=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/errata29.html,v retrieving revision 1.34 retrieving revision 1.35 diff -u -r1.34 -r1.35 --- www/errata29.html 2003/10/24 22:12:40 1.34 +++ www/errata29.html 2003/11/21 16:55:16 1.35 @@ -8,6 +8,7 @@ +
@@ -50,29 +51,28 @@ consult the OpenBSD FAQ.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
If the Postfix sendmail replacement is installed on a system an
attacker may be able to gain root privileges on the local host via
sudo(8) which runs the mailer as root with an environment inherited
@@ -127,8 +127,8 @@
A
source code patch exists which remedies the problem.
+
A security issue exists in the lpd daemon that may allow an attacker
to create arbitrary new files in the root directory. Only machines
with line printer access (ie: listed in either /etc/hosts.lpd or
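Review bot: The lpd entry in this hunk's context reads "(ie: listed in either /etc/hosts.lpd or" and calls the program "the lpd daemon", while the later entry on the same page writes "lpd(8)". Since the commit edits the markup directly above this text, it would be worth changing "ie:" to "i.e." and using the "lpd(8)" man page form here too, so the two lpd entries read consistently.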
@@ -137,15 +137,15 @@
in the default installation.
A source code patch exists which remedies the problem.
+
A security issue exists in the vi.recover script that may allow an attacker
to remove arbitrary zero-length files, regardless of ownership.
A source code patch exists which remedies the problem.
+
A security hole exists in uuxqt(8)
that may allow an attacker to run arbitrary commands as user uucp and
use this to gain root access.
@@ -156,8 +156,8 @@
A source code patch exists which remedies the problem.
+
A security hole exists in lpd(8)
that may allow an attacker with line printer access to gain root
privileges. A machine must be running lpd to be vulnerable (OpenBSD
@@ -167,16 +167,16 @@
A source code patch exists which remedies the problem.
+
A security hole exists in sendmail(8)
that may allow an attacker on the local host to gain root privileges by
specifying out-of-bounds debug parameters.
A source code patch exists which remedies the problem.
+
A kernel buffer overflow exists in the NFS mount code. An attacker may
use this overflow to execute arbitrary code in kernel mode. However,
only users with mount(2)
@@ -185,8 +185,8 @@
A source code patch exists which remedies the problem.
The
packages(7)
@@ -198,8 +198,8 @@
by forcing /usr/sbin/pkg
to be more careful in checking
version numbers.
twe(4)
mishandles the DMA mapping resulting in a kernel panic on unaligned data
@@ -211,29 +211,29 @@
A source code patch exists which remedies the problem.
This is the second version of the patch.
+
A race condition exists in the kernel execve(2) implementation that opens a small window of vulnerability for a non-privileged user to ptrace(2) attach to a suid/sgid process.
A source code patch exists which remedies the problem.
+
sshd(8)
allows users to delete arbitrary files named "cookies" if X11
forwarding is enabled. X11 forwarding is disabled by default.
A source code patch exists which remedies the problem.
+
pwd_mkdb(8)
corrupts /etc/pwd.db when modifying an existing user.
A source code patch exists which remedies the problem.
+
isakmpd(8)
will fail to use a certificate with an identity string that is
exactly N * 8 bytes long.
@@ -246,8 +246,8 @@
3.3.6 Xservers have also been included, because 4.0.3 still has weak support for
some devices which 3.3.6 supported better.
+
Programs using the fts(3)
routines (such as rm, find, and most programs that take a -R
flag) can be tricked into changing into the wrong directory if the
@@ -258,8 +258,8 @@
A source code patch exists which remedies the problem.
This is the second version of the patch.
+
The signal handlers in sendmail(8) contain code that is unsafe in the
context of a signal handler. This leads to potentially serious
race conditions. At the moment this is a theoretical attack only
@@ -267,12 +267,12 @@
A source code patch exists which remedies the problem by updating sendmail to version 8.11.4.
+-# cd /; tar xzpf xbase29.tgz ./usr/X11R6/lib/X11/{rgb.txt,xdm} # cd /; tar xzpf xserv29.tgz ./etc/X11/xserver ./usr/X11R6/lib/X11/xserver # cd /usr/X11R6/bin/; ln -fs Xmac68k X -
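Review bot: In the command block at the end of this hunk, "cd /usr/X11R6/bin/; ln -fs Xmac68k X" joins the two commands with ";", so if the cd fails (for example because the X sets are not installed) the forced symlink X is created in whatever directory the root shell was already in. Use "&&" there and in the two "cd /; tar xzpf ..." lines. Those tar lines also name xbase29.tgz and xserv29.tgz by relative path after "cd /", so they only work if the sets were copied to /; the text should say where the sets are expected to be, or show a path to them.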