File: [local] / www / errata38.html (download) (as text)
Revision 1.85, Sun Mar 10 18:46:50 2024 UTC (2 months ago) by tj
Branch: MAIN
CVS Tags: HEAD
Changes since 1.84: +2 -1 lines
add 7.5 errata page
|
<!doctype html>
<html lang=en id=errata>
<meta charset=utf-8>
<title>OpenBSD 3.8 Errata</title>
<meta name="description" content="the OpenBSD CD errata page">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="openbsd.css">
<link rel="canonical" href="https://www.openbsd.org/errata38.html">
<!--
IMPORTANT REMINDER
IF YOU ADD A NEW ERRATUM, MAIL THE PATCH TO TECH AND ANNOUNCE
-->
<h2 id=OpenBSD>
<a href="index.html">
<i>Open</i><b>BSD</b></a>
3.8 Errata
</h2>
<hr>
For errata on a certain release, click below:<br>
<a href="errata20.html">2.0</a>,
<a href="errata21.html">2.1</a>,
<a href="errata22.html">2.2</a>,
<a href="errata23.html">2.3</a>,
<a href="errata24.html">2.4</a>,
<a href="errata25.html">2.5</a>,
<a href="errata26.html">2.6</a>,
<a href="errata27.html">2.7</a>,
<a href="errata28.html">2.8</a>,
<a href="errata29.html">2.9</a>,
<a href="errata30.html">3.0</a>,
<a href="errata31.html">3.1</a>,
<a href="errata32.html">3.2</a>,
<a href="errata33.html">3.3</a>,
<a href="errata34.html">3.4</a>,
<a href="errata35.html">3.5</a>,
<br>
<a href="errata36.html">3.6</a>,
<a href="errata37.html">3.7</a>,
<a href="errata39.html">3.9</a>,
<a href="errata40.html">4.0</a>,
<a href="errata41.html">4.1</a>,
<a href="errata42.html">4.2</a>,
<a href="errata43.html">4.3</a>,
<a href="errata44.html">4.4</a>,
<a href="errata45.html">4.5</a>,
<a href="errata46.html">4.6</a>,
<a href="errata47.html">4.7</a>,
<a href="errata48.html">4.8</a>,
<a href="errata49.html">4.9</a>,
<a href="errata50.html">5.0</a>,
<a href="errata51.html">5.1</a>,
<a href="errata52.html">5.2</a>,
<br>
<a href="errata53.html">5.3</a>,
<a href="errata54.html">5.4</a>,
<a href="errata55.html">5.5</a>,
<a href="errata56.html">5.6</a>,
<a href="errata57.html">5.7</a>,
<a href="errata58.html">5.8</a>,
<a href="errata59.html">5.9</a>,
<a href="errata60.html">6.0</a>,
<a href="errata61.html">6.1</a>,
<a href="errata62.html">6.2</a>,
<a href="errata63.html">6.3</a>,
<a href="errata64.html">6.4</a>,
<a href="errata65.html">6.5</a>,
<a href="errata66.html">6.6</a>,
<a href="errata67.html">6.7</a>,
<a href="errata68.html">6.8</a>,
<br>
<a href="errata69.html">6.9</a>,
<a href="errata70.html">7.0</a>,
<a href="errata71.html">7.1</a>,
<a href="errata72.html">7.2</a>,
<a href="errata73.html">7.3</a>,
<a href="errata74.html">7.4</a>,
<a href="errata75.html">7.5</a>.
<hr>
<p>
Patches for the OpenBSD base system are distributed as unified diffs.
Each patch contains usage instructions.
All the following patches are also available in one
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.8.tar.gz">tar.gz file</a>
for convenience.
<p>
Patches for supported releases are also incorporated into the
<a href="stable.html">-stable branch</a>.
<hr>
<ul>
<li id="perl">
<strong>001: SECURITY FIX: January 5, 2006</strong>
<i>All architectures</i><br>
A buffer overflow has been found in the Perl interpreter with the sprintf function which
may be exploitable under certain conditions.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.8/common/001_perl.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="fd">
<strong>002: SECURITY FIX: January 5, 2006</strong>
<i>All architectures</i><br>
Do not allow users to trick suid programs into re-opening files via /dev/fd.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.8/common/002_fd.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="i386pmap">
<strong>003: RELIABILITY FIX: January 13, 2006</strong>
<i>i386 architecture</i><br>
Change the implementation of i386 W^X so that the "execute line" can move around.
