File: [local] / www / errata33.html (download) (as text)
Revision 1.94, Sun Mar 10 18:46:50 2024 UTC (2 months ago) by tj
Branch: MAIN
CVS Tags: HEAD
Changes since 1.93: +2 -1 lines
add 7.5 errata page
|
<!doctype html>
<html lang=en id=errata>
<meta charset=utf-8>
<title>OpenBSD 3.3 Errata</title>
<meta name="description" content="the OpenBSD CD errata page">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="openbsd.css">
<link rel="canonical" href="https://www.openbsd.org/errata33.html">
<!--
IMPORTANT REMINDER
IF YOU ADD A NEW ERRATUM, MAIL THE PATCH TO TECH AND ANNOUNCE
-->
<h2 id=OpenBSD>
<a href="index.html">
<i>Open</i><b>BSD</b></a>
3.3 Errata
</h2>
<hr>
For errata on a certain release, click below:<br>
<a href="errata20.html">2.0</a>,
<a href="errata21.html">2.1</a>,
<a href="errata22.html">2.2</a>,
<a href="errata23.html">2.3</a>,
<a href="errata24.html">2.4</a>,
<a href="errata25.html">2.5</a>,
<a href="errata26.html">2.6</a>,
<a href="errata27.html">2.7</a>,
<a href="errata28.html">2.8</a>,
<a href="errata29.html">2.9</a>,
<a href="errata30.html">3.0</a>,
<a href="errata31.html">3.1</a>,
<a href="errata32.html">3.2</a>,
<a href="errata34.html">3.4</a>,
<a href="errata35.html">3.5</a>,
<a href="errata36.html">3.6</a>,
<br>
<a href="errata37.html">3.7</a>,
<a href="errata38.html">3.8</a>,
<a href="errata39.html">3.9</a>,
<a href="errata40.html">4.0</a>,
<a href="errata41.html">4.1</a>,
<a href="errata42.html">4.2</a>,
<a href="errata43.html">4.3</a>,
<a href="errata44.html">4.4</a>,
<a href="errata45.html">4.5</a>,
<a href="errata46.html">4.6</a>,
<a href="errata47.html">4.7</a>,
<a href="errata48.html">4.8</a>,
<a href="errata49.html">4.9</a>,
<a href="errata50.html">5.0</a>,
<a href="errata51.html">5.1</a>,
<a href="errata52.html">5.2</a>,
<br>
<a href="errata53.html">5.3</a>,
<a href="errata54.html">5.4</a>,
<a href="errata55.html">5.5</a>,
<a href="errata56.html">5.6</a>,
<a href="errata57.html">5.7</a>,
<a href="errata58.html">5.8</a>,
<a href="errata59.html">5.9</a>,
<a href="errata60.html">6.0</a>,
<a href="errata61.html">6.1</a>,
<a href="errata62.html">6.2</a>,
<a href="errata63.html">6.3</a>,
<a href="errata64.html">6.4</a>,
<a href="errata65.html">6.5</a>,
<a href="errata66.html">6.6</a>,
<a href="errata67.html">6.7</a>,
<a href="errata68.html">6.8</a>,
<br>
<a href="errata69.html">6.9</a>,
<a href="errata70.html">7.0</a>,
<a href="errata71.html">7.1</a>,
<a href="errata72.html">7.2</a>,
<a href="errata73.html">7.3</a>,
<a href="errata74.html">7.4</a>,
<a href="errata75.html">7.5</a>.
<hr>
<p>
Patches for the OpenBSD base system are distributed as unified diffs.
Each patch contains usage instructions.
All the following patches are also available in one
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.3.tar.gz">tar.gz file</a>
for convenience.
<p>
Patches for supported releases are also incorporated into the
<a href="stable.html">-stable branch</a>.
<hr>
<ul>
<li id="realpath">
<strong>001: SECURITY FIX: August 4, 2003</strong>
<i>All architectures</i><br>
An off-by-one error exists in the C library function
<a href="https://man.openbsd.org/OpenBSD-3.3/realpath.3">realpath(3)</a>.
