=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/errata29.html,v retrieving revision 1.79 retrieving revision 1.80 diff -c -r1.79 -r1.80 *** www/errata29.html 2016/02/20 14:18:42 1.79 --- www/errata29.html 2016/03/21 05:46:19 1.80 *************** *** 101,107 ****
  • 025: SECURITY FIX: April 25, 2002   All architectures
    ! A bug in sudo(8) may allow an attacker to corrupt the heap by specifying a custom prompt.
    A source code patch exists which remedies this problem.

    --- 101,107 ----

  • 025: SECURITY FIX: April 25, 2002   All architectures
    ! A bug in sudo(8) may allow an attacker to corrupt the heap by specifying a custom prompt.
    A source code patch exists which remedies this problem.
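Review bot: the `!` line in the 101,107 hunk (the sudo(8) entry) reads the same on the old and new side as shown here, so the wording cannot be checked against the intent of the change. If the revision only touches markup such as the manual page link, say so in the log message so the same check can be applied to every other `!` line in this diff.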

    *************** *** 109,115 **** 024: SECURITY FIX: April 22, 2002   All architectures
    A local user can gain super-user privileges due to a buffer overflow ! in sshd(8) if AFS has been configured on the system or if KerberosTgtPassing or AFSTokenPassing has been enabled in the sshd_config file. Ticket and token passing is not enabled --- 109,115 ---- 024: SECURITY FIX: April 22, 2002   All architectures
    A local user can gain super-user privileges due to a buffer overflow ! in sshd(8) if AFS has been configured on the system or if KerberosTgtPassing or AFSTokenPassing has been enabled in the sshd_config file. Ticket and token passing is not enabled *************** *** 120,126 ****

  • 023: SECURITY FIX: April 11, 2002   All architectures
    ! mail(1) will process tilde escapes even in non-interactive mode. This can lead to a local root compromise.
    --- 120,126 ----
  • 023: SECURITY FIX: April 11, 2002   All architectures
    ! mail(1) will process tilde escapes even in non-interactive mode. This can lead to a local root compromise.
    *************** *** 132,138 ****   All architectures
    Under some circumstances the zlib compression library can free dynamically allocated memory twice. This is not a security issue on OpenBSD since the BSD ! free(3) function detects this. There is also a kernel zlib component that may be used by pppd and IPsec. The feasibility of attacking the kernel this way is currently unknown.
    --- 132,138 ----   All architectures
    Under some circumstances the zlib compression library can free dynamically allocated memory twice. This is not a security issue on OpenBSD since the BSD ! free(3) function detects this. There is also a kernel zlib component that may be used by pppd and IPsec. The feasibility of attacking the kernel this way is currently unknown.
    *************** *** 211,217 ****
  • 015: SECURITY FIX: September 11, 2001   All architectures
    ! A security hole exists in uuxqt(8) that may allow an attacker to run arbitrary commands as user uucp and use this to gain root access. The UUCP execution daemon, uuxqt(8), has a bug in its command line --- 211,217 ----
  • 015: SECURITY FIX: September 11, 2001   All architectures
    ! A security hole exists in uuxqt(8) that may allow an attacker to run arbitrary commands as user uucp and use this to gain root access. The UUCP execution daemon, uuxqt(8), has a bug in its command line *************** *** 225,231 ****
  • 014: SECURITY FIX: August 29, 2001   All architectures
    ! A security hole exists in lpd(8) that may allow an attacker with line printer access to gain root privileges. A machine must be running lpd to be vulnerable (OpenBSD does not start lpd by default). Only machines with line printer --- 225,231 ----
  • 014: SECURITY FIX: August 29, 2001   All architectures
    ! A security hole exists in lpd(8) that may allow an attacker with line printer access to gain root privileges. A machine must be running lpd to be vulnerable (OpenBSD does not start lpd by default). Only machines with line printer *************** *** 238,244 ****
  • 013: SECURITY FIX: August 21, 2001   All architectures
    ! A security hole exists in sendmail(8) that may allow an attacker on the local host to gain root privileges by specifying out-of-bounds debug parameters.
    --- 238,244 ----
  • 013: SECURITY FIX: August 21, 2001   All architectures
    ! A security hole exists in sendmail(8) that may allow an attacker on the local host to gain root privileges by specifying out-of-bounds debug parameters.
    *************** *** 250,258 ****   All architectures
    A kernel buffer overflow exists in the NFS mount code. An attacker may use this overflow to execute arbitrary code in kernel mode. However, ! only users with mount(2) privileges can initiate this attack. In default installs, only super-user has ! mount privileges. The kern.usermount sysctl(3) controls whether other users have mount privileges.
    A source code patch exists which remedies this problem. --- 250,258 ----   All architectures
    A kernel buffer overflow exists in the NFS mount code. An attacker may use this overflow to execute arbitrary code in kernel mode. However, ! only users with mount(2) privileges can initiate this attack. In default installs, only super-user has ! mount privileges. The kern.usermount sysctl(3) controls whether other users have mount privileges.
    A source code patch exists which remedies this problem. *************** *** 261,269 **** 011: RELIABILITY FIX: July 15, 2001   All architectures
    The ! packages(7) subsystem incorrectly accepts some package dependencies as okay (see ! packages-specs(7) for details).
    --- 261,269 ---- 011: RELIABILITY FIX: July 15, 2001   All architectures
    The !
    packages(7) subsystem incorrectly accepts some package dependencies as okay (see ! packages-specs(7) for details).
    *************** *** 299,310 ****
  • 008: RELIABILITY FIX: June 15, 2001   All architectures
    !
    twe(4) mishandles the DMA mapping resulting in a kernel panic on unaligned data transfers, induced by programs such as ! disklabel(8) and ! dump(8).
    A source code patch exists which remedies this problem. --- 299,310 ----
  • 008: RELIABILITY FIX: June 15, 2001   All architectures
    ! twe(4) mishandles the DMA mapping resulting in a kernel panic on unaligned data transfers, induced by programs such as ! disklabel(8) and ! dump(8).
    A source code patch exists which remedies this problem. *************** *** 313,319 ****
  • 007: SECURITY FIX: June 15, 2001   All architectures
    ! A race condition exists in the kernel execve(2) implementation that opens a small window of vulnerability for a non-privileged user to ptrace(2) attach to a suid/sgid process.
    A source code patch exists which remedies this problem. --- 313,319 ----
  • 007: SECURITY FIX: June 15, 2001   All architectures
    ! A race condition exists in the kernel execve(2) implementation that opens a small window of vulnerability for a non-privileged user to ptrace(2) attach to a suid/sgid process.
    A source code patch exists which remedies this problem. *************** *** 321,327 ****
  • 006: SECURITY FIX: June 12, 2001   All architectures
    ! sshd(8) allows users to delete arbitrary files named "cookies" if X11 forwarding is enabled. X11 forwarding is disabled by default.
    --- 321,327 ----
  • 006: SECURITY FIX: June 12, 2001   All architectures
    ! sshd(8) allows users to delete arbitrary files named "cookies" if X11 forwarding is enabled. X11 forwarding is disabled by default.
    *************** *** 331,337 ****
  • 005: RELIABILITY FIX: June 7, 2001   All architectures
    ! pwd_mkdb(8) corrupts /etc/pwd.db when modifying an existing user.
    --- 331,337 ----
  • 005: RELIABILITY FIX: June 7, 2001   All architectures
    !
    pwd_mkdb(8) corrupts /etc/pwd.db when modifying an existing user.
    *************** *** 340,346 ****
  • 004: RELIABILITY FIX: June 5, 2001   All architectures
    !
    isakmpd(8) will fail to use a certificate with an identity string that is exactly N * 8 bytes long.
    --- 340,346 ----
  • 004: RELIABILITY FIX: June 5, 2001   All architectures
    ! isakmpd(8) will fail to use a certificate with an identity string that is exactly N * 8 bytes long.
    *************** *** 358,364 ****
  • 002: SECURITY FIX: May 30, 2001   All architectures
    ! Programs using the fts(3) routines (such as rm, find, and most programs that take a -R flag) can be tricked into changing into the wrong directory if the parent dir is changed out from underneath it. This is similar to --- 358,364 ----
  • 002: SECURITY FIX: May 30, 2001   All architectures
    ! Programs using the fts(3) routines (such as rm, find, and most programs that take a -R flag) can be tricked into changing into the wrong directory if the parent dir is changed out from underneath it. This is similar to *************** *** 372,378 ****
  • 001: SECURITY FIX: May 29, 2001   All architectures
    ! The signal handlers in sendmail(8) contain code that is unsafe in the context of a signal handler. This leads to potentially serious race conditions. At the moment this is a theoretical attack only and can only be exploited on the local host (if at all).
    --- 372,378 ----
  • 001: SECURITY FIX: May 29, 2001   All architectures
    ! The signal handlers in sendmail(8) contain code that is unsafe in the context of a signal handler. This leads to potentially serious race conditions. At the moment this is a theoretical attack only and can only be exploited on the local host (if at all).
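Review bot: in the 250,258 hunk (NFS mount overflow), the changed line "The kern.usermount sysctl(3) controls whether other users have mount privileges" points at the library interface, while an administrator applying this mitigation would inspect or change the variable with sysctl(8). Consider referencing sysctl(8) there, and stating which setting of kern.usermount restricts mounting to the super-user so the reader can verify exposure directly. The same hunk also reads "only super-user has"; "only the super-user has" would be cleaner.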
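Review bot: in the 358,364 hunk (fts(3) entry), the changed line names "rm, find" without manual sections while every other program in this diff is written in the name(section) form, as in fts(3), sudo(8) and mail(1). Suggest rm(1) and find(1) for consistency, and "parent directory" instead of "parent dir". The phrase "changed out from underneath it" also has a singular "it" referring back to the plural "Programs".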