Before it was limited to being either at 512MB (below which all code normally
lands) or at the top of the stack. Now the line can float as
<a href="https://man.openbsd.org/OpenBSD-3.8/mprotect.2">mprotect(2)</a>
and
<a href="https://man.openbsd.org/OpenBSD-3.8/mmap.2">mmap(2)</a>
requests need it to. This is now implemented using only GDT selectors
instead of the LDT so that it is more robust as well.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.8/i386/003_i386pmap.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="i386machdep">
<strong>004: RELIABILITY FIX: January 13, 2006</strong>
<i>i386 architecture</i><br>
Constrain
<a href="https://man.openbsd.org/OpenBSD-3.8/i386/i386_set_ioperm.2">i386_set_ioperm(2)</a>
so even root is blocked from accessing the ioports
unless the machine is running at lower securelevels or with an open X11 aperture.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.8/i386/004_i386machdep.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="ssh">
<strong>005: SECURITY FIX: February 12, 2006</strong>
<i>All architectures</i><br>
Josh Bressers has reported a weakness in OpenSSH caused due to the insecure use of the
<a href="https://man.openbsd.org/OpenBSD-3.8/system.3">system(3)</a>
function in
<a href="https://man.openbsd.org/OpenBSD-3.8/scp.1">scp(1)</a>
when performing copy operations using filenames that are supplied by the user from the command line.
This can be exploited to execute shell commands with privileges of the user running
<a href="https://man.openbsd.org/OpenBSD-3.8/scp.1">scp(1)</a>.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.8/common/005_ssh.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="sendmail">
<strong>006: SECURITY FIX: March 25, 2006</strong>
<i>All architectures</i><br>
A race condition has been reported to exist in the handling by sendmail of
asynchronous signals. A remote attacker may be able to execute arbitrary code with the
privileges of the user running sendmail, typically root.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.8/common/006_sendmail.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="xorg">
<strong>007: SECURITY FIX: May 2, 2006</strong>
<i>All architectures</i><br>
A security vulnerability has been found in the X.Org server --
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1526">CVE-2006-1526</a>.
Clients authorized to connect to the X server are able to crash it and to execute
malicious code within the X server.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.8/common/007_xorg.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="sendmail2">
<strong>008: SECURITY FIX: June 15, 2006</strong>
<i>All architectures</i><br>
A potential denial of service problem has been found in sendmail. A malformed MIME
message could trigger excessive recursion which will lead to stack exhaustion.
This denial of service attack only affects delivery of mail from the queue and
delivery of a malformed message. Other incoming mail is still accepted and
delivered. However, mail messages in the queue may not be reattempted if a
malformed MIME message exists.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.8/common/008_sendmail2.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="httpd">
<strong>009: SECURITY FIX: July 30, 2006</strong>
<i>All architectures</i><br>
<a href="https://man.openbsd.org/OpenBSD-3.8/httpd.8">httpd(8)</a>'s
mod_rewrite has a potentially exploitable off-by-one buffer overflow.
The buffer overflow may result in a vulnerability which, in combination
with certain types of Rewrite rules in the web server configuration files,
could be triggered remotely. The default install is not affected by the
buffer overflow. CVE-2006-3747
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.8/common/009_httpd.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="sendmail3">
<strong>010: SECURITY FIX: August 25, 2006</strong>
<i>All architectures</i><br>
A potential denial of service problem has been found in sendmail. A message
with really long header lines could trigger a use-after-free bug causing
sendmail to crash.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.8/common/010_sendmail3.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="dhcpd">
<strong>011: SECURITY FIX: August 25, 2006</strong>
<i>All architectures</i><br>
Due to an off-by-one error in
<a href="https://man.openbsd.org/OpenBSD-3.8/dhcpd.8">dhcpd(8)</a>,
it is possible to cause
<a href="https://man.openbsd.org/OpenBSD-3.8/dhcpd.8">dhcpd(8)</a>
to exit by sending a DHCPDISCOVER packet with a 32-byte client identifier option.