Since this same bug resulted in a root compromise in the wu-ftpd ftp server
it is possible that this bug may allow an attacker to gain escalated privileges
on OpenBSD.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/001_realpath.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="semget">
<strong>002: RELIABILITY FIX: August 20, 2003</strong>
<i>All architectures</i><br>
An improper bounds check in the
<a href="https://man.openbsd.org/OpenBSD-3.3/semget.2">semget(2)</a>
system call can allow a local user to cause a kernel panic.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/002_semget.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="sysvsem">
<strong>003: SECURITY FIX: September 10, 2003</strong>
<i>All architectures</i><br>
Root may be able to reduce the security level by taking advantage of
an integer overflow when the semaphore limits are made very large.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/003_sysvsem.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="sshbuffer">
<strong>004: SECURITY FIX: September 16, 2003</strong>
<i>All architectures</i><br>
All versions of OpenSSH's sshd prior to 3.7 contain a buffer management error.
It is unclear whether or not this bug is exploitable.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/004_sshbuffer.patch">
A source code patch exists which remedies this problem.</a>
NOTE: this is the <em>second</em> revision of the patch that fixes an additional
problem.
<p>
<li id="sendmail">
<strong>005: SECURITY FIX: September 17, 2003</strong>
<i>All architectures</i><br>
A buffer overflow in the address parsing in
<a href="https://man.openbsd.org/OpenBSD-3.3/sendmail.8">sendmail(8)</a>
may allow an attacker to gain root privileges.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/005_sendmail.patch">
A source code patch exists which remedies this problem.</a>
NOTE: this is the <em>second</em> revision of the patch that fixes an additional
problem.
<p>
<li id="pfnorm">
<strong>006: SECURITY FIX: September 24, 2003</strong>
<i>All architectures</i><br>
Three cases of potential access to freed memory have been found in
<a href="https://man.openbsd.org/OpenBSD-3.3/pf.4">pf(4)</a>.
At least one of them could be used to panic pf with active scrub rules remotely.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/006_pfnorm.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="asn1">
<strong>007: SECURITY FIX: October 1, 2003</strong>
<i>All architectures</i><br>
The use of certain ASN.1 encodings or malformed public keys may allow an
attacker to mount a denial of service attack against applications linked with
<a href="https://man.openbsd.org/OpenBSD-3.3/ssl.3">ssl(3)</a>.
This does not affect OpenSSH.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/007_asn1.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="arp">
<strong>008: RELIABILITY FIX: October 1, 2003</strong>
<i>All architectures</i><br>
It is possible for a local user to cause a system panic by flooding it with spoofed ARP
requests.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/008_arp.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="httpd">
<strong>009: RELIABILITY FIX: October 29, 2003</strong>
<i>All architectures</i><br>
A user with write permission to <code>httpd.conf</code> or a <code>.htaccess</code>
file can crash
<a href="https://man.openbsd.org/OpenBSD-3.3/httpd.8">httpd(8)</a>
or potentially run arbitrary code as the user <code>www</code> (although it
is believed that ProPolice will prevent code execution).
