Annotation of www/errata61.html, Revision 1.33
1.1 tj 1: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
2: <html>
3: <head>
4: <title>OpenBSD 6.1 Errata</title>
5: <meta name="description" content="the OpenBSD errata page">
6: <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
7: <meta name="viewport" content="width=device-width, initial-scale=1">
8: <link rel="stylesheet" type="text/css" href="openbsd.css">
9: <link rel="canonical" href="https://www.openbsd.org/errata61.html">
10: </head>
11:
12: <!--
13: IMPORTANT REMINDER
14: IF YOU ADD A NEW ERRATUM, MAIL THE PATCH TO TECH AND ANNOUNCE
15: -->
16: <body bgcolor="#ffffff" text="#000000" link="#23238E">
17:
18: <h2>
19: <a href="index.html">
20: <font color="#0000ff"><i>Open</i></font><font color="#000084">BSD</font></a>
21: <font color="#e00000">6.1 Errata</font>
22: </h2>
23: <hr>
24:
25: For errata on a certain release, click below:<br>
26: <a href="errata21.html">2.1</a>,
27: <a href="errata22.html">2.2</a>,
28: <a href="errata23.html">2.3</a>,
29: <a href="errata24.html">2.4</a>,
30: <a href="errata25.html">2.5</a>,
31: <a href="errata26.html">2.6</a>,
32: <a href="errata27.html">2.7</a>,
33: <a href="errata28.html">2.8</a>,
34: <a href="errata29.html">2.9</a>,
35: <a href="errata30.html">3.0</a>,
36: <a href="errata31.html">3.1</a>,
37: <a href="errata32.html">3.2</a>,
38: <a href="errata33.html">3.3</a>,
39: <a href="errata34.html">3.4</a>,
40: <a href="errata35.html">3.5</a>,
41: <a href="errata36.html">3.6</a>,
42: <br>
43: <a href="errata37.html">3.7</a>,
44: <a href="errata38.html">3.8</a>,
45: <a href="errata39.html">3.9</a>,
46: <a href="errata40.html">4.0</a>,
47: <a href="errata41.html">4.1</a>,
48: <a href="errata42.html">4.2</a>,
49: <a href="errata43.html">4.3</a>,
50: <a href="errata44.html">4.4</a>,
51: <a href="errata45.html">4.5</a>,
52: <a href="errata46.html">4.6</a>,
53: <a href="errata47.html">4.7</a>,
54: <a href="errata48.html">4.8</a>,
55: <a href="errata49.html">4.9</a>,
56: <a href="errata50.html">5.0</a>,
57: <a href="errata51.html">5.1</a>,
58: <a href="errata52.html">5.2</a>,
59: <br>
60: <a href="errata53.html">5.3</a>,
61: <a href="errata54.html">5.4</a>,
62: <a href="errata55.html">5.5</a>,
63: <a href="errata56.html">5.6</a>,
64: <a href="errata57.html">5.7</a>,
65: <a href="errata58.html">5.8</a>,
66: <a href="errata59.html">5.9</a>,
1.23 deraadt 67: <a href="errata60.html">6.0</a>,
68: <a href="errata62.html">6.2</a>.
1.1 tj 69: <hr>
70:
71: <p>
72: Patches for the OpenBSD base system are distributed as unified diffs.
73: Each patch is cryptographically signed with the
1.15 tb 74: <a href="https://man.openbsd.org/OpenBSD-6.1/signify.1">signify(1)</a> tool and contains
1.1 tj 75: usage instructions.
76: All the following patches are also available in one
77: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1.tar.gz">tar.gz file</a>
78: for convenience.
79:
80: <p>
1.32 tj 81: Alternatively, the <a href="https://man.openbsd.org/syspatch">syspatch(8)</a>
82: utility can be used to apply binary updates on the following architectures:
83: amd64, i386. <!-- arm64.-->
84:
85: <p>
1.1 tj 86: Patches for supported releases are also incorporated into the
87: <a href="stable.html">-stable branch</a>, which is maintained for one year
88: after release.