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3122">CVE-2006-3122</a>
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.8/common/011_dhcpd.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="sem">
<strong>012: SECURITY FIX: August 25, 2006</strong>
<i>All architectures</i><br>
It is possible to cause the kernel to panic when more than the default number of
semaphores have been allocated.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.8/common/012_sem.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="isakmpd">
<strong>013: SECURITY FIX: August 25, 2006</strong>
<i>All architectures</i><br>
A problem in
<a href="https://man.openbsd.org/OpenBSD-3.8/isakmpd.8">isakmpd(8)</a>
caused IPsec to run partly without replay protection. If
<a href="https://man.openbsd.org/OpenBSD-3.8/isakmpd.8">isakmpd(8)</a>
was acting as responder during SA negotiation, SA's with a replay window of size 0 were created.
An attacker could reinject sniffed IPsec packets, which will be accepted without checking the
replay counter.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.8/common/013_isakmpd.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="sppp">
<strong>014: SECURITY FIX: September 2, 2006</strong>
<i>All architectures</i><br>
Due to the failure to correctly validate LCP configuration option lengths,
it is possible for an attacker to send LCP packets via an
<a href="https://man.openbsd.org/OpenBSD-3.8/sppp.4">sppp(4)</a>
connection causing the kernel to panic.
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4304">CVE-2006-4304</a>
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.8/common/014_sppp.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="bind">
<strong>015: SECURITY FIX: September 8, 2006</strong>
<i>All architectures</i><br>
Two Denial of Service issues have been found with BIND.
An attacker who can perform recursive lookups on a DNS server and is able
to send a sufficiently large number of recursive queries, or is able to
get the DNS server to return more than one SIG(covered) RRsets can stop
the functionality of the DNS service.
An attacker querying an authoritative DNS server serving a RFC 2535
DNSSEC zone may be able to crash the DNS server.
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4095">CVE-2006-4095</a>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4096">CVE-2006-4096</a>
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.8/common/015_bind.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="openssl">
<strong>016: SECURITY FIX: September 8, 2006</strong>
<i>All architectures</i><br>
Due to incorrect PKCS#1 v1.5 padding validation in OpenSSL, it is possible for
an attacker to construct an invalid signature which OpenSSL would accept as a
valid PKCS#1 v1.5 signature.
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339">CVE-2006-4339</a>
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.8/common/016_openssl.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="httpd2">
<strong>017: SECURITY FIX: October 7, 2006</strong>
<i>All architectures</i><br>
<a href="https://man.openbsd.org/OpenBSD-3.8/httpd.8">httpd(8)</a>
does not sanitize the Expect header from an HTTP request when it is
reflected back in an error message, which might allow cross-site scripting (XSS)
style attacks.
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3918">CVE-2006-3918</a>
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.8/common/017_httpd2.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="openssl2">
<strong>018: SECURITY FIX: October 7, 2006</strong>
<i>All architectures</i><br>
Several problems have been found in OpenSSL. While parsing certain invalid ASN.1
structures an error condition is mishandled, possibly resulting in an infinite
loop. A buffer overflow exists in the SSL_get_shared_ciphers function. A NULL
pointer may be dereferenced in the SSL version 2 client code. In addition, many
applications using OpenSSL do not perform any validation of the lengths of
public keys being used.
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937">CVE-2006-2937</a>,
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738">CVE-2006-3738</a>,
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343">CVE-2006-4343</a>,
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940">CVE-2006-2940</a>
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.8/common/018_openssl2.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="systrace">
<strong>019: SECURITY FIX: October 7, 2006</strong>
<i>All architectures</i><br>
Fix for an integer overflow in
<a href="https://man.openbsd.org/OpenBSD-3.8/systrace.4">systrace(4)</a>'s
STRIOCREPLACE support, found by
Chris Evans. This could be exploited for DoS, limited kmem reads or local
privilege escalation.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.8/common/019_systrace.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="ssh2">
<strong>020: SECURITY FIX: October 12, 2006</strong>
<i>All architectures</i><br>
Fix 2 security bugs found in OpenSSH. A pre-authentication denial of service (found
by Tavis Ormandy) that would cause
<a href="https://man.openbsd.org/OpenBSD-3.8/sshd.8">sshd(8)</a>
to spin until the login grace time expired.
An unsafe signal handler (found by Mark Dowd) that is vulnerable to a race condition
that could be exploited to perform a pre-authentication denial of service.
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4924">CVE-2006-4924</a>,
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5051">CVE-2006-5051</a>
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.8/common/020_ssh2.patch">
A source code patch exists which remedies this problem.</a>
<p>
</ul>
<hr>
![[BACK]](/icons/back.gif){kind=icon}
Return to errata38.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www