=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/errata30.html,v retrieving revision 1.105 retrieving revision 1.106 diff -c -r1.105 -r1.106 *** www/errata30.html 2019/05/27 22:55:19 1.105 --- www/errata30.html 2019/05/28 16:32:41 1.106 *************** *** 84,243 ****

! 036: SECURITY FIX: November 14, 2002 All architectures
! A buffer overflow in ! named(8) ! could allow an attacker to execute code with the privileges of named. ! On OpenBSD, named runs as a non-root user in a chrooted environment ! which mitigates the effects of this bug.
! ! A source code patch exists which remedies this problem.
!
! 035: SECURITY FIX: November 6, 2002 All architectures
! Incorrect argument checking in the ! getrlimit(2) ! system call may allow an attacker to crash the kernel.
! A source code patch exists which remedies this problem.
!
! 034: SECURITY FIX: November 6, 2002 ! All architectures
! An attacker can bypass the restrictions imposed by sendmail's restricted shell, ! smrsh(8), ! and execute arbitrary commands with the privileges of his own account.
! A source code patch exists which remedies this problem.
!
! 033: SECURITY FIX: October 21, 2002 ! All architectures
! A buffer overflow can occur in the ! kadmind(8) ! daemon, leading to possible remote crash or exploit.
! A source code patch exists which remedies this problem.
!
! 032: SECURITY FIX: October 7, 2002 ! All architectures
! Incorrect argument checking in the ! setitimer(2) system call may allow an attacker to write to kernel memory.
! A source code patch exists which remedies this problem.
!
! 031: SECURITY FIX: August 11, 2002 All architectures
! An insufficient boundary check in the ! select(2) ! system call allows an attacker to overwrite kernel memory and execute arbitrary ! code in kernel context.
! A source code patch exists which remedies this problem.
!
! 030: SECURITY FIX: July 30, 2002 All architectures
! Several remote buffer overflows can occur in the SSL2 server and SSL3 client of the ! ssl(8) ! library, as in the ASN.1 parser code in the ! crypto(3) ! library, all of them being potentially remotely exploitable.
! ! A source code patch exists which remedies this problem.
! This is the second version of the patch.
!
! 029: SECURITY FIX: July 29, 2002 All architectures
! A buffer overflow can occur in the ! xdr_array(3) ! RPC code, leading to possible remote crash.
! A source code patch exists which remedies this problem.
! This is the second version of the patch.
!
! 028: SECURITY FIX: July 29, 2002 All architectures
! A race condition exists in the ! pppd(8) ! daemon which may cause it to alter the file permissions of an arbitrary file.
! A source code patch exists which remedies this problem.
!
! 027: RELIABILITY FIX: July 5, 2002 All architectures
! Receiving IKE payloads out of sequence can cause ! isakmpd(8) to crash.
! A source code patch exists which remedies this problem. -
- This is the second version of the patch.
!
! 026: SECURITY FIX: June 27, 2002 All architectures
! The kernel would let any user ktrace(2) set[ug]id processes.
! A source code patch exists which remedies this problem.
!
! 025: SECURITY FIX: June 25, 2002 All architectures
! A potential buffer overflow in the DNS resolver has been found.
! A source code patch exists which remedies this problem.
!
! 024: SECURITY FIX: June 24, 2002 All architectures
! All versions of OpenSSH's sshd between 2.3.1 and 3.3 contain an input validation ! error that can result in an integer overflow and privilege escalation. ! This problem is fixed in OpenSSH ! 3.4, and a patch for the vulnerable releases is available as part of the ! security advisory.
!
! 023: SECURITY FIX: June 24, 2002 All architectures
! A buffer overflow can occur in the .htaccess parsing code in mod_ssl httpd ! module, leading to possible remote crash or exploit.
! A source code patch exists which remedies this problem.
!
! 022: SECURITY FIX: June 19, 2002 All architectures
! A buffer overflow can occur during the interpretation of chunked ! encoding in the http daemon, leading to possible remote crash or exploit.
! A source code patch exists which remedies this problem.
!
! 021: SECURITY FIX: May 8, 2002 All architectures
! A race condition exists where an attacker could fill the file descriptor ! table and defeat the kernel's protection of fd slots 0, 1, and 2 for a ! setuid or setgid process.
! A source code patch exists which remedies this problem.