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/009_httpd.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="exec">
<strong>010: RELIABILITY FIX: November 4, 2003</strong>
<i>All architectures</i><br>
It is possible for a local user to cause a system panic by executing a specially crafted binary with an invalid header.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/010_exec.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="ibcs2">
<strong>011: SECURITY FIX: November 17, 2003</strong>
<i>i386 only</i><br>
It is possible for a local user to execute arbitrary code resulting in escalation of
privileges due to a stack overrun in
<a href="https://man.openbsd.org/OpenBSD-3.3/compat_ibcs2.8">compat_ibcs2(8)</a>.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.3/i386/011_ibcs2.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="uvm">
<strong>012: RELIABILITY FIX: November 20, 2003</strong>
<i>All architectures</i><br>
It is possible for a local user to cause a crash via
<a href="https://man.openbsd.org/OpenBSD-3.3/sysctl.3">sysctl(3)</a> with certain arguments.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/012_uvm.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="sem">
<strong>013: RELIABILITY FIX: November 20, 2003</strong>
<i>All architectures</i><br>
An improper bounds check makes it possible for a local user to cause a crash
by passing the
<a href="https://man.openbsd.org/OpenBSD-3.3/semctl.2">semctl(2)</a> and
<a href="https://man.openbsd.org/OpenBSD-3.3/semop.2">semop(2)</a> functions
certain arguments.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/013_sem.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="isakmpd">
<strong>014: SECURITY FIX: January 15, 2004</strong>
<i>All architectures</i><br>
Several message handling flaws in
<a href="https://man.openbsd.org/OpenBSD-3.3/isakmpd.8">isakmpd(8)</a>
have been reported by Thomas Walpuski. These allow an attacker to delete arbitrary SAs.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/014_isakmpd.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="sysvshm">
<strong>015: SECURITY FIX: February 5, 2004</strong>
<i>All architectures</i><br>
A reference counting bug exists in the
<a href="https://man.openbsd.org/OpenBSD-3.3/shmat.2">shmat(2)</a>
system call that could be used by an attacker to write to kernel memory
under certain circumstances.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/015_sysvshm.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="ip6">
<strong>016: SECURITY FIX: February 8, 2004</strong>
<i>All architectures</i><br>
An IPv6 MTU handling problem exists that could be used by an attacker
to cause a denial of service attack against hosts with reachable IPv6
TCP ports.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/016_ip6.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="font">
<strong>017: RELIABILITY FIX: February 14, 2004</strong>
<i>All architectures</i><br>
Several buffer overflows exist in the code parsing
font.aliases files in XFree86. Thanks to ProPolice, these cannot be
exploited to gain privileges, but they can cause the X server to abort.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/017_font.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="tcp">
<strong>018: RELIABILITY FIX: March 8, 2004</strong>
<i>All architectures</i><br>
OpenBSD's TCP/IP stack did not impose limits on how many out-of-order
TCP segments are queued in the system. An attacker could
send out-of-order TCP segments and trick the system into using all
available memory buffers.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/018_tcp.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="httpd2">
<strong>019: SECURITY FIX: March 13, 2004</strong>
<i>All architectures</i><br>
Due to a bug in the parsing of Allow/Deny rules for
<a href="https://man.openbsd.org/OpenBSD-3.3/httpd.8">httpd(8)'s</a>
access module, using IP addresses without a netmask on big endian 64-bit
platforms causes the rules to fail to match. This only affects sparc64.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/019_httpd2.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="isakmpd2">
<strong>020: RELIABILITY FIX: March 17, 2004</strong>
<i>All architectures</i><br>
Defects in the payload validation and processing functions of
<a href="https://man.openbsd.org/OpenBSD-3.3/isakmpd.8">isakmpd(8)</a>
have been discovered. An attacker could send malformed ISAKMP messages and
cause isakmpd to crash or to loop endlessly. This patch fixes these problems
and removes some memory leaks.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/020_isakmpd2.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="openssl">
<strong>021: RELIABILITY FIX: March 17, 2004</strong>
<i>All architectures</i><br>
A missing check for a NULL-pointer dereference has been found in
<a href="https://man.openbsd.org/OpenBSD-3.3/ssl.3">ssl(3)</a>.
A remote attacker can use the bug to cause an OpenSSL application to crash;
this may lead to a denial of service.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/021_openssl.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="cvs">
<strong>022: SECURITY FIX: May 5, 2004</strong>
<i>All architectures</i><br>
Pathname validation problems have been found in
<a href="https://man.openbsd.org/OpenBSD-3.3/cvs.1">cvs(1)</a>,
allowing malicious clients to create files outside the repository, allowing
malicious servers to overwrite files outside the local CVS tree on
the client and allowing clients to check out files outside the CVS
repository.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/022_cvs.patch">
A source code patch exists which remedies this problem.</a>
<p>
</ul>
<hr>
![[BACK]](/icons/back.gif){kind=icon}
Return to errata33.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www