| version 1.38, 2019/04/02 12:46:57 |
version 1.39, 2019/05/27 22:55:20 |
|
|
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> |
<!doctype html> |
| <html> |
<html lang=en id=errata> |
| <head> |
<meta charset=utf-8> |
| |
|
| <title>OpenBSD 6.1 Errata</title> |
<title>OpenBSD 6.1 Errata</title> |
| <meta name="description" content="the OpenBSD errata page"> |
<meta name="description" content="the OpenBSD errata page"> |
| <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> |
|
| <meta name="viewport" content="width=device-width, initial-scale=1"> |
<meta name="viewport" content="width=device-width, initial-scale=1"> |
| <link rel="stylesheet" type="text/css" href="openbsd.css"> |
<link rel="stylesheet" type="text/css" href="openbsd.css"> |
| <link rel="canonical" href="https://www.openbsd.org/errata61.html"> |
<link rel="canonical" href="https://www.openbsd.org/errata61.html"> |
| </head> |
|
| |
|
| <!-- |
<!-- |
| IMPORTANT REMINDER |
IMPORTANT REMINDER |
| IF YOU ADD A NEW ERRATUM, MAIL THE PATCH TO TECH AND ANNOUNCE |
IF YOU ADD A NEW ERRATUM, MAIL THE PATCH TO TECH AND ANNOUNCE |
| --> |
--> |
| <body bgcolor="#ffffff" text="#000000" link="#23238E"> |
|
| |
|
| <h2> |
<h2 id=OpenBSD> |
| <a href="index.html"> |
<a href="index.html"> |
| <font color="#0000ff"><i>Open</i></font><font color="#000084">BSD</font></a> |
<i>Open</i><b>BSD</b></a> |
| <font color="#e00000">6.1 Errata</font> |
6.1 Errata |
| </h2> |
</h2> |
| <hr> |
<hr> |
| |
|
|
|
| <ul> |
<ul> |
| |
|
| <li id="p001_dhcpd"> |
<li id="p001_dhcpd"> |
| <font color="#009000"> |
<strong>001: INTEROPERABILITY FIX: May 2, 2017</strong> |
| <strong>001: INTEROPERABILITY FIX: May 2, 2017</strong></font> |
|
| <i>All architectures</i> |
<i>All architectures</i> |
| <br> |
<br> |
| dhcpd unconditionally echoed the client identifier, preventing some devices |
dhcpd unconditionally echoed the client identifier, preventing some devices |
|
|
| <p> |
<p> |
| |
|
| <li id="p002_vmmfpu"> |
<li id="p002_vmmfpu"> |
| <font color="#009000"> |
<strong>002: SECURITY FIX: May 2, 2017</strong> |
| <strong>002: SECURITY FIX: May 2, 2017</strong></font> |
|
| <i>amd64</i> |
<i>amd64</i> |
| <br> |
<br> |
| vmm mismanaged floating point contexts. |
vmm mismanaged floating point contexts. |
|
|
| <p> |
<p> |
| |
|
| <li id="p003_libressl"> |
<li id="p003_libressl"> |
| <font color="#009000"> |
<strong>003: SECURITY FIX: May 2, 2017</strong> |
| <strong>003: SECURITY FIX: May 2, 2017</strong></font> |
|
| <i>All architectures</i> |
<i>All architectures</i> |
| <br> |
<br> |
| A consistency check error could cause programs to incorrectly verify |
A consistency check error could cause programs to incorrectly verify |
|
|
| <p> |
<p> |
| |
|
| <li id="p004_softraid_concat"> |
<li id="p004_softraid_concat"> |
| <font color="#009000"> |
<strong>004: RELIABILITY FIX: May 2, 2017</strong> |
| <strong>004: RELIABILITY FIX: May 2, 2017</strong></font> |
|
| <i>All architectures</i> |
<i>All architectures</i> |
| <br> |
<br> |
| softraid was unable to create usable concat volumes because |
softraid was unable to create usable concat volumes because |
|
|
| <p> |
<p> |
| |
|
| <li id="p005_pf_src_tracking"> |
<li id="p005_pf_src_tracking"> |
| <font color="#009000"> |
<strong>005: RELIABILITY FIX: May 6, 2017</strong> |
| <strong>005: RELIABILITY FIX: May 6, 2017</strong></font> |
|
| <i>All architectures</i> |
<i>All architectures</i> |
| <br> |
<br> |
| Expired pf source tracking entries never got removed, leading to |
Expired pf source tracking entries never got removed, leading to |
|
|
| <p> |
<p> |
| |
|
| <li id="p006_libssl"> |
<li id="p006_libssl"> |
| <font color="#009000"> |
