!
! -
! 001: INSTALL ISSUE: November 12, 2001
All architectures
! A small bug in the installation script causes the /etc/hosts
file to
! be incorrectly formed.
! The resulting file contains a line which reads like:
! #.#.#.# hostname. hostname
! This line should actually read something like:
! #.#.#.# hostname.domainname.com hostname
!
! To correct this problem, simply edit the file and insert the domainname in
! the required place.
!
!
!
-
! 002: SECURITY FIX: November 12, 2001
All architectures
! sshd(8)
! is being upgraded from OpenSSH 3.0 to OpenSSH 3.0.2 to fix a few problems:
!
!
! - A security hole that may allow an attacker to partially authenticate
! if -- and only if -- the administrator has enabled KerberosV.
!
! By default, OpenSSH KerberosV support only becomes active after KerberosV
! has been properly configured.
!
!
- An excessive memory clearing bug (which we believe to be unexploitable)
! also exists, but since this may cause daemon crashes, we are providing a
! patch as well.
!
!
- A vulnerability in environment passing in the
UseLogin
! sshd option
!
!
- Various other non-critical fixes.
!
!
! Effectively an upgrade of OpenSSH 3.0 to OpenSSH 3.0.2.
!
A source code patch exists which remedies this problem.
+ This is the second version of this patch.
!
!
-
! 003: RELIABILITY FIX: November 12, 2001
!
! Access to a CD drive on the PCI ultrasparc machines results in a continuous stream
! of bogus interrupt messages, causing great user anguish.
!
!
A source code patch exists which remedies this problem.
!
!
-
! 004: RELIABILITY FIX: November 12, 2001
!
! Hifn7751 based cards may stop working on certain motherboards due to
! DMA errors.
!
!
A source code patch exists which remedies this problem.
!
!
-
! 005: RELIABILITY FIX: November 12, 2001
!
! Execution of Altivec instructions will crash the kernel.
!
!
A source code patch exists which remedies this problem.
!
!
-
! 006: SECURITY FIX: November 13, 2001
All architectures
! pf(4)
! was incapable of dealing with certain ipv6 icmp packets, resulting in a crash.
!
!
A source code patch exists which remedies this problem.
!
!
-
! 007: SECURITY FIX: November 13, 2001
All architectures
! A security issue exists in the vi.recover script that may allow an attacker
! to remove arbitrary zero-length files, regardless of ownership.
!
! A source code patch exists which remedies this problem.
!
!
-
! 008: SECURITY FIX: November 28, 2001
All architectures
! A security issue exists in the lpd daemon that may allow an attacker
! to create arbitrary new files in the root directory. Only machines
! with line printer access (ie: listed in either /etc/hosts.lpd or
! /etc/hosts.equiv) may be used to mount an attack and the attacker
! must have root access on the machine. OpenBSD does not start lpd
! in the default installation.
!
A source code patch exists which remedies this problem.
+
+
+
-
+ 009: INSTALLATION FIX: December 11, 2001
! The 3.0 CD2 was created with an error which means that the instructions
! for booting this architecture will not work. Instead, to boot the
! CD, press Option-Command-O-F during power up to get into OpenFirmware
! and then type:
!
! boot cd:,OFWBOOT /3.0/macppc/bsd.rd
!
!
-
! 010: RELIABILITY FIX: December 13, 2001
All architectures
! Systems running with IP-in-IP encapsulation can be made to crash by
! malformed packets.
!
A source code patch exists which remedies this problem.
!
!
-
! 011: SECURITY FIX: January 17, 2002
All architectures
! If the Postfix sendmail replacement is installed on a system an
! attacker may be able to gain root privileges on the local host via
! sudo(8) which runs the mailer as root with an environment inherited
! from the invoking user. While this is a bug in sudo it is not
! believed to be possible to exploit when sendmail (the mailer that
! ships with OpenBSD) is the mailer. As of version 1.6.5, sudo passes
! the mailer an environment that is not subject to influence from the
! invoking user.
!
A source code patch exists which remedies this problem.
!
!
-
! 012: SECURITY FIX: January 21, 2002
All architectures
! A race condition between the ptrace(2) and execve(2) system calls allows
! an attacker to modify the memory contents of suid/sgid processes which
! could lead to compromise of the super-user account.
!
A source code patch exists which remedies this problem.
!
!
-
! 013: RELIABILITY FIX: February 4, 2002
All architectures
! The wrong filedescriptors are released when pipe(2) failed.
!
A source code patch exists which remedies this problem.
!
!
-
! 014: SECURITY FIX: March 8, 2002
All architectures
! A local user can gain super-user privileges due to an off-by-one check
! in the channel forwarding code of OpenSSH.
!
! A source code patch exists which remedies this problem.
!
!
-
! 015: RELIABILITY FIX: March 13, 2002
All architectures
! Under some circumstances the zlib compression library can free dynamically
! allocated memory twice. This is not a security issue on OpenBSD since the BSD
! free(3)
! function detects this.
! There is also a kernel zlib component that may be used by pppd and IPsec.
! The feasibility of attacking the kernel this way is currently unknown.
!
A source code patch exists which remedies this problem.
!
!
-
! 016: SECURITY FIX: March 19, 2002
All architectures
! Under certain conditions, on systems using YP with netgroups in the password
! database, it is possible for the
! rexecd(8)
! and
! rshd(8)
! daemons to execute the shell from a different user's password entry.
! Due to a similar problem,
! atrun(8)
! may change to the wrong home directory when running
! at(1)
! jobs.
!
A source code patch exists which remedies this problem.
!
!
-
! 017: RELIABILITY FIX: March 26, 2002
All architectures
! isakmpd(8)
! will crash when receiving a zero length IKE packet due to a too-late length check.
!
!
A source code patch exists which remedies this problem.
!
!
-
! 018: SECURITY FIX: April 11, 2002
All architectures
! mail(1)
! will process tilde escapes even in non-interactive mode.
! This can lead to a local root compromise.
!
!
A source code patch exists which remedies this problem.
+
-
019: SECURITY FIX: April 22, 2002
All architectures
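Review bot: The third bullet of entry 002, "A vulnerability in environment passing in the UseLogin sshd option", is the only item in that list with no statement of impact or precondition, and it ends without a period. The KerberosV bullet above it says exactly when a host is exposed, so this one should likewise say whether only hosts with UseLogin enabled are affected. Entry 013 reads "The wrong filedescriptors are released when pipe(2) failed", which mixes tenses; suggest "The wrong file descriptors are released when pipe(2) fails". The headings are also inconsistent within this block: 001 is "INSTALL ISSUE" while 009 is "INSTALLATION FIX". Entries 003, 004, 005 and 009 carry no architecture line where every other entry says "All architectures", which leaves 009's "this architecture" without a referent in the lines shown.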
***************
*** 250,456 ****
A source code patch exists which remedies this problem.
!
-
! 018: SECURITY FIX: April 11, 2002
All architectures
! mail(1)
! will process tilde escapes even in non-interactive mode.
! This can lead to a local root compromise.
!
!
A source code patch exists which remedies this problem.
!
-
! 017: RELIABILITY FIX: March 26, 2002
All architectures
! isakmpd(8)
! will crash when receiving a zero length IKE packet due to a too-late length check.
!
!
A source code patch exists which remedies this problem.
!
-
! 016: SECURITY FIX: March 19, 2002
All architectures
! Under certain conditions, on systems using YP with netgroups in the password
! database, it is possible for the
! rexecd(8)
! and
! rshd(8)
! daemons to execute the shell from a different user's password entry.
! Due to a similar problem,
! atrun(8)
! may change to the wrong home directory when running
! at(1)
! jobs.
!
A source code patch exists which remedies this problem.
!
-
! 015: RELIABILITY FIX: March 13, 2002
All architectures
! Under some circumstances the zlib compression library can free dynamically
! allocated memory twice. This is not a security issue on OpenBSD since the BSD
! free(3)
! function detects this.
! There is also a kernel zlib component that may be used by pppd and IPsec.
! The feasibility of attacking the kernel this way is currently unknown.
!
A source code patch exists which remedies this problem.
!
-
! 014: SECURITY FIX: March 8, 2002
All architectures
! A local user can gain super-user privileges due to an off-by-one check
! in the channel forwarding code of OpenSSH.
!
! A source code patch exists which remedies this problem.
!
-
! 013: RELIABILITY FIX: February 4, 2002
All architectures
! The wrong filedescriptors are released when pipe(2) failed.
!
A source code patch exists which remedies this problem.
!
-
! 012: SECURITY FIX: January 21, 2002
All architectures
! A race condition between the ptrace(2) and execve(2) system calls allows
! an attacker to modify the memory contents of suid/sgid processes which
! could lead to compromise of the super-user account.
!
A source code patch exists which remedies this problem.
!
-
! 011: SECURITY FIX: January 17, 2002
All architectures
! If the Postfix sendmail replacement is installed on a system an
! attacker may be able to gain root privileges on the local host via
! sudo(8) which runs the mailer as root with an environment inherited
! from the invoking user. While this is a bug in sudo it is not
! believed to be possible to exploit when sendmail (the mailer that
! ships with OpenBSD) is the mailer. As of version 1.6.5, sudo passes
! the mailer an environment that is not subject to influence from the
! invoking user.
!
A source code patch exists which remedies this problem.
!
-
! 010: RELIABILITY FIX: December 13, 2001
All architectures
! Systems running with IP-in-IP encapsulation can be made to crash by
! malformed packets.
!
A source code patch exists which remedies this problem.
!
-
! 009: INSTALLATION FIX: December 11, 2001
! The 3.0 CD2 was created with an error which means that the instructions
! for booting this architecture will not work. Instead, to boot the
! CD, press Option-Command-O-F during power up to get into OpenFirmware
! and then type:
!
! boot cd:,OFWBOOT /3.0/macppc/bsd.rd
!
-
! 008: SECURITY FIX: November 28, 2001
All architectures
! A security issue exists in the lpd daemon that may allow an attacker
! to create arbitrary new files in the root directory. Only machines
! with line printer access (ie: listed in either /etc/hosts.lpd or
! /etc/hosts.equiv) may be used to mount an attack and the attacker
! must have root access on the machine. OpenBSD does not start lpd
! in the default installation.
!
A source code patch exists which remedies this problem.
!
-
! 007: SECURITY FIX: November 13, 2001
All architectures
! A security issue exists in the vi.recover script that may allow an attacker
! to remove arbitrary zero-length files, regardless of ownership.
!
!
A source code patch exists which remedies this problem.
!
-
! 006: SECURITY FIX: November 13, 2001
All architectures
! pf(4)
! was incapable of dealing with certain ipv6 icmp packets, resulting in a crash.
!
!
A source code patch exists which remedies this problem.
!
-
! 005: RELIABILITY FIX: November 12, 2001
!
! Execution of Altivec instructions will crash the kernel.
!
!
A source code patch exists which remedies this problem.
!
-
! 004: RELIABILITY FIX: November 12, 2001
!
! Hifn7751 based cards may stop working on certain motherboards due to
! DMA errors.
!
!
A source code patch exists which remedies this problem.
!
-
! 003: RELIABILITY FIX: November 12, 2001
!
! Access to a CD drive on the PCI ultrasparc machines results in a continuous stream
! of bogus interrupt messages, causing great user anguish.
!
!
! A source code patch exists which remedies this problem.
!
!
-
! 002: SECURITY FIX: November 12, 2001
All architectures
! sshd(8)
! is being upgraded from OpenSSH 3.0 to OpenSSH 3.0.2 to fix a few problems:
!
!
! - A security hole that may allow an attacker to partially authenticate
! if -- and only if -- the administrator has enabled KerberosV.
!
! By default, OpenSSH KerberosV support only becomes active after KerberosV
! has been properly configured.
!
!
- An excessive memory clearing bug (which we believe to be unexploitable)
! also exists, but since this may cause daemon crashes, we are providing a
! patch as well.
!
!
- A vulnerability in environment passing in the
UseLogin
! sshd option
!
!
- Various other non-critical fixes.
!
!
! Effectively an upgrade of OpenSSH 3.0 to OpenSSH 3.0.2.
!
A source code patch exists which remedies this problem.
- This is the second version of this patch.
!
-
! 001: INSTALL ISSUE: November 12, 2001
All architectures
! A small bug in the installation script causes the /etc/hosts
file to
! be incorrectly formed.
! The resulting file contains a line which reads like:
! #.#.#.# hostname. hostname
!
! This line should actually read something like:
! #.#.#.# hostname.domainname.com hostname
!
! To correct this problem, simply edit the file and insert the domainname in
! the required place.
--- 317,492 ----