!
! 020: SECURITY FIX: April 25, 2002 All architectures
! A bug in sudo(8) may allow an attacker to corrupt the heap by specifying a custom prompt.
! A source code patch exists which remedies this problem.
019: SECURITY FIX: April 22, 2002 All architectures
--- 84,310 ----
- ! 001: INSTALL ISSUE: November 12, 2001 All architectures
  ! A small bug in the installation script causes the /etc/hosts file to ! be incorrectly formed.
  ! The resulting file contains a line which reads like:
  ! #.#.#.# hostname. hostname
  ! This line should actually read something like:
  ! #.#.#.# hostname.domainname.com hostname !
  ! To correct this problem, simply edit the file and insert the domainname in ! the required place. !
  ! !
- ! 002: SECURITY FIX: November 12, 2001 All architectures
  ! sshd(8) ! is being upgraded from OpenSSH 3.0 to OpenSSH 3.0.2 to fix a few problems: !
  !
  - A security hole that may allow an attacker to partially authenticate ! if -- and only if -- the administrator has enabled KerberosV. !
    ! By default, OpenSSH KerberosV support only becomes active after KerberosV ! has been properly configured. !
    !
  - An excessive memory clearing bug (which we believe to be unexploitable) ! also exists, but since this may cause daemon crashes, we are providing a ! patch as well. !
    !
  - A vulnerability in environment passing in the UseLogin ! sshd option !
    !
  - Various other non-critical fixes. !
  !
  ! Effectively an upgrade of OpenSSH 3.0 to OpenSSH 3.0.2. ! A source code patch exists which remedies this problem. + This is the second version of this patch.
  ! !
- ! 003: RELIABILITY FIX: November 12, 2001 !
  ! Access to a CD drive on the PCI ultrasparc machines results in a continuous stream ! of bogus interrupt messages, causing great user anguish. !
  ! A source code patch exists which remedies this problem.
  ! !
- ! 004: RELIABILITY FIX: November 12, 2001 !
  ! Hifn7751 based cards may stop working on certain motherboards due to ! DMA errors. !
  ! A source code patch exists which remedies this problem.
  ! !
- ! 005: RELIABILITY FIX: November 12, 2001 !
  ! Execution of Altivec instructions will crash the kernel. !
  ! A source code patch exists which remedies this problem.
  ! !
- ! 006: SECURITY FIX: November 13, 2001 All architectures
  ! pf(4) ! was incapable of dealing with certain ipv6 icmp packets, resulting in a crash. !
  ! A source code patch exists which remedies this problem.
  ! !
- ! 007: SECURITY FIX: November 13, 2001 All architectures
  ! A security issue exists in the vi.recover script that may allow an attacker ! to remove arbitrary zero-length files, regardless of ownership.
  ! ! A source code patch exists which remedies this problem.
  ! !
- ! 008: SECURITY FIX: November 28, 2001 All architectures
  ! A security issue exists in the lpd daemon that may allow an attacker ! to create arbitrary new files in the root directory. Only machines ! with line printer access (ie: listed in either /etc/hosts.lpd or ! /etc/hosts.equiv) may be used to mount an attack and the attacker ! must have root access on the machine. OpenBSD does not start lpd ! in the default installation.
  ! A source code patch exists which remedies this problem. +
  + +
- + 009: INSTALLATION FIX: December 11, 2001
  ! The 3.0 CD2 was created with an error which means that the instructions ! for booting this architecture will not work. Instead, to boot the ! CD, press Option-Command-O-F during power up to get into OpenFirmware ! and then type: !
  ! boot cd:,OFWBOOT /3.0/macppc/bsd.rd
  ! !
- ! 010: RELIABILITY FIX: December 13, 2001 All architectures
  ! Systems running with IP-in-IP encapsulation can be made to crash by ! malformed packets.
  ! A source code patch exists which remedies this problem.
  ! !
- ! 011: SECURITY FIX: January 17, 2002 All architectures
  ! If the Postfix sendmail replacement is installed on a system an ! attacker may be able to gain root privileges on the local host via ! sudo(8) which runs the mailer as root with an environment inherited ! from the invoking user. While this is a bug in sudo it is not ! believed to be possible to exploit when sendmail (the mailer that ! ships with OpenBSD) is the mailer. As of version 1.6.5, sudo passes ! the mailer an environment that is not subject to influence from the ! invoking user.