<strong>006: RELIABILITY FIX: May 8, 2017</strong> |
| <strong>006: RELIABILITY FIX: May 8, 2017</strong></font> |
|
| <i>All architectures</i> |
<i>All architectures</i> |
| <br> |
<br> |
| Incorrect DTLS cookie handling can result in a NULL pointer dereference. |
Incorrect DTLS cookie handling can result in a NULL pointer dereference. |
|
|
| <p> |
<p> |
| |
|
| <li id="p007_freetype"> |
<li id="p007_freetype"> |
| <font color="#009000"> |
<strong>007: SECURITY FIX: May 13, 2017</strong> |
| <strong>007: SECURITY FIX: May 13, 2017</strong></font> |
|
| <i>All architectures</i> |
<i>All architectures</i> |
| <br> |
<br> |
| Heap-based buffer overflows in freetype can result in out-of-bounds writes. |
Heap-based buffer overflows in freetype can result in out-of-bounds writes. |
|
|
| <p> |
<p> |
| |
|
| <li id="p008_exec_subr"> |
<li id="p008_exec_subr"> |
| <font color="#009000"> |
<strong>008: SECURITY FIX: May 19, 2017</strong> |
| <strong>008: SECURITY FIX: May 19, 2017</strong></font> |
|
| <i>All architectures</i> |
<i>All architectures</i> |
| <br> |
<br> |
| An additional mitigation is added by placing a gap of 1 MB between the |
An additional mitigation is added by placing a gap of 1 MB between the |
|
|
| <p> |
<p> |
| |
|
| <li id="p009_icmp_opts"> |
<li id="p009_icmp_opts"> |
| <font color="#009000"> |
<strong>009: RELIABILITY FIX: May 22, 2017</strong> |
| <strong>009: RELIABILITY FIX: May 22, 2017</strong></font> |
|
| <i>All architectures</i> |
<i>All architectures</i> |
| <br> |
<br> |
| The kernel could leak memory when processing ICMP packets with IP options. |
The kernel could leak memory when processing ICMP packets with IP options. |
|
|
| <p> |
<p> |
| |
|
| <li id="p010_perl"> |
<li id="p010_perl"> |
| <font color="#009000"> |
<strong>010: SECURITY FIX: June 4, 2017</strong> |
| <strong>010: SECURITY FIX: June 4, 2017</strong></font> |
|
| <i>All architectures</i> |
<i>All architectures</i> |
| <br> |
<br> |
| A race condition exists in the File::Path perl module. |
A race condition exists in the File::Path perl module. |
|
|
| <p> |
<p> |
| |
|
| <li id="p011_sti"> |
<li id="p011_sti"> |
| <font color="#009000"> |
<strong>011: SECURITY FIX: June 12, 2017</strong> |
| <strong>011: SECURITY FIX: June 12, 2017</strong></font> |
|
| <i>hppa</i> |
<i>hppa</i> |
| <br> |
<br> |
| An integer overflow exists in two range checks of the sti(4) display driver. |
An integer overflow exists in two range checks of the sti(4) display driver. |
|
|
| <p> |
<p> |
| |
|
| <li id="p012_wsmux"> |
<li id="p012_wsmux"> |
| <font color="#009000"> |
<strong>012: RELIABILITY FIX: June 12, 2017</strong> |
| <strong>012: RELIABILITY FIX: June 12, 2017</strong></font> |
|
| <i>All architectures</i> |
<i>All architectures</i> |
| <br> |
<br> |
| An unprivileged user can cause a kernel crash. |
An unprivileged user can cause a kernel crash. |
|
|
| <p> |
<p> |
| |
|
| <li id="p013_icmp6_linklocal"> |
<li id="p013_icmp6_linklocal"> |
| <font color="#009000"> |
<strong>013: RELIABILITY FIX: June 27, 2017</strong> |
| <strong>013: RELIABILITY FIX: June 27, 2017</strong></font> |
|
| <i>All architectures</i> |
<i>All architectures</i> |
| <br> |
<br> |
| When pinging an IPv6 link-local address, the reflected packet had |
When pinging an IPv6 link-local address, the reflected packet had |
|
|
| <p> |
<p> |
| |
|
| <li id="p014_libcrypto"> |
<li id="p014_libcrypto"> |
| <font color="#009000"> |
<strong>014: RELIABILITY FIX: July 5, 2017</strong> |
| <strong>014: RELIABILITY FIX: July 5, 2017</strong></font> |
|
| <i>All architectures</i> |
<i>All architectures</i> |
| <br> |
<br> |
| Self-issued certificates are improperly treated as self-signed certificates, |