89:
90: <hr>
91:
92: <ul>
93:
1.4 tj 94: <li id="p001_dhcpd">
95: <font color="#009000">
96: <strong>001: INTEROPERABILITY FIX: May 2, 2017</strong></font>
97: <i>All architectures</i>
98: <br>
99: dhcpd unconditionally echoed the client identifier, preventing some devices
1.5 tb 100: from acquiring a lease.
1.4 tj 101: <br>
102: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/001_dhcpd.patch.sig">
103: A source code patch exists which remedies this problem.</a>
104: <p>
105:
106: <li id="p002_vmmfpu">
107: <font color="#009000">
108: <strong>002: SECURITY FIX: May 2, 2017</strong></font>
1.6 mlarkin 109: <i>amd64</i>
1.4 tj 110: <br>
111: vmm mismanaged floating point contexts.
112: <br>
113: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/002_vmmfpu.patch.sig">
114: A source code patch exists which remedies this problem.</a>
115: <p>
116:
117: <li id="p003_libressl">
118: <font color="#009000">
119: <strong>003: SECURITY FIX: May 2, 2017</strong></font>
120: <i>All architectures</i>
121: <br>
122: A consistency check error could cause programs to incorrectly verify
123: TLS certificates when using callbacks that always return 1.
124: <br>
125: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/003_libressl.patch.sig">
126: A source code patch exists which remedies this problem.</a>
127: <p>
128:
129: <li id="p004_softraid_concat">
130: <font color="#009000">
131: <strong>004: RELIABILITY FIX: May 2, 2017</strong></font>
132: <i>All architectures</i>
133: <br>
134: softraid was unable to create usable concat volumes because
135: it always set the size of the volume to zero sectors.
136: <br>
137: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/004_softraid_concat.patch.sig">
138: A source code patch exists which remedies this problem.</a>
139: <p>
1.1 tj 140:
1.7 tj 141: <li id="p005_pf_src_tracking">
142: <font color="#009000">
143: <strong>005: RELIABILITY FIX: May 6, 2017</strong></font>
144: <i>All architectures</i>
145: <br>
146: Expired pf source tracking entries never got removed, leading to
147: memory exhaustion.
148: <br>
149: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/005_pf_src_tracking.patch.sig">
150: A source code patch exists which remedies this problem.</a>
151: <p>
152:
1.8 tj 153: <li id="p006_libssl">
154: <font color="#009000">
155: <strong>006: RELIABILITY FIX: May 8, 2017</strong></font>
156: <i>All architectures</i>
157: <br>
158: Incorrect DTLS cookie handling can result in a NULL pointer dereference.
159: <br>
160: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/006_libssl.patch.sig">
161: A source code patch exists which remedies this problem.</a>
162: <p>
163:
1.9 tj 164: <li id="p007_freetype">
165: <font color="#009000">
1.10 tj 166: <strong>007: SECURITY FIX: May 13, 2017</strong></font>
1.9 tj 167: <i>All architectures</i>
168: <br>
169: Heap-based buffer overflows in freetype can result in out-of-bounds writes.
170: <br>
171: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/007_freetype.patch.sig">
172: A source code patch exists which remedies this problem.</a>
173: <p>
174:
1.11 tj 175: <li id="p008_exec_subr">
176: <font color="#009000">
177: <strong>008: SECURITY FIX: May 19, 2017</strong></font>
178: <i>All architectures</i>
179: <br>
180: An additional mitigation is added by placing a gap of 1 MB between the
181: stack and mmap spaces.
182: <br>
183: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/008_exec_subr.patch.sig">
184: A source code patch exists which remedies this problem.</a>
185: <p>
186:
1.12 tj 187: <li id="p009_icmp_opts">
188: <font color="#009000">
189: <strong>009: RELIABILITY FIX: May 22, 2017</strong></font>
190: <i>All architectures</i>
191: <br>
1.14 tj 192: The kernel could leak memory when processing ICMP packets with IP options.
1.12 tj 193: Note that pf blocks such packets by default.
194: <br>
195: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/009_icmp_opts.patch.sig">
196: A source code patch exists which remedies this problem.</a>
197: <p>
198:
1.13 tj 199: <li id="p010_perl">
200: <font color="#009000">
201: <strong>010: SECURITY FIX: June 4, 2017</strong></font>
202: <i>All architectures</i>
203: <br>
204: A race condition exists in the File::Path perl module.
