+
+
+009: RELIABILITY FIX: Jun 23, 2001
+The XF86Setup(1) configuration tool for XFree86 3.3.6 is producing
+corrupted /etc/XF86Config files.
+
A source code patch exists which remedies this problem.
+It does so by linking XF86Setup against the XFree86 3.3.6 version of libXxf86vm.a.
-
-018: INSTALL PROBLEM: Dec 11, 2001
-The X binary sets shipped with OpenBSD 2.9 do not contain several files. These
-missing files can be added manually from the sparc tarballs after the
-installation:
-Grab the
-xbase29.tgz
-and
-xshare29.tgz
-files found in the 2.9/sparc directory on the CD, or any FTP site. The missing
-files can be installed by using the following commands:
-
- # cd /; tar xzpf xbase29.tgz ./usr/X11R6/lib/X11/{rgb.txt,xdm}
- # cd /; tar xzpf xserv29.tgz ./etc/X11/xserver ./usr/X11R6/lib/X11/xserver
- # cd /usr/X11R6/bin/; ln -fs Xmac68k X
-
+When using a PS/2 keyboard with an MSI K7T Pro2A motherboard, it may be
+necessary to disable the "USB Keyboard Support" and
+"USB Mouse Support" options in the BIOS. Otherwise, the i8042
+keyboard controller doesn't acknowledge commands, confusing OpenBSD.
-
-017: SECURITY FIX: November 28, 2001
+
+
+010: RELIABILITY FIX: Jul 9, 2001
+The NVIDIA driver for XFree86 4.0.3 is incorrectly restoring the text
+mode palette upon exit of the X server.
+A source code patch exists which remedies this problem.
+To avoid rebuilding the whole XFree86 tree, an updated binary driver
+is also available
+here.
+Just grab it, copy it to /usr/X11R6/lib/modules/drivers/ and
+restart your X server.
+
+
+
+011: RELIABILITY FIX: July 15, 2001
All architectures
-A security issue exists in the lpd daemon that may allow an attacker
-to create arbitrary new files in the root directory. Only machines
-with line printer access (ie: listed in either /etc/hosts.lpd or
-/etc/hosts.equiv) may be used to mount an attack and the attacker
-must have root access on the machine. OpenBSD does not start lpd
-in the default installation.
-
+The
+packages(7)
+subsystem incorrectly accepts some package dependencies as okay (see
+packages-specs(7)
+for details).
+
+
A source code patch exists which remedies this problem.
+by forcing /usr/sbin/pkg
to be more careful in checking
+version numbers.
-
-016: SECURITY FIX: November 13, 2001
+
+
+012: SECURITY FIX: July 30, 2001
All architectures
-A security issue exists in the vi.recover script that may allow an attacker
-to remove arbitrary zero-length files, regardless of ownership.
+A kernel buffer overflow exists in the NFS mount code. An attacker may
+use this overflow to execute arbitrary code in kernel mode. However,
+only users with mount(2)
+privileges can initiate this attack. In default installs, only super-user has
+mount privileges. The kern.usermount sysctl(3) controls whether other users have mount privileges.
-
+
A source code patch exists which remedies this problem.
-
-015: SECURITY FIX: September 11, 2001
+
+
+013: SECURITY FIX: August 21, 2001
All architectures
-A security hole exists in uuxqt(8)
-that may allow an attacker to run arbitrary commands as user uucp and
-use this to gain root access.
-The UUCP execution daemon, uuxqt(8), has a bug in its command line
-parsing routine that may allow arbitrary commands to be run. Because
-some UUCP commands are run as root (and daemon) from cron it is possible
-to leverage compromise of the UUCP user to gain root.
+A security hole exists in sendmail(8)
+that may allow an attacker on the local host to gain root privileges by
+specifying out-of-bounds debug parameters.
-
+
A source code patch exists which remedies this problem.
+
014: SECURITY FIX: August 29, 2001
All architectures
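Review bot: the MSI K7T Pro2A keyboard paragraph added right after the 009 patch sentence has no number, category or date of its own, so in the reordered list it reads as part of the XF86Setup erratum, which it has nothing to do with. Give it its own heading or move it out of the numbered errata so that each entry's scope stays unambiguous. While these headings are being moved, the date style could also be made uniform: 009 and 010 use "Jun 23, 2001" and "Jul 9, 2001", while 011 onward spell the month out.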
@@ -237,148 +255,158 @@
A source code patch exists which remedies this problem.
-
-013: SECURITY FIX: August 21, 2001
+
+
+015: SECURITY FIX: September 11, 2001
All architectures
-A security hole exists in sendmail(8)
-that may allow an attacker on the local host to gain root privileges by
-specifying out-of-bounds debug parameters.
+A security hole exists in uuxqt(8)
+that may allow an attacker to run arbitrary commands as user uucp and
+use this to gain root access.
+The UUCP execution daemon, uuxqt(8), has a bug in its command line
+parsing routine that may allow arbitrary commands to be run. Because
+some UUCP commands are run as root (and daemon) from cron it is possible
+to leverage compromise of the UUCP user to gain root.
-
+
A source code patch exists which remedies this problem.
-
-012: SECURITY FIX: July 30, 2001
+
+
+016: SECURITY FIX: November 13, 2001
All architectures
-A kernel buffer overflow exists in the NFS mount code. An attacker may
-use this overflow to execute arbitrary code in kernel mode. However,
-only users with mount(2)
-privileges can initiate this attack. In default installs, only super-user has
-mount privileges. The kern.usermount sysctl(3) controls whether other users have mount privileges.
+A security issue exists in the vi.recover script that may allow an attacker
+to remove arbitrary zero-length files, regardless of ownership.
-
+
A source code patch exists which remedies this problem.
-
-011: RELIABILITY FIX: July 15, 2001
+
+
+017: SECURITY FIX: November 28, 2001
All architectures
-The
-packages(7)
-subsystem incorrectly accepts some package dependencies as okay (see
-packages-specs(7)
-for details).
-
-
+A security issue exists in the lpd daemon that may allow an attacker
+to create arbitrary new files in the root directory. Only machines
+with line printer access (ie: listed in either /etc/hosts.lpd or
+/etc/hosts.equiv) may be used to mount an attack and the attacker
+must have root access on the machine. OpenBSD does not start lpd
+in the default installation.
+
A source code patch exists which remedies this problem.
-by forcing /usr/sbin/pkg
to be more careful in checking
-version numbers.
-
-010: RELIABILITY FIX: Jul 9, 2001
-The NVIDIA driver for XFree86 4.0.3 is incorrectly restoring the text
-mode palette upon exit of the X server.
-A source code patch exists which remedies this problem.
-To avoid rebuilding the whole XFree86 tree, an updated binary driver
-is also available
-here.
-Just grab it, copy it to /usr/X11R6/lib/modules/drivers/ and
-restart your X server.
+
+
+018: INSTALL PROBLEM: Dec 11, 2001
+The X binary sets shipped with OpenBSD 2.9 do not contain several files. These
+missing files can be added manually from the sparc tarballs after the
+installation:
+Grab the
+xbase29.tgz
+and
+xshare29.tgz
+files found in the 2.9/sparc directory on the CD, or any FTP site. The missing
+files can be installed by using the following commands:
+
+ # cd /; tar xzpf xbase29.tgz ./usr/X11R6/lib/X11/{rgb.txt,xdm}
+ # cd /; tar xzpf xserv29.tgz ./etc/X11/xserver ./usr/X11R6/lib/X11/xserver
+ # cd /usr/X11R6/bin/; ln -fs Xmac68k X
+
-
-009: RELIABILITY FIX: Jun 23, 2001
-The XF86Setup(1) configuration tool for XFree86 3.3.6 is producing
-corrupted /etc/XF86Config files.
-
+
+
+019: SECURITY FIX: January 17, 2002
+ All architectures
+If the Postfix sendmail replacement is installed on a system an
+attacker may be able to gain root privileges on the local host via
+sudo(8) which runs the mailer as root with an environment inherited
+from the invoking user. While this is a bug in sudo it is not
+believed to be possible to exploit when sendmail (the mailer that
+ships with OpenBSD) is the mailer. As of version 1.6.5, sudo passes
+the mailer an environment that is not subject to influence from the
+invoking user.
+
A source code patch exists which remedies this problem.
-It does so by linking XF86Setup against the XFree86 3.3.6 version of libXxf86vm.a.
-
When using a PS/2 keyboard with an MSI K7T Pro2A motherboard, it may be
-necessary to disable the "USB Keyboard Support" and
-"USB Mouse Support" options in the BIOS. Otherwise, the i8042
-keyboard controller doesn't acknowledge commands, confusing OpenBSD.
-
-
-008: RELIABILITY FIX: June 15, 2001
+
+
+020: SECURITY FIX: February 20, 2002
All architectures
-twe(4)
-mishandles the DMA mapping resulting in a kernel panic on unaligned data
-transfers, induced by programs such as
-disklabel(8)
-and
-dump(8).
-
-
+A race condition between the ptrace(2) and execve(2) system calls allows
+an attacker to modify the memory contents of suid/sgid processes which
+could lead to compromise of the super-user account.
+
A source code patch exists which remedies this problem.
-This is the second version of the patch.
-
-007: SECURITY FIX: June 15, 2001
+
+
+021: SECURITY FIX: March 8, 2002
All architectures
-A race condition exists in the kernel execve(2) implementation that opens a small window of vulnerability for a non-privileged user to ptrace(2) attach to a suid/sgid process.
-
-
+A local user can gain super-user privileges due to an off-by-one check
+in the channel forwarding code of OpenSSH.
+
A source code patch exists which remedies this problem.
-
-006: SECURITY FIX: June 12, 2001
+
+
+022: RELIABILITY FIX: March 13, 2002
All architectures
-sshd(8)
-allows users to delete arbitrary files named "cookies" if X11
-forwarding is enabled. X11 forwarding is disabled by default.
-
-
+Under some circumstances the zlib compression library can free dynamically
+allocated memory twice. This is not a security issue on OpenBSD since the BSD
+free(3)
+function detects this.
+There is also a kernel zlib component that may be used by pppd and IPsec.
+The feasibility of attacking the kernel this way is currently unknown.
+
A source code patch exists which remedies this problem.
-
-005: RELIABILITY FIX: June 7, 2001
+
+
+023: SECURITY FIX: April 11, 2002
All architectures
-pwd_mkdb(8)
-corrupts /etc/pwd.db when modifying an existing user.
+mail(1)
+will process tilde escapes even in non-interactive mode.
+This can lead to a local root compromise.
-
+
A source code patch exists which remedies this problem.
-
-004: RELIABILITY FIX: June 5, 2001
+
+
+024: SECURITY FIX: April 22, 2002
All architectures
-isakmpd(8)
-will fail to use a certificate with an identity string that is
-exactly N * 8 bytes long.
-
-
+A local user can gain super-user privileges due to a buffer overflow
+in sshd(8)
+if AFS has been configured on the system or if
+KerberosTgtPassing or AFSTokenPassing has been enabled
+in the sshd_config file. Ticket and token passing is not enabled
+by default.
+
A source code patch exists which remedies this problem.
-
-003: DOCUMENTATION FIX: June 1, 2001
+
+
+
+025: SECURITY FIX: April 25, 2002
All architectures
-The 2.9 CD cover states that XFree86 3.3.6-current is included. This is only half-true.
-In fact, the XFree86 included for all architectures is 4.0.3. On the i386, the
-3.3.6 Xservers have also been included, because 4.0.3 still has weak support for
-some devices which 3.3.6 supported better.
+A bug in sudo(8) may allow an attacker to corrupt the heap by specifying a custom prompt.
+
+A source code patch exists which remedies this problem.
-
-002: SECURITY FIX: May 30, 2001
+
+
+026: SECURITY FIX: May 8, 2002
All architectures
-Programs using the fts(3)
-routines (such as rm, find, and most programs that take a -R
-flag) can be tricked into changing into the wrong directory if the
-parent dir is changed out from underneath it. This is similar to
-the old fts bug but happens when popping out of directories, as
-opposed to descending into them.
-
-
+A race condition exists where an attacker could fill the file descriptor
+table and defeat the kernel's protection of fd slots 0, 1, and 2 for a
+setuid or setgid process.
+
A source code patch exists which remedies this problem.
-This is the second version of the patch.
-
-001: SECURITY FIX: May 29, 2001
+
+
+027: SECURITY FIX: June 25, 2002
All architectures
-The signal handlers in sendmail(8) contain code that is unsafe in the
-context of a signal handler. This leads to potentially serious
-race conditions. At the moment this is a theoretical attack only
-and can only be exploited on the local host (if at all).
-
+A potential buffer overflow in the DNS resolver has been found.
+
A source code patch exists which remedies this problem.
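Review bot: two sentence fragments survive as unchanged context in this hunk while the rest of their sentences are removed. "to be more careful in checking" is left under the 017 lpd entry after its patch sentence, and "When using a PS/2 keyboard with an MSI K7T Pro2A motherboard, it may be" is left between the 019 patch sentence and the 020 heading. Both lines should be deleted here, since the full sentences are re-added with entries 011 and 009 in the earlier hunk. Separately, new entry 027 says only that a potential buffer overflow in the DNS resolver "has been found"; a sentence on the impact, in the style of the neighbouring entries, would help readers prioritise the patch.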