Self-issued certificates are improperly treated as self-signed certificates, |
|
|
| <p> |
<p> |
| |
|
| <li id="p015_sigio"> |
<li id="p015_sigio"> |
| <font color="#009000"> |
<strong>015: RELIABILITY FIX: August 3, 2017</strong> |
| <strong>015: RELIABILITY FIX: August 3, 2017</strong></font> |
|
| <i>All architectures</i> |
<i>All architectures</i> |
| <br> |
<br> |
| A SIGIO-related use-after-free can occur in two drivers. |
A SIGIO-related use-after-free can occur in two drivers. |
|
|
| <p> |
<p> |
| |
|
| <li id="p016_sendsyslog"> |
<li id="p016_sendsyslog"> |
| <font color="#009000"> |
<strong>016: RELIABILITY FIX: August 3, 2017</strong> |
| <strong>016: RELIABILITY FIX: August 3, 2017</strong></font> |
|
| <i>All architectures</i> |
<i>All architectures</i> |
| <br> |
<br> |
| A missing length check in sendsyslog() may result in a kernel panic. |
A missing length check in sendsyslog() may result in a kernel panic. |
|
|
| <p> |
<p> |
| |
|
| <li id="p017_fuse"> |
<li id="p017_fuse"> |
| <font color="#009000"> |
<strong>017: SECURITY FIX: August 3, 2017</strong> |
| <strong>017: SECURITY FIX: August 3, 2017</strong></font> |
|
| <i>All architectures</i> |
<i>All architectures</i> |
| <br> |
<br> |
| An out-of-bound read in vfs_getcwd_scandir() (mainly used for FUSE) |
An out-of-bound read in vfs_getcwd_scandir() (mainly used for FUSE) |
|
|
| <p> |
<p> |
| |
|
| <li id="p018_recv"> |
<li id="p018_recv"> |
| <font color="#009000"> |
<strong>018: SECURITY FIX: August 3, 2017</strong> |
| <strong>018: SECURITY FIX: August 3, 2017</strong></font> |
|
| <i>All architectures</i> |
<i>All architectures</i> |
| <br> |
<br> |
| An alignment issue in recv() may result in an info leak via ktrace(). |
An alignment issue in recv() may result in an info leak via ktrace(). |
|
|
| <p> |
<p> |
| |
|
| <li id="p019_tcp_usrreq"> |
<li id="p019_tcp_usrreq"> |
| <font color="#009000"> |
<strong>019: SECURITY FIX: August 3, 2017</strong> |
| <strong>019: SECURITY FIX: August 3, 2017</strong></font> |
|
| <i>All architectures</i> |
<i>All architectures</i> |
| <br> |
<br> |
| With an invalid address family, tcp_usrreq() may take an unintended code path. |
With an invalid address family, tcp_usrreq() may take an unintended code path. |
|
|
| <p> |
<p> |
| |
|
| <li id="p020_sockaddr"> |
<li id="p020_sockaddr"> |
| <font color="#009000"> |
<strong>020: SECURITY FIX: August 3, 2017</strong> |
| <strong>020: SECURITY FIX: August 3, 2017</strong></font> |
|
| <i>All architectures</i> |
<i>All architectures</i> |
| <br> |
<br> |
| Missing socket address validation from userland may result in an info leak. |
Missing socket address validation from userland may result in an info leak. |
|
|
| <p> |
<p> |
| |
|
| <li id="p021_ptrace"> |
<li id="p021_ptrace"> |
| <font color="#009000"> |
<strong>021: SECURITY FIX: August 3, 2017</strong> |
| <strong>021: SECURITY FIX: August 3, 2017</strong></font> |
|
| <i>All architectures</i> |
<i>All architectures</i> |
| <br> |
<br> |
| An uninitialized variable in ptrace() may result in an info leak. |
An uninitialized variable in ptrace() may result in an info leak. |
|
|
| <p> |
<p> |
| |
|
| <li id="p022_fcntl"> |
<li id="p022_fcntl"> |
| <font color="#009000"> |
<strong>022: SECURITY FIX: August 3, 2017</strong> |
| <strong>022: SECURITY FIX: August 3, 2017</strong></font> |
|
| <i>All architectures</i> |
<i>All architectures</i> |
| <br> |
<br> |
| An uninitialized variable in fcntl() may result in an info leak. |
An uninitialized variable in fcntl() may result in an info leak. |
|
|
| <p> |
<p> |
| |
|
| <li id="p023_wsdisplay"> |
<li id="p023_wsdisplay"> |