205: <br>
206: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/010_perl.patch.sig">
1.14 tj 207: A source code patch exists which remedies this problem.</a>
208: <p>
209:
210: <li id="p011_sti">
211: <font color="#009000">
212: <strong>011: SECURITY FIX: June 12, 2017</strong></font>
213: <i>hppa</i>
214: <br>
215: An integer overflow exists in two range checks of the sti(4) display driver.
216: <br>
217: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/011_sti.patch.sig">
218: A source code patch exists which remedies this problem.</a>
219: <p>
220:
221: <li id="p012_wsmux">
222: <font color="#009000">
223: <strong>012: RELIABILITY FIX: June 12, 2017</strong></font>
224: <i>All architectures</i>
225: <br>
226: An unprivileged user can cause a kernel crash.
227: <br>
228: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/012_wsmux.patch.sig">
1.13 tj 229: A source code patch exists which remedies this problem.</a>
230: <p>
231:
1.16 tj 232: <li id="p013_icmp6_linklocal">
233: <font color="#009000">
234: <strong>013: RELIABILITY FIX: June 27, 2017</strong></font>
235: <i>All architectures</i>
236: <br>
237: When pinging an IPv6 link-local address, the reflected packet had
238: ::1 as source address. The echo reply was ignored as it must be
239: from the link-local address.
240: <br>
241: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/013_icmp6_linklocal.patch.sig">
242: A source code patch exists which remedies this problem.</a>
243: <p>
244:
1.17 tj 245: <li id="p014_libcrypto">
246: <font color="#009000">
247: <strong>014: RELIABILITY FIX: July 5, 2017</strong></font>
248: <i>All architectures</i>
249: <br>
250: Self-issued certificates are improperly treated as self-signed certificates,
251: leading to possible verification failures.
252: <br>
253: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/014_libcrypto.patch.sig">
254: A source code patch exists which remedies this problem.</a>
255: <p>
256:
1.18 tj 257: <li id="p015_sigio">
258: <font color="#009000">
259: <strong>015: RELIABILITY FIX: August 3, 2017</strong></font>
260: <i>All architectures</i>
261: <br>
262: A SIGIO-related use-after-free can occur in two drivers.
263: <br>
264: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/015_sigio.patch.sig">
265: A source code patch exists which remedies this problem.</a>
266: <p>
267:
268: <li id="p016_sendsyslog">
269: <font color="#009000">
270: <strong>016: RELIABILITY FIX: August 3, 2017</strong></font>
271: <i>All architectures</i>
272: <br>
273: A missing length check in sendsyslog() may result in a kernel panic.
274: <br>
275: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/016_sendsyslog.patch.sig">
276: A source code patch exists which remedies this problem.</a>
277: <p>
278:
279: <li id="p017_fuse">
280: <font color="#009000">
281: <strong>017: SECURITY FIX: August 3, 2017</strong></font>
282: <i>All architectures</i>
283: <br>
284: An out-of-bounds read in vfs_getcwd_scandir() (mainly used for FUSE)
285: may result in a kernel panic or info leak.
286: <br>
287: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/017_fuse.patch.sig">
288: A source code patch exists which remedies this problem.</a>
289: <p>
290:
291: <li id="p018_recv">
292: <font color="#009000">
293: <strong>018: SECURITY FIX: August 3, 2017</strong></font>
294: <i>All architectures</i>
295: <br>
296: An alignment issue in recv() may result in an info leak via ktrace().
297: <br>
298: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/018_recv.patch.sig">
299: A source code patch exists which remedies this problem.</a>
300: <p>
301:
302: <li id="p019_tcp_usrreq">
303: <font color="#009000">
304: <strong>019: SECURITY FIX: August 3, 2017</strong></font>
305: <i>All architectures</i>
306: <br>
307: With an invalid address family, tcp_usrreq() may take an unintended code path.
