.0.3 still has weak support for some devices which 3.3.6 supported better.
  !
- ! 002: SECURITY FIX: May 30, 2001
  Programs using the fts(3) routines (such as rm, find, and most programs that take a -R flag) can be tricked into changing into the wrong directory if the *************** *** 258,265 **** A source code patch exists which remedies the problem. This is the second version of the patch.
  ! !
- 001: SECURITY FIX: May 29, 2001
  The signal handlers in sendmail(8) contain code that is unsafe in the context of a signal handler. This leads to potentially serious race conditions. At the moment this is a theoretical attack only --- 258,265 ---- A source code patch exists which remedies the problem. This is the second version of the patch.
  !
- ! 001: SECURITY FIX: May 29, 2001
  The signal handlers in sendmail(8) contain code that is unsafe in the context of a signal handler. This leads to potentially serious race conditions. At the moment this is a theoretical attack only *************** *** 267,278 **** A source code patch exists which remedies the problem by updating sendmail to version 8.11.4.
! !
i386
- 010: RELIABILITY FIX: Jul 9, ! 2001
  The nVidia driver for XFree86 4.0.3 is incorrectly restoring the text mode palette upon exit of the X server. --- 267,278 ---- A source code patch exists which remedies the problem by updating sendmail to version 8.11.4.
! !
i386
- ! 010: RELIABILITY FIX: Jul 9, ! 2001
  The nVidia driver for XFree86 4.0.3 is incorrectly restoring the text mode palette upon exit of the X server. *************** *** 284,291 **** . Just grab it, copy it to /usr/X11R6/lib/modules/drivers/ and restart your X server.
  ! !
- 009: RELIABILITY FIX: Jun 23, 2001
  The XF86Setup(1) configuration tool for XFree86 3.3.6 is producing corrupted /etc/XF86Config files. --- 284,291 ---- . Just grab it, copy it to /usr/X11R6/lib/modules/drivers/ and restart your X server.
  !
- ! 009: RELIABILITY FIX: Jun 23, 2001
  The XF86Setup(1) configuration tool for XFree86 3.3.6 is producing corrupted /etc/XF86Config files. *************** *** 299,312 **** keyboard controller doesn't acknowledge commands, confusing OpenBSD.
! !
alpha
- No problems identified yet.
! !
mac68k
- 018: INSTALL PROBLEM: Dec 11, 2001
  The X binary sets shipped with OpenBSD 2.9 do not contain several files. These --- 299,312 ---- keyboard controller doesn't acknowledge commands, confusing OpenBSD.
! !
alpha
- No problems identified yet.
! !
mac68k
- 018: INSTALL PROBLEM: Dec 11, 2001
  The X binary sets shipped with OpenBSD 2.9 do not contain several files. These *************** *** 318,380 **** xshare29.tgz files found in the 2.9/sparc directory on the CD, or any FTP site. The missing files can be installed by using the following commands: ! # cd /; tar xzpf xbase29.tgz ./usr/X11R6/lib/X11/{rgb.txt,xdm} # cd /; tar xzpf xserv29.tgz ./etc/X11/xserver ./usr/X11R6/lib/X11/xserver # cd /usr/X11R6/bin/; ln -fs Xmac68k X ! !

! !

sparc

No problems identified yet.

! !

amiga

No problems identified yet.

! !

pmax

No problems identified yet.

! !

hp300

No problems identified yet.

! !

mvme68k

No problems identified yet.

! !

powerpc

No problems identified yet.

! !

vax

No problems identified yet.

! !

sun3

No problems identified yet.

--- 318,378 ---- xshare29.tgz files found in the 2.9/sparc directory on the CD, or any FTP site. The missing files can be installed by using the following commands: !

     # cd /; tar xzpf xbase29.tgz ./usr/X11R6/lib/X11/{rgb.txt,xdm}
     # cd /; tar xzpf xserv29.tgz ./etc/X11/xserver ./usr/X11R6/lib/X11/xserver
     # cd /usr/X11R6/bin/; ln -fs Xmac68k X
!

! !

sparc

No problems identified yet.

! !

amiga

No problems identified yet.

! !

pmax

No problems identified yet.

! !

hp300

No problems identified yet.

! !

mvme68k

No problems identified yet.

! !

powerpc

No problems identified yet.

! !

vax

No problems identified yet.

! !

sun3

No problems identified yet.

*************** *** 399,405 ****

www@openbsd.org !
$OpenBSD: errata29.html,v 1.34 2003/10/24 22:12:40 david Exp $ --- 397,403 ----

www@openbsd.org !
$OpenBSD: errata29.html,v 1.35 2003/11/21 16:55:16 henning Exp $

All architectures

All architectures

i386

i386

alpha

mac68k

alpha

mac68k

sparc

amiga

pmax

hp300

mvme68k

powerpc

vax

sun3

sparc

amiga

pmax

hp300

mvme68k

powerpc

vax

sun3