| <font color="#009000"> |
<strong>023: RELIABILITY FIX: August 3, 2017</strong> |
| <strong>023: RELIABILITY FIX: August 3, 2017</strong></font> |
|
| <i>All architectures</i> |
<i>All architectures</i> |
| <br> |
<br> |
| An integer overflow in wsdisplay_cfg_ioctl() may result in an out-of-bounds |
An integer overflow in wsdisplay_cfg_ioctl() may result in an out-of-bounds |
|
|
| <p> |
<p> |
| |
|
| <li id="p024_sosplice"> |
<li id="p024_sosplice"> |
| <font color="#009000"> |
<strong>024: SECURITY FIX: August 3, 2017</strong> |
| <strong>024: SECURITY FIX: August 3, 2017</strong></font> |
|
| <i>All architectures</i> |
<i>All architectures</i> |
| <br> |
<br> |
| A race condition in sosplice() may result in a kernel memory leak. |
A race condition in sosplice() may result in a kernel memory leak. |
|
|
| <p> |
<p> |
| |
|
| <li id="p025_ieee80211"> |
<li id="p025_ieee80211"> |
| <font color="#009000"> |
<strong>025: SECURITY FIX: August 3, 2017</strong> |
| <strong>025: SECURITY FIX: August 3, 2017</strong></font> |
|
| <i>All architectures</i> |
<i>All architectures</i> |
| <br> |
<br> |
| An out of bounds read could occur during processing of EAPOL frames in |
An out of bounds read could occur during processing of EAPOL frames in |
|
|
| <p> |
<p> |
| |
|
| <li id="p026_smap"> |
<li id="p026_smap"> |
| <font color="#009000"> |
<strong>026: SECURITY FIX: August 26, 2017</strong> |
| <strong>026: SECURITY FIX: August 26, 2017</strong></font> |
|
| <i>amd64 and i386</i> |
<i>amd64 and i386</i> |
| <br> |
<br> |
| SMAP enforcement could be bypassed by userland code. |
SMAP enforcement could be bypassed by userland code. |
|
|
| <p> |
<p> |
| |
|
| <li id="p027_net80211_replay"> |
<li id="p027_net80211_replay"> |
| <font color="#009000"> |
<strong>027: SECURITY FIX: August 30, 2017</strong> |
| <strong>027: SECURITY FIX: August 30, 2017</strong></font> |
|
| <i>All architectures</i> |
<i>All architectures</i> |
| <br> |
<br> |
| State transition errors could cause reinstallation of old WPA keys. |
State transition errors could cause reinstallation of old WPA keys. |
|
|
| <p> |
<p> |
| |
|
| <li id="p028_perl"> |
<li id="p028_perl"> |
| <font color="#009000"> |
<strong>028: SECURITY FIX: September 22, 2017</strong> |
| <strong>028: SECURITY FIX: September 22, 2017</strong></font> |
|
| <i>All architectures</i> |
<i>All architectures</i> |
| <br> |
<br> |
| A buffer over-read and heap overflow in perl's regexp may result in |
A buffer over-read and heap overflow in perl's regexp may result in |
|
|
| <p> |
<p> |
| |
|
| <li id="p029_tcb"> |
<li id="p029_tcb"> |
| <font color="#009000"> |
<strong>029: RELIABILITY FIX: September 27, 2017</strong> |
| <strong>029: RELIABILITY FIX: September 27, 2017</strong></font> |
|
| <i>amd64</i> |
<i>amd64</i> |
| <br> |
<br> |
| Out of bounds TCB settings may result in a kernel panic. |
Out of bounds TCB settings may result in a kernel panic. |
|
|
| <p> |
<p> |
| |
|
| <li id="p030_xrstor"> |
<li id="p030_xrstor"> |
| <font color="#009000"> |
<strong>030: RELIABILITY FIX: October 4, 2017</strong> |
| <strong>030: RELIABILITY FIX: October 4, 2017</strong></font> |
|
| <i>amd64</i> |
<i>amd64</i> |
| <br> |
<br> |
| An unprivileged user can cause a kernel crash. |
An unprivileged user can cause a kernel crash. |
|
|
| <p> |
<p> |
| |
|
| <li id="p031_xrstor_resume"> |
<li id="p031_xrstor_resume"> |
| <font color="#009000"> |
<strong>031: SECURITY FIX: October 4, 2017</strong> |
| <strong>031: SECURITY FIX: October 4, 2017</strong></font> |
|
| <i>amd64</i> |
<i>amd64</i> |
| <br> |
<br> |
| A kernel executable address was leaked to userland. |
A kernel executable address was leaked to userland. |