  ! A source code patch exists which remedies this problem.
  ! !
- ! 012: SECURITY FIX: January 21, 2002 All architectures
  ! A race condition between the ptrace(2) and execve(2) system calls allows ! an attacker to modify the memory contents of suid/sgid processes which ! could lead to compromise of the super-user account.
  ! A source code patch exists which remedies this problem.
  ! !
- ! 013: RELIABILITY FIX: February 4, 2002 All architectures
  ! The wrong filedescriptors are released when pipe(2) failed.
  ! A source code patch exists which remedies this problem.
  ! !
- ! 014: SECURITY FIX: March 8, 2002 All architectures
  ! A local user can gain super-user privileges due to an off-by-one check ! in the channel forwarding code of OpenSSH.
  ! ! A source code patch exists which remedies this problem.
  ! !
- ! 015: RELIABILITY FIX: March 13, 2002 All architectures
  ! Under some circumstances the zlib compression library can free dynamically ! allocated memory twice. This is not a security issue on OpenBSD since the BSD ! free(3) ! function detects this. ! There is also a kernel zlib component that may be used by pppd and IPsec. ! The feasibility of attacking the kernel this way is currently unknown.
  ! A source code patch exists which remedies this problem.
  ! !
- ! 016: SECURITY FIX: March 19, 2002 All architectures
  ! Under certain conditions, on systems using YP with netgroups in the password ! database, it is possible for the ! rexecd(8) ! and ! rshd(8) ! daemons to execute the shell from a different user's password entry. ! Due to a similar problem, ! atrun(8) ! may change to the wrong home directory when running ! at(1) ! jobs.
  ! A source code patch exists which remedies this problem.
  ! !
- ! 017: RELIABILITY FIX: March 26, 2002 All architectures
  ! isakmpd(8) ! will crash when receiving a zero length IKE packet due to a too-late length check. !
  ! A source code patch exists which remedies this problem.
  ! !
- ! 018: SECURITY FIX: April 11, 2002 All architectures
  ! mail(1) ! will process tilde escapes even in non-interactive mode. ! This can lead to a local root compromise. !
  ! A source code patch exists which remedies this problem.
  +
- 019: SECURITY FIX: April 22, 2002 All architectures
  *************** *** 250,456 **** A source code patch exists which remedies this problem.
  !
- ! 018: SECURITY FIX: April 11, 2002 All architectures
  ! mail(1) ! will process tilde escapes even in non-interactive mode. ! This can lead to a local root compromise. !
  ! A source code patch exists which remedies this problem.
  !
- ! 017: RELIABILITY FIX: March 26, 2002 All architectures
  ! isakmpd(8) ! will crash when receiving a zero length IKE packet due to a too-late length check. !
  ! A source code patch exists which remedies this problem.
  !
- ! 016: SECURITY FIX: March 19, 2002 All architectures
  ! Under certain conditions, on systems using YP with netgroups in the password ! database, it is possible for the ! rexecd(8) ! and ! rshd(8) ! daemons to execute the shell from a different user's password entry. ! Due to a similar problem, ! atrun(8) ! may change to the wrong home directory when running ! at(1) ! jobs.
  ! A source code patch exists which remedies this problem.
  !
- ! 015: RELIABILITY FIX: March 13, 2002 All architectures
  ! Under some circumstances the zlib compression library can free dynamically ! allocated memory twice. This is not a security issue on OpenBSD since the BSD ! free(3) ! function detects this. ! There is also a kernel zlib component that may be used by pppd and IPsec. ! The feasibility of attacking the kernel this way is currently unknown.
  ! A source code patch exists which remedies this problem.
  !
- ! 014: SECURITY FIX: March 8, 2002 All architectures
  ! A local user can gain super-user privileges due to an off-by-one check ! in the channel forwarding code of OpenSSH.
  ! ! A source code patch exists which remedies this problem.
  !
- ! 013: RELIABILITY FIX: February 4, 2002 All architectures
  ! The wrong filedescriptors are released when pipe(2) failed.
  ! A source code patch exists which remedies this problem.
  !
- ! 012: SECURITY FIX: January 21, 2002 All architectures
  ! A race condition between the ptrace(2) and execve(2) system calls allows ! an attacker to modify the memory contents of suid/sgid processes which ! could lead to compromise of the super-user account.
