version 1.46, 2019/04/02 12:46:57 |
version 1.47, 2019/05/27 22:55:20 |
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> |
<!doctype html> |
<html> |
<html lang=en id=errata> |
<head> |
<meta charset=utf-8> |
|
|
<title>OpenBSD 6.0 Errata</title> |
<title>OpenBSD 6.0 Errata</title> |
<meta name="description" content="the OpenBSD CD errata page"> |
<meta name="description" content="the OpenBSD CD errata page"> |
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> |
|
<meta name="viewport" content="width=device-width, initial-scale=1"> |
<meta name="viewport" content="width=device-width, initial-scale=1"> |
<link rel="stylesheet" type="text/css" href="openbsd.css"> |
<link rel="stylesheet" type="text/css" href="openbsd.css"> |
<link rel="canonical" href="https://www.openbsd.org/errata60.html"> |
<link rel="canonical" href="https://www.openbsd.org/errata60.html"> |
</head> |
|
|
|
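Review bot: in the head, the new `<meta charset=utf-8>` replaces the old `content="text/html; charset=ISO-8859-1"` declaration, so this changes the declared encoding and not only the markup style. Confirm the file is pure ASCII or has been re-encoded as UTF-8. Also confirm the web server does not still send ISO-8859-1 in its Content-Type header, since an HTTP-level charset takes precedence over the meta element.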
<!-- |
<!-- |
IMPORTANT REMINDER |
IMPORTANT REMINDER |
IF YOU ADD A NEW ERRATUM, MAIL THE PATCH TO TECH AND ANNOUNCE |
IF YOU ADD A NEW ERRATUM, MAIL THE PATCH TO TECH AND ANNOUNCE |
--> |
--> |
<body bgcolor="#ffffff" text="#000000" link="#23238E"> |
|
|
|
<h2> |
<h2 id=OpenBSD> |
<a href="index.html"> |
<a href="index.html"> |
<font color="#0000ff"><i>Open</i></font><font color="#000084">BSD</font></a> |
<i>Open</i><b>BSD</b></a> |
<font color="#e00000">6.0 Errata</font> |
6.0 Errata |
</h2> |
</h2> |
<hr> |
<hr> |
|
|
|
|
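Review bot: the colours that the old side set inline on `<body bgcolor="#ffffff" text="#000000" link="#23238E">` and in the `<font>` tags of the heading now have to come from openbsd.css through the new `id=errata` and `id=OpenBSD` hooks, and no stylesheet change is visible in this diff. Make sure the matching openbsd.css rules are committed together with this revision, otherwise the heading and the entry titles below (which lose their `<font color="#009000">` wrapper in the same way) fall back to browser defaults.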
<ul> |
<ul> |
|
|
<li id="p001_uvmisavail"> |
<li id="p001_uvmisavail"> |
<font color="#009000"> |
<strong>001: RELIABILITY FIX: August 2, 2016</strong> |
<strong>001: RELIABILITY FIX: August 2, 2016</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
Missing overflow checks in uvm may result in panics. |
Missing overflow checks in uvm may result in panics. |
|
|
<p> |
<p> |
|
|
<li id="p002_perl"> |
<li id="p002_perl"> |
<font color="#009000"> |
<strong>002: RELIABILITY FIX: August 6, 2016</strong> |
<strong>002: RELIABILITY FIX: August 6, 2016</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
Fixes IO::Socket::IP complaining about non-numeric version numbers. |
Fixes IO::Socket::IP complaining about non-numeric version numbers. |
|
|
<p> |
<p> |
|
|
<li id="p003_relayd"> |
<li id="p003_relayd"> |
<font color="#009000"> |
<strong>003: RELIABILITY FIX: August 6, 2016</strong> |
<strong>003: RELIABILITY FIX: August 6, 2016</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
Improve relayd's parsing of the Host-header by following RFC 7230 |
Improve relayd's parsing of the Host-header by following RFC 7230 |
|
|
<p> |
<p> |
|
|
<li id="p004_smtpd"> |
<li id="p004_smtpd"> |
<font color="#009000"> |
<strong>004: RELIABILITY FIX: August 23, 2016</strong> |
<strong>004: RELIABILITY FIX: August 23, 2016</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
A missing initialization can prevent mail headers from being altered as |
A missing initialization can prevent mail headers from being altered as |
|
|
<p> |
<p> |
|
|
<li id="p005_wsfont"> |
<li id="p005_wsfont"> |
<font color="#009000"> |
<strong>005: RELIABILITY FIX: September 17, 2016</strong> |
<strong>005: RELIABILITY FIX: September 17, 2016</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
Limit the number of wscons fonts that can be loaded into the kernel. |
Limit the number of wscons fonts that can be loaded into the kernel. |
|
|
<p> |
<p> |
|
|
<li id="p006_iked"> |
<li id="p006_iked"> |
<font color="#009000"> |
<strong>006: RELIABILITY FIX: September 17, 2016</strong> |
<strong>006: RELIABILITY FIX: September 17, 2016</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
During parsing of the iked(8) configuration, a variable is set to 0 |
During parsing of the iked(8) configuration, a variable is set to 0 |
|
|
<p> |
<p> |
|
|
<li id="p007_libcrypto"> |
<li id="p007_libcrypto"> |
<font color="#009000"> |
<strong>007: RELIABILITY FIX: September 22, 2016</strong> |
<strong>007: RELIABILITY FIX: September 22, 2016</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
Revert change that cleans up the EVP cipher context in EVP_EncryptFinal() |
Revert change that cleans up the EVP cipher context in EVP_EncryptFinal() |
|
|
<p> |
<p> |
|
|
<li id="p008_libssl"> |
<li id="p008_libssl"> |
<font color="#009000"> |
<strong>008: RELIABILITY FIX: September 22, 2016</strong> |
<strong>008: RELIABILITY FIX: September 22, 2016</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
Avoid unbounded memory growth in libssl, which can be triggered by a TLS |
Avoid unbounded memory growth in libssl, which can be triggered by a TLS |
|
|
<p> |
<p> |
|
|
<li id="p009_libssl"> |
<li id="p009_libssl"> |
<font color="#009000"> |
<strong>009: SECURITY FIX: September 22, 2016</strong> |
<strong>009: SECURITY FIX: September 22, 2016</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
Avoid falling back to a weak digest for (EC)DH when using SNI with libssl. |
Avoid falling back to a weak digest for (EC)DH when using SNI with libssl. |
|
|
<p> |
<p> |
|
|
<li id="p010_smtpd"> |
<li id="p010_smtpd"> |
<font color="#009000"> |
<strong>010: RELIABILITY FIX: October 3, 2016</strong> |
<strong>010: RELIABILITY FIX: October 3, 2016</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
A bug in the smtp session logic can lead to a server crash. |
A bug in the smtp session logic can lead to a server crash. |
|
|
<p> |
<p> |
|
|
<li id="p011_xorg_libs"> |
<li id="p011_xorg_libs"> |
<font color="#009000"> |
<strong>011: SECURITY FIX: October 4, 2016</strong> |
<strong>011: SECURITY FIX: October 4, 2016</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
Fix a number of issues in the way various X client libraries handle |
Fix a number of issues in the way various X client libraries handle |
|
|
<p> |
<p> |
|
|
<li id="p012_amap"> |
<li id="p012_amap"> |
<font color="#009000"> |
<strong>012: RELIABILITY FIX: October 8, 2016</strong> |
<strong>012: RELIABILITY FIX: October 8, 2016</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
Allocation of an amap with at least 131072 slots causes an integer overflow |
Allocation of an amap with at least 131072 slots causes an integer overflow |
|
|
<p> |
<p> |
|
|
<li id="p013_ssh_kexinit"> |
<li id="p013_ssh_kexinit"> |
<font color="#009000"> |
<strong>013: RELIABILITY FIX: October 10, 2016</strong> |
<strong>013: RELIABILITY FIX: October 10, 2016</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
A protocol parsing bug in sshd can lead to unauthenticated memory |
A protocol parsing bug in sshd can lead to unauthenticated memory |
|
|
<p> |
<p> |
|
|
<li id="p014_smtpd.patch"> |
<li id="p014_smtpd.patch"> |
<font color="#009000"> |
<strong>014: RELIABILITY FIX: October 13, 2016</strong> |
<strong>014: RELIABILITY FIX: October 13, 2016</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
A logic issue in smtpd's header parsing can cause SMTP sessions to hang. |
A logic issue in smtpd's header parsing can cause SMTP sessions to hang. |
|
|
<p> |
<p> |
|
|
<li id="p015_libssl.patch"> |
<li id="p015_libssl.patch"> |
<font color="#009000"> |
<strong>015: RELIABILITY FIX: November 5, 2016</strong> |
<strong>015: RELIABILITY FIX: November 5, 2016</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
Avoid continual processing of an unlimited number of TLS records. |
Avoid continual processing of an unlimited number of TLS records. |
|
|
<p> |
<p> |
|
|
<li id="p016_libcrypto.patch"> |
<li id="p016_libcrypto.patch"> |
<font color="#009000"> |
<strong>016: SECURITY FIX: January 5, 2017</strong> |
<strong>016: SECURITY FIX: January 5, 2017</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
Avoid possible side-channel leak of ECDSA private keys when signing. |
Avoid possible side-channel leak of ECDSA private keys when signing. |
|
|
<p> |
<p> |
|
|
<li id="p017_httpd.patch"> |
<li id="p017_httpd.patch"> |
<font color="#009000"> |
<strong>017: RELIABILITY FIX: January 31, 2017</strong> |
<strong>017: RELIABILITY FIX: January 31, 2017</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
A bug in the processing of range headers in httpd can lead to memory |
A bug in the processing of range headers in httpd can lead to memory |
|
|
<p> |
<p> |
|
|
<li id="p018_net80211.patch"> |
<li id="p018_net80211.patch"> |
<font color="#009000"> |
<strong>018: SECURITY FIX: March 1, 2017</strong> |
<strong>018: SECURITY FIX: March 1, 2017</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
WiFi clients using WPA1 or WPA2 are vulnerable to a man-in-the-middle attack |
WiFi clients using WPA1 or WPA2 are vulnerable to a man-in-the-middle attack |
|
|
<p> |
<p> |
|
|
<li id="p019_pf.patch"> |
<li id="p019_pf.patch"> |
<font color="#009000"> |
<strong>019: RELIABILITY FIX: March 9, 2017</strong> |
<strong>019: RELIABILITY FIX: March 9, 2017</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
Prevent integer overflow in PF when calculating the adaptive timeout, |
Prevent integer overflow in PF when calculating the adaptive timeout, |
|
|
<p> |
<p> |
|
|
<li id="p020_exec_elf.patch"> |
<li id="p020_exec_elf.patch"> |
<font color="#009000"> |
<strong>020: SECURITY FIX: March 20, 2017</strong> |
<strong>020: SECURITY FIX: March 20, 2017</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
ELF auxiliary vector storage leaks piece of kernel stack. |
ELF auxiliary vector storage leaks piece of kernel stack. |
|
|
<p> |
<p> |
|
|
<li id="p021_softraid_concat"> |
<li id="p021_softraid_concat"> |
<font color="#009000"> |
<strong>021: RELIABILITY FIX: May 2, 2017</strong> |
<strong>021: RELIABILITY FIX: May 2, 2017</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
softraid was unable to create usable concat volumes because |
softraid was unable to create usable concat volumes because |
|
|
<p> |
<p> |
|
|
<li id="p022_libssl"> |
<li id="p022_libssl"> |
<font color="#009000"> |
<strong>022: RELIABILITY FIX: May 8, 2017</strong> |
<strong>022: RELIABILITY FIX: May 8, 2017</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
Incorrect DTLS cookie handling can result in a NULL pointer dereference. |
Incorrect DTLS cookie handling can result in a NULL pointer dereference. |
|
|
<p> |
<p> |
|
|
<li id="p023_freetype"> |
<li id="p023_freetype"> |
<font color="#009000"> |
<strong>023: SECURITY FIX: May 13, 2017</strong> |
<strong>023: SECURITY FIX: May 13, 2017</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
Heap-based buffer overflows in freetype can result in out-of-bounds writes. |
Heap-based buffer overflows in freetype can result in out-of-bounds writes. |
|
|
<p> |
<p> |
|
|
<li id="p024_exec_subr"> |
<li id="p024_exec_subr"> |
<font color="#009000"> |
<strong>024: SECURITY FIX: May 19, 2017</strong> |
<strong>024: SECURITY FIX: May 19, 2017</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
An additional mitigation is added by placing a gap of 1 MB between the |
An additional mitigation is added by placing a gap of 1 MB between the |
|
|
<p> |
<p> |
|
|
<li id="p025_icmp_opts"> |
<li id="p025_icmp_opts"> |
<font color="#009000"> |
<strong>025: RELIABILITY FIX: May 22, 2017</strong> |
<strong>025: RELIABILITY FIX: May 22, 2017</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
The kernel could leak memory when processing ICMP packets with IP options. |
The kernel could leak memory when processing ICMP packets with IP options. |
|
|
<p> |
<p> |
|
|
<li id="p026_perl"> |
<li id="p026_perl"> |
<font color="#009000"> |
<strong>026: SECURITY FIX: June 4, 2017</strong> |
<strong>026: SECURITY FIX: June 4, 2017</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
A race condition exists in the File::Path perl module. |
A race condition exists in the File::Path perl module. |
|
|
<p> |
<p> |
|
|
<li id="p027_sti"> |
<li id="p027_sti"> |
<font color="#009000"> |
<strong>027: SECURITY FIX: June 12, 2017</strong> |
<strong>027: SECURITY FIX: June 12, 2017</strong></font> |
|
<i>hppa</i> |
<i>hppa</i> |
<br> |
<br> |
An integer overflow exists in two range checks of the sti(4) display driver. |
An integer overflow exists in two range checks of the sti(4) display driver. |
|
|
<p> |
<p> |
|
|
<li id="p028_wsmux"> |
<li id="p028_wsmux"> |
<font color="#009000"> |
<strong>028: RELIABILITY FIX: June 12, 2017</strong> |
<strong>028: RELIABILITY FIX: June 12, 2017</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
An unprivileged user can cause a kernel crash. |
An unprivileged user can cause a kernel crash. |
|
|
<p> |
<p> |
|
|
<li id="p029_sigio"> |
<li id="p029_sigio"> |
<font color="#009000"> |
<strong>029: RELIABILITY FIX: August 3, 2017</strong> |
<strong>029: RELIABILITY FIX: August 3, 2017</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
A SIGIO-related use-after-free can occur in two drivers. |
A SIGIO-related use-after-free can occur in two drivers. |
|
|
<p> |
<p> |
|
|
<li id="p030_sendsyslog"> |
<li id="p030_sendsyslog"> |
<font color="#009000"> |
<strong>030: RELIABILITY FIX: August 3, 2017</strong> |
<strong>030: RELIABILITY FIX: August 3, 2017</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
A missing length check in sendsyslog() may result in a kernel panic. |
A missing length check in sendsyslog() may result in a kernel panic. |
|
|
<p> |
<p> |
|
|
<li id="p031_fuse"> |
<li id="p031_fuse"> |
<font color="#009000"> |
<strong>031: SECURITY FIX: August 3, 2017</strong> |
<strong>031: SECURITY FIX: August 3, 2017</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
An out-of-bound read in vfs_getcwd_scandir() (mainly used for FUSE) |
An out-of-bound read in vfs_getcwd_scandir() (mainly used for FUSE) |
|
|
<p> |
<p> |
|
|
<li id="p032_recv"> |
<li id="p032_recv"> |
<font color="#009000"> |
<strong>032: SECURITY FIX: August 3, 2017</strong> |
<strong>032: SECURITY FIX: August 3, 2017</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
An alignment issue in recv() may result in an info leak via ktrace(). |
An alignment issue in recv() may result in an info leak via ktrace(). |
|
|
<p> |
<p> |
|
|
<li id="p033_tcp_usrreq"> |
<li id="p033_tcp_usrreq"> |
<font color="#009000"> |
<strong>033: SECURITY FIX: August 3, 2017</strong> |
<strong>033: SECURITY FIX: August 3, 2017</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
With an invalid address family, tcp_usrreq() may take an unintended code path. |
With an invalid address family, tcp_usrreq() may take an unintended code path. |
|
|
<p> |
<p> |
|
|
<li id="p034_sockaddr"> |
<li id="p034_sockaddr"> |
<font color="#009000"> |
<strong>034: SECURITY FIX: August 3, 2017</strong> |
<strong>034: SECURITY FIX: August 3, 2017</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
Missing socket address validation from userland may result in an info leak. |
Missing socket address validation from userland may result in an info leak. |
|
|
<p> |
<p> |
|
|
<li id="p035_ptrace"> |
<li id="p035_ptrace"> |
<font color="#009000"> |
<strong>035: SECURITY FIX: August 3, 2017</strong> |
<strong>035: SECURITY FIX: August 3, 2017</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
An uninitialized variable in ptrace() may result in an info leak. |
An uninitialized variable in ptrace() may result in an info leak. |
|
|
<p> |
<p> |
|
|
<li id="p036_fcntl"> |
<li id="p036_fcntl"> |
<font color="#009000"> |
<strong>036: SECURITY FIX: August 3, 2017</strong> |
<strong>036: SECURITY FIX: August 3, 2017</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
An uninitialized variable in fcntl() may result in an info leak. |
An uninitialized variable in fcntl() may result in an info leak. |
|
|
<p> |
<p> |
|
|
<li id="p037_wsdisplay"> |
<li id="p037_wsdisplay"> |
<font color="#009000"> |
<strong>037: RELIABILITY FIX: August 3, 2017</strong> |
<strong>037: RELIABILITY FIX: August 3, 2017</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
An integer overflow in wsdisplay_cfg_ioctl() may result in an out-of-bounds |
An integer overflow in wsdisplay_cfg_ioctl() may result in an out-of-bounds |
|
|
<p> |
<p> |
|
|
<li id="p038_sosplice"> |
<li id="p038_sosplice"> |
<font color="#009000"> |
<strong>038: SECURITY FIX: August 3, 2017</strong> |
<strong>038: SECURITY FIX: August 3, 2017</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
A race condition may result in a kernel memory leak. |
A race condition may result in a kernel memory leak. |
|
|
<p> |
<p> |
|
|
<li id="p039_ieee80211"> |
<li id="p039_ieee80211"> |
<font color="#009000"> |
<strong>039: SECURITY FIX: August 3, 2017</strong> |
<strong>039: SECURITY FIX: August 3, 2017</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
An out of bounds read could occur during processing of EAPOL frames in |
An out of bounds read could occur during processing of EAPOL frames in |
|
|
<p> |
<p> |
|
|
<li id="p040_smap"> |
<li id="p040_smap"> |
<font color="#009000"> |
<strong>040: SECURITY FIX: August 26, 2017</strong> |
<strong>040: SECURITY FIX: August 26, 2017</strong></font> |
|
<i>amd64 and i386</i> |
<i>amd64 and i386</i> |
<br> |
<br> |
SMAP enforcement could be bypassed by userland code. |
SMAP enforcement could be bypassed by userland code. |
|
|
<p> |
<p> |
|
|
<li id="p041_net80211_replay"> |
<li id="p041_net80211_replay"> |
<font color="#009000"> |
<strong>041: SECURITY FIX: August 30, 2017</strong> |
<strong>041: SECURITY FIX: August 30, 2017</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
State transition errors could cause reinstallation of old WPA keys. |
State transition errors could cause reinstallation of old WPA keys. |
|
|
<p> |
<p> |
|
|
<li id="p042_perl"> |
<li id="p042_perl"> |
<font color="#009000"> |
<strong>042: SECURITY FIX: September 22, 2017</strong> |
<strong>042: SECURITY FIX: September 22, 2017</strong></font> |
|
<i>All architectures</i> |
<i>All architectures</i> |
<br> |
<br> |
A buffer over-read and heap overflow in perl's regexp may result in |
A buffer over-read and heap overflow in perl's regexp may result in |
|
|
<p> |
<p> |
|
|
<li id="p043_tcb"> |
<li id="p043_tcb"> |
<font color="#009000"> |
<strong>043: RELIABILITY FIX: September 27, 2017</strong> |
<strong>043: RELIABILITY FIX: September 27, 2017</strong></font> |
|
<i>amd64</i> |
<i>amd64</i> |
<br> |
<br> |
Out of bounds TCB settings may result in a kernel panic. |
Out of bounds TCB settings may result in a kernel panic. |
|
|
<p> |
<p> |
|
|
<li id="p044_xrstor"> |
<li id="p044_xrstor"> |
<font color="#009000"> |
<strong>044: RELIABILITY FIX: October 4, 2017</strong> |
<strong>044: RELIABILITY FIX: October 4, 2017</strong></font> |
|
<i>amd64</i> |
<i>amd64</i> |
<br> |
<br> |
An unprivileged user can cause a kernel crash. |
An unprivileged user can cause a kernel crash. |
|
|
<p> |
<p> |
|
|
<li id="p045_xrstor_resume"> |
<li id="p045_xrstor_resume"> |
<font color="#009000"> |
<strong>045: SECURITY FIX: October 4, 2017</strong> |
<strong>045: SECURITY FIX: October 4, 2017</strong></font> |
|
<i>amd64</i> |
<i>amd64</i> |
<br> |
<br> |
A kernel executable address was leaked to userland. |
A kernel executable address was leaked to userland. |
|
|
</ul> |
</ul> |
|
|
<hr> |
<hr> |
|
|
</body> |
|
</html> |
|