|
|
| <p> |
<p> |
| |
|
| <li id="p032_tcb_invalid"> |
<li id="p032_tcb_invalid"> |
| <font color="#009000"> |
<strong>032: RELIABILITY FIX: October 13, 2017</strong> |
| <strong>032: RELIABILITY FIX: October 13, 2017</strong></font> |
|
| <i>amd64</i> |
<i>amd64</i> |
| <br> |
<br> |
| A local user could trigger a kernel panic by using an invalid TCB value. |
A local user could trigger a kernel panic by using an invalid TCB value. |
|
|
| <p> |
<p> |
| |
|
| <li id="p033_mpls"> |
<li id="p033_mpls"> |
| <font color="#009000"> |
<strong>033: RELIABILITY FIX: December 10, 2017</strong> |
| <strong>033: RELIABILITY FIX: December 10, 2017</strong></font> |
|
| All architectures |
All architectures |
| <br> |
<br> |
| A number of bugs were discovered in the MPLS stack that can be used to |
A number of bugs were discovered in the MPLS stack that can be used to |
|
|
| <p> |
<p> |
| |
|
| <li id="p034_ahopts"> |
<li id="p034_ahopts"> |
| <font color="#009000"> |
<strong>034: RELIABILITY FIX: February 2, 2018</strong> |
| <strong>034: RELIABILITY FIX: February 2, 2018</strong></font> |
|
| <i>All architectures</i> |
<i>All architectures</i> |
| <br> |
<br> |
| Specially crafted IPsec AH packets with IP options or IPv6 extension |
Specially crafted IPsec AH packets with IP options or IPv6 extension |
|
|
| <p> |
<p> |
| |
|
| <li id="p035_prevhdr"> |
<li id="p035_prevhdr"> |
| <font color="#009000"> |
<strong>035: RELIABILITY FIX: February 2, 2018</strong> |
| <strong>035: RELIABILITY FIX: February 2, 2018</strong></font> |
|
| <i>All architectures</i> |
<i>All architectures</i> |
| <br> |
<br> |
| Processing IPv6 fragments could incorrectly access memory of an mbuf |
Processing IPv6 fragments could incorrectly access memory of an mbuf |
|
|
| <p> |
<p> |
| |
|
| <li id="p036_etherip"> |
<li id="p036_etherip"> |
| <font color="#009000"> |
<strong>036: SECURITY FIX: February 2, 2018</strong> |
| <strong>036: SECURITY FIX: February 2, 2018</strong></font> |
|
| <i>All architectures</i> |
<i>All architectures</i> |
| <br> |
<br> |
| If the EtherIP tunnel protocol was disabled, IPv6 packets were not |
If the EtherIP tunnel protocol was disabled, IPv6 packets were not |
|
|
| <p> |
<p> |
| |
|
| <li id="p037_meltdown"> |
<li id="p037_meltdown"> |
| <font color="#009000"> |
<strong>037: SECURITY FIX: March 1, 2018</strong> |
| <strong>037: SECURITY FIX: March 1, 2018</strong></font> |
|
| <i>amd64</i> |
<i>amd64</i> |
| <br> |
<br> |
| Intel CPUs contain a speculative execution flaw called Meltdown which |
Intel CPUs contain a speculative execution flaw called Meltdown which |
|
|
| <p> |
<p> |
| |
|
| <li id="p038_ahauth"> |
<li id="p038_ahauth"> |
| <font color="#009000"> |
<strong>038: RELIABILITY FIX: March 20, 2018</strong> |
| <strong>038: RELIABILITY FIX: March 20, 2018</strong></font> |
|
| <i>All architectures</i> |
<i>All architectures</i> |
| <br> |
<br> |
| The IPsec AH header could be longer than the network packet, resulting in |
The IPsec AH header could be longer than the network packet, resulting in |
|
|
| <p> |
<p> |
| |
|
| <li id="p039_perl"> |
<li id="p039_perl"> |
| <font color="#009000"> |
<strong>039: SECURITY FIX: April 14, 2018</strong> |
| <strong>039: SECURITY FIX: April 14, 2018</strong></font> |
|
| <i>All architectures</i> |
<i>All architectures</i> |
| <br> |
<br> |
| Heap overflows exist in perl which can lead to segmentation faults, |
Heap overflows exist in perl which can lead to segmentation faults, |
|
|
| </ul> |
</ul> |
| |
|
| <hr> |
<hr> |
| |
|
| </body> |
|
| </html> |
|
![[BACK]](/icons/back.gif){kind=icon}
Return to errata61.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www