  ! A source code patch exists which remedies this problem.
  !
- ! 011: SECURITY FIX: January 17, 2002 All architectures
  ! If the Postfix sendmail replacement is installed on a system an ! attacker may be able to gain root privileges on the local host via ! sudo(8) which runs the mailer as root with an environment inherited ! from the invoking user. While this is a bug in sudo it is not ! believed to be possible to exploit when sendmail (the mailer that ! ships with OpenBSD) is the mailer. As of version 1.6.5, sudo passes ! the mailer an environment that is not subject to influence from the ! invoking user.
  ! A source code patch exists which remedies this problem.
  !
- ! 010: RELIABILITY FIX: December 13, 2001 All architectures
  ! Systems running with IP-in-IP encapsulation can be made to crash by ! malformed packets.
  ! A source code patch exists which remedies this problem.
  !
- ! 009: INSTALLATION FIX: December 11, 2001
  ! The 3.0 CD2 was created with an error which means that the instructions ! for booting this architecture will not work. Instead, to boot the ! CD, press Option-Command-O-F during power up to get into OpenFirmware ! and then type: !
  ! boot cd:,OFWBOOT /3.0/macppc/bsd.rd
  !
- ! 008: SECURITY FIX: November 28, 2001 All architectures
  ! A security issue exists in the lpd daemon that may allow an attacker ! to create arbitrary new files in the root directory. Only machines ! with line printer access (ie: listed in either /etc/hosts.lpd or ! /etc/hosts.equiv) may be used to mount an attack and the attacker ! must have root access on the machine. OpenBSD does not start lpd ! in the default installation.
  ! A source code patch exists which remedies this problem.
  !
- ! 007: SECURITY FIX: November 13, 2001 All architectures
  ! A security issue exists in the vi.recover script that may allow an attacker ! to remove arbitrary zero-length files, regardless of ownership. !
  ! A source code patch exists which remedies this problem.
  !
- ! 006: SECURITY FIX: November 13, 2001 All architectures
  ! pf(4) ! was incapable of dealing with certain ipv6 icmp packets, resulting in a crash. !
  ! A source code patch exists which remedies this problem.
  !
- ! 005: RELIABILITY FIX: November 12, 2001 !
  ! Execution of Altivec instructions will crash the kernel. !
  ! A source code patch exists which remedies this problem.
  !
- ! 004: RELIABILITY FIX: November 12, 2001 !
  ! Hifn7751 based cards may stop working on certain motherboards due to ! DMA errors. !
  ! A source code patch exists which remedies this problem.
  !
- ! 003: RELIABILITY FIX: November 12, 2001 !
  ! Access to a CD drive on the PCI ultrasparc machines results in a continuous stream ! of bogus interrupt messages, causing great user anguish. !
  ! ! A source code patch exists which remedies this problem. !
  !
- ! 002: SECURITY FIX: November 12, 2001 All architectures
  ! sshd(8) ! is being upgraded from OpenSSH 3.0 to OpenSSH 3.0.2 to fix a few problems: !
  !
  - A security hole that may allow an attacker to partially authenticate ! if -- and only if -- the administrator has enabled KerberosV. !
    ! By default, OpenSSH KerberosV support only becomes active after KerberosV ! has been properly configured. !
    !
  - An excessive memory clearing bug (which we believe to be unexploitable) ! also exists, but since this may cause daemon crashes, we are providing a ! patch as well. !
    !
  - A vulnerability in environment passing in the UseLogin ! sshd option !
    !
  - Various other non-critical fixes. !
  !
  ! Effectively an upgrade of OpenSSH 3.0 to OpenSSH 3.0.2. ! A source code patch exists which remedies this problem. - This is the second version of this patch.
  !
- ! 001: INSTALL ISSUE: November 12, 2001 All architectures
  ! A small bug in the installation script causes the /etc/hosts file to ! be incorrectly formed.
  ! The resulting file contains a line which reads like:
  ! #.#.#.# hostname. hostname !
  ! This line should actually read something like:
  ! #.#.#.# hostname.domainname.com hostname !
  ! To correct this problem, simply edit the file and insert the domainname in ! the required place.
--- 317,492 ---- A source code patch exists which remedies this problem.