308: <br>
309: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/019_tcp_usrreq.patch.sig">
310: A source code patch exists which remedies this problem.</a>
311: <p>
312:
313: <li id="p020_sockaddr">
314: <font color="#009000">
315: <strong>020: SECURITY FIX: August 3, 2017</strong></font>
316: <i>All architectures</i>
317: <br>
318: Missing socket address validation from userland may result in an info leak.
319: <br>
320: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/020_sockaddr.patch.sig">
321: A source code patch exists which remedies this problem.</a>
322: <p>
323:
324: <li id="p021_ptrace">
325: <font color="#009000">
326: <strong>021: SECURITY FIX: August 3, 2017</strong></font>
327: <i>All architectures</i>
328: <br>
329: An uninitialized variable in ptrace() may result in an info leak.
330: <br>
331: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/021_ptrace.patch.sig">
332: A source code patch exists which remedies this problem.</a>
333: <p>
334:
335: <li id="p022_fcntl">
336: <font color="#009000">
337: <strong>022: SECURITY FIX: August 3, 2017</strong></font>
338: <i>All architectures</i>
339: <br>
340: An uninitialized variable in fcntl() may result in an info leak.
341: <br>
342: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/022_fcntl.patch.sig">
343: A source code patch exists which remedies this problem.</a>
344: <p>
345:
346: <li id="p023_wsdisplay">
347: <font color="#009000">
348: <strong>023: RELIABILITY FIX: August 3, 2017</strong></font>
349: <i>All architectures</i>
350: <br>
351: An integer overflow in wsdisplay_cfg_ioctl() may result in an out-of-bounds
352: read.
353: <br>
354: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/023_wsdisplay.patch.sig">
355: A source code patch exists which remedies this problem.</a>
356: <p>
357:
358: <li id="p024_sosplice">
359: <font color="#009000">
360: <strong>024: SECURITY FIX: August 3, 2017</strong></font>
361: <i>All architectures</i>
362: <br>
363: A race condition in sosplice() may result in a kernel memory leak.
364: <br>
365: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/024_sosplice.patch.sig">
366: A source code patch exists which remedies this problem.</a>
367: <p>
368:
369: <li id="p025_ieee80211">
370: <font color="#009000">
371: <strong>025: SECURITY FIX: August 3, 2017</strong></font>
372: <i>All architectures</i>
373: <br>
374: An out-of-bounds read could occur during processing of EAPOL frames in
375: the wireless stack. Information from kernel memory could be leaked to
376: root in userland via an ieee80211(9) ioctl.
377: <br>
378: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/025_ieee80211.patch.sig">
379: A source code patch exists which remedies this problem.</a>
380: <p>
381:
1.19 tj 382: <li id="p026_smap">
383: <font color="#009000">
384: <strong>026: SECURITY FIX: August 26, 2017</strong></font>
385: <i>amd64 and i386</i>
386: <br>
387: SMAP enforcement could be bypassed by userland code.
388: <br>
389: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/026_smap.patch.sig">
390: A source code patch exists which remedies this problem.</a>
391: <p>
392:
1.20 tj 393: <li id="p027_net80211_replay">
394: <font color="#009000">
395: <strong>027: SECURITY FIX: August 30, 2017</strong></font>
396: <i>All architectures</i>
397: <br>
398: State transition errors could cause reinstallation of old WPA keys.
399: <br>
400: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/027_net80211_replay.patch.sig">
401: A source code patch exists which remedies this problem.</a>
402: <p>
403:
1.21 tj 404: <li id="p028_perl">
405: <font color="#009000">
406: <strong>028: SECURITY FIX: September 22, 2017</strong></font>
407: <i>All architectures</i>
408: <br>
409: A buffer over-read and heap overflow in perl's regexp may result in
410: a crash or memory leak.
411: <br>
412: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/028_perl.patch.sig">
413: A source code patch exists which remedies this problem.</a>
414: <p>
415:
1.22 tj 416: <li id="p029_tcb">
417: <font color="#009000">
418: <strong>029: RELIABILITY FIX: September 27, 2017</strong></font>
419: <i>amd64</i>
420: <br>
421: Out-of-bounds TCB settings may result in a kernel panic.
422: <br>
423: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/029_tcb.patch.sig">
424: A source code patch exists which remedies this problem.</a>
425: <p>
426:
1.24 tj 427: <li id="p030_xrstor">
428: <font color="#009000">
429: <strong>030: RELIABILITY FIX: October 4, 2017</strong></font>
430: <i>amd64</i>
431: <br>
432: An unprivileged user can cause a kernel crash.
433: <br>
434: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/030_xrstor.patch.sig">
435: A source code patch exists which remedies this problem.</a>
436: <p>
437:
1.25 tj 438: <li id="p031_xrstor_resume">
439: <font color="#009000">
440: <strong>031: SECURITY FIX: October 4, 2017</strong></font>
441: <i>amd64</i>
442: <br>
443: A kernel executable address was leaked to userland.
444: <br>
1.26 tj 445: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/031_xrstor_resume.patch.sig">
1.25 tj 446: A source code patch exists which remedies this problem.</a>
447: <p>
448:
1.27 bluhm 449: <li id="p032_tcb_invalid">
450: <font color="#009000">
451: <strong>032: RELIABILITY FIX: October 13, 2017</strong></font>
452: <i>amd64</i>
453: <br>
454: A local user could trigger a kernel panic by using an invalid TCB value.
455: <br>
456: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/032_tcb_invalid.patch.sig">
457: A source code patch exists which remedies this problem.</a>
458: <p>
459:
1.29 tj 460: <li id="p033_mpls">
461: <font color="#009000">
462: <strong>033: RELIABILITY FIX: December 10, 2017</strong></font>
463: <i>All architectures</i>
464: <br>
465: A number of bugs were discovered in the MPLS stack that can be used to
466: remotely trigger a kernel panic.
467: <br>
468: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/033_mpls.patch.sig">
469: A source code patch exists which remedies this problem.</a>
470: <p>
471:
1.30 tj 472: <li id="p034_ahopts">
473: <font color="#009000">
474: <strong>034: RELIABILITY FIX: February 2, 2018</strong></font>
475: <i>All architectures</i>
476: <br>
477: Specially crafted IPsec AH packets with IP options or IPv6 extension
478: headers could crash or hang the kernel.
479: <br>
480: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/034_ahopts.patch.sig">
481: A source code patch exists which remedies this problem.</a>
482: <p>
483:
484: <li id="p035_prevhdr">
485: <font color="#009000">
486: <strong>035: RELIABILITY FIX: February 2, 2018</strong></font>
487: <i>All architectures</i>
488: <br>
489: Processing IPv6 fragments could incorrectly access memory of an mbuf
490: chain that is not within an mbuf. This may crash the kernel.
491: <br>
492: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/035_prevhdr.patch.sig">
493: A source code patch exists which remedies this problem.</a>
494: <p>
495:
496: <li id="p036_etherip">
497: <font color="#009000">
498: <strong>036: SECURITY FIX: February 2, 2018</strong></font>
499: <i>All architectures</i>
500: <br>
501: If the EtherIP tunnel protocol was disabled, IPv6 packets were not
502: discarded properly. This causes a double free in the kernel.
503: <br>
504: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/036_etherip.patch.sig">
505: A source code patch exists which remedies this problem.</a>
506: <p>
507:
1.31 tj 508: <li id="p037_meltdown">
509: <font color="#009000">
510: <strong>037: SECURITY FIX: March 1, 2018</strong></font>
511: <i>amd64</i>
512: <br>
513: Intel CPUs contain a speculative execution flaw called Meltdown which
514: allows userspace programs to access kernel memory.
515: <br>
516: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/037_meltdown.patch.sig">
517: A complex workaround solves the problem.</a>
518: <p>
519:
1.33 ! tj 520: <li id="p038_ahauth">
! 521: <font color="#009000">
! 522: <strong>038: RELIABILITY FIX: March 20, 2018</strong></font>
! 523: <i>All architectures</i>
! 524: <br>
! 525: The IPsec AH header could be longer than the network packet, resulting in
! 526: a kernel crash.
! 527: <br>
! 528: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/038_ahauth.patch.sig">
! 529: A source code patch exists which remedies this problem.</a>
! 530: <p>
! 531:
1.1 tj 532: </ul>
533:
534: <hr>
535:
536: </body>
537: </html>