! !
! 020: SECURITY FIX: April 25, 2002 All architectures
! A bug in sudo(8) may allow an attacker to corrupt the heap by specifying a custom prompt.
! A source code patch exists which remedies this problem.
! !
! 021: SECURITY FIX: May 8, 2002 All architectures
! A race condition exists where an attacker could fill the file descriptor ! table and defeat the kernel's protection of fd slots 0, 1, and 2 for a ! setuid or setgid process.
! A source code patch exists which remedies this problem.
! !
! 022: SECURITY FIX: June 19, 2002 All architectures
! A buffer overflow can occur during the interpretation of chunked ! encoding in the http daemon, leading to possible remote crash or exploit.
! A source code patch exists which remedies this problem.
! !
! 023: SECURITY FIX: June 24, 2002 All architectures
! A buffer overflow can occur in the .htaccess parsing code in mod_ssl httpd ! module, leading to possible remote crash or exploit.
! A source code patch exists which remedies this problem.
! !
! 024: SECURITY FIX: June 24, 2002 All architectures
! All versions of OpenSSH's sshd between 2.3.1 and 3.3 contain an input validation ! error that can result in an integer overflow and privilege escalation. ! This problem is fixed in OpenSSH ! 3.4, and a patch for the vulnerable releases is available as part of the ! security advisory.
! !
! 025: SECURITY FIX: June 25, 2002 All architectures
! A potential buffer overflow in the DNS resolver has been found.
! A source code patch exists which remedies this problem.
! !
! 026: SECURITY FIX: June 27, 2002 All architectures
! The kernel would let any user ktrace(2) set[ug]id processes.
! A source code patch exists which remedies this problem.
! !
! 027: RELIABILITY FIX: July 5, 2002 All architectures
! Receiving IKE payloads out of sequence can cause ! isakmpd(8) to crash.
! A source code patch exists which remedies this problem. +
+ This is the second version of the patch.
! !
! 028: SECURITY FIX: July 29, 2002 All architectures
! A race condition exists in the ! pppd(8) ! daemon which may cause it to alter the file permissions of an arbitrary file.
! A source code patch exists which remedies this problem.
! !
! 029: SECURITY FIX: July 29, 2002 ! All architectures
! A buffer overflow can occur in the ! xdr_array(3) ! RPC code, leading to possible remote crash.
! ! A source code patch exists which remedies this problem.
! This is the second version of the patch.
! !
! 030: SECURITY FIX: July 30, 2002 All architectures
! Several remote buffer overflows can occur in the SSL2 server and SSL3 client of the ! ssl(8) ! library, as in the ASN.1 parser code in the ! crypto(3) ! library, all of them being potentially remotely exploitable.
! A source code patch exists which remedies this problem. +
+ This is the second version of the patch.
! !
! 031: SECURITY FIX: August 11, 2002 All architectures
! An insufficient boundary check in the ! select(2) ! system call allows an attacker to overwrite kernel memory and execute arbitrary ! code in kernel context.
! A source code patch exists which remedies this problem.
! !
! 032: SECURITY FIX: October 7, 2002 All architectures
! Incorrect argument checking in the ! setitimer(2) system call may allow an attacker to write to kernel memory.
! A source code patch exists which remedies this problem.
! !
! 033: SECURITY FIX: October 21, 2002 ! All architectures
! A buffer overflow can occur in the ! kadmind(8) ! daemon, leading to possible remote crash or exploit.
! A source code patch exists which remedies this problem.
! !
! 034: SECURITY FIX: November 6, 2002 ! All architectures
! An attacker can bypass the restrictions imposed by sendmail's restricted shell, ! smrsh(8), ! and execute arbitrary commands with the privileges of his own account.
! A source code patch exists which remedies this problem.
! !
! 035: SECURITY FIX: November 6, 2002 All architectures
! Incorrect argument checking in the ! getrlimit(2) ! system call may allow an attacker to crash the kernel.
! A source code patch exists which remedies this problem.
! !
! 036: SECURITY FIX: November 14, 2002 All architectures
! A buffer overflow in ! named(8) ! could allow an attacker to execute code with the privileges of named. ! On OpenBSD, named runs as a non-root user in a chrooted environment ! which mitigates the effects of this bug.
! ! A source code patch exists which remedies this problem.