Annotation of www/errata65.html, Revision 1.44
1.5 bentley 1: <!doctype html>
2: <html lang=en id=errata>
3: <meta charset=utf-8>
4:
1.1 deraadt 5: <title>OpenBSD 6.5 Errata</title>
6: <meta name="description" content="the OpenBSD errata page">
7: <meta name="viewport" content="width=device-width, initial-scale=1">
8: <link rel="stylesheet" type="text/css" href="openbsd.css">
9: <link rel="canonical" href="https://www.openbsd.org/errata65.html">
10:
11: <!--
12: IMPORTANT REMINDER
13: IF YOU ADD A NEW ERRATUM, MAIL THE PATCH TO TECH AND ANNOUNCE
14: -->
15:
1.5 bentley 16: <h2 id=OpenBSD>
1.1 deraadt 17: <a href="index.html">
1.5 bentley 18: <i>Open</i><b>BSD</b></a>
19: 6.5 Errata
1.1 deraadt 20: </h2>
21: <hr>
22:
23: For errata on a certain release, click below:<br>
1.32 schwarze 24: <a href="errata20.html">2.0</a>,
1.1 deraadt 25: <a href="errata21.html">2.1</a>,
26: <a href="errata22.html">2.2</a>,
27: <a href="errata23.html">2.3</a>,
28: <a href="errata24.html">2.4</a>,
29: <a href="errata25.html">2.5</a>,
30: <a href="errata26.html">2.6</a>,
31: <a href="errata27.html">2.7</a>,
32: <a href="errata28.html">2.8</a>,
33: <a href="errata29.html">2.9</a>,
34: <a href="errata30.html">3.0</a>,
35: <a href="errata31.html">3.1</a>,
36: <a href="errata32.html">3.2</a>,
37: <a href="errata33.html">3.3</a>,
38: <a href="errata34.html">3.4</a>,
39: <a href="errata35.html">3.5</a>,
1.32 schwarze 40: <br>
1.1 deraadt 41: <a href="errata36.html">3.6</a>,
42: <a href="errata37.html">3.7</a>,
43: <a href="errata38.html">3.8</a>,
44: <a href="errata39.html">3.9</a>,
45: <a href="errata40.html">4.0</a>,
46: <a href="errata41.html">4.1</a>,
47: <a href="errata42.html">4.2</a>,
48: <a href="errata43.html">4.3</a>,
49: <a href="errata44.html">4.4</a>,
50: <a href="errata45.html">4.5</a>,
51: <a href="errata46.html">4.6</a>,
52: <a href="errata47.html">4.7</a>,
53: <a href="errata48.html">4.8</a>,
54: <a href="errata49.html">4.9</a>,
55: <a href="errata50.html">5.0</a>,
56: <a href="errata51.html">5.1</a>,
1.32 schwarze 57: <br>
1.1 deraadt 58: <a href="errata52.html">5.2</a>,
59: <a href="errata53.html">5.3</a>,
60: <a href="errata54.html">5.4</a>,
61: <a href="errata55.html">5.5</a>,
62: <a href="errata56.html">5.6</a>,
63: <a href="errata57.html">5.7</a>,
64: <a href="errata58.html">5.8</a>,
65: <a href="errata59.html">5.9</a>,
66: <a href="errata60.html">6.0</a>,
67: <a href="errata61.html">6.1</a>,
68: <a href="errata62.html">6.2</a>,
69: <a href="errata63.html">6.3</a>,
1.13 deraadt 70: <a href="errata64.html">6.4</a>,
1.33 deraadt 71: <a href="errata66.html">6.6</a>,
1.37 deraadt 72: <a href="errata67.html">6.7</a>,
1.38 deraadt 73: <a href="errata68.html">6.8</a>,
1.39 tj 74: <br>
1.40 deraadt 75: <a href="errata69.html">6.9</a>,
1.41 deraadt 76: <a href="errata70.html">7.0</a>,
1.42 deraadt 77: <a href="errata71.html">7.1</a>,
1.43 tj 78: <a href="errata72.html">7.2</a>,
1.44 ! tj 79: <a href="errata73.html">7.3</a>,
! 80: <a href="errata74.html">7.4</a>.
1.1 deraadt 81: <hr>
82:
83: <p>
84: Patches for the OpenBSD base system are distributed as unified diffs.
85: Each patch is cryptographically signed with the
86: <a href="https://man.openbsd.org/OpenBSD-6.5/signify.1">signify(1)</a> tool and contains
87: usage instructions.
88: All the following patches are also available in one
89: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5.tar.gz">tar.gz file</a>
90: for convenience.
91:
92: <p>
93: Alternatively, the <a href="https://man.openbsd.org/syspatch">syspatch(8)</a>
94: utility can be used to apply binary updates on the following architectures:
95: amd64, i386, arm64.
96:
97: <p>
98: Patches for supported releases are also incorporated into the
1.36 tj 99: <a href="stable.html">-stable branch</a>.
1.1 deraadt 100:
101: <hr>
102:
103: <ul>
104:
1.2 tj 105: <li id="p001_rip6cksum">
1.5 bentley 106: <strong>001: RELIABILITY FIX: May 3, 2019</strong>
1.2 tj 107: <i>All architectures</i>
108: <br>
109: If a userland program sets the IPv6 checksum offset on a raw socket,
110: an incoming packet could crash the kernel. ospf6d is such a program.
111: <br>
1.3 tj 112: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/001_rip6cksum.patch.sig">
1.2 tj 113: A source code patch exists which remedies this problem.</a>
114: <p>
1.1 deraadt 115:
1.4 tj 116: <li id="p002_srtp">
1.5 bentley 117: <strong>002: RELIABILITY FIX: May 16, 2019</strong>
1.4 tj 118: <i>All architectures</i>
119: <br>
120: LibreSSL servers did not provide an SRTP profile, so DTLS negotiation failed.
121: <br>
122: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/002_srtp.patch.sig">
123: A source code patch exists which remedies this problem.</a>
124: <p>
125:
1.6 tj 126: <li id="p003_mds">
127: <strong>003: SECURITY FIX: May 29, 2019</strong>
128: <i>amd64</i>
129: <br>
130: Intel CPUs have a cross privilege side-channel attack (MDS).
131: <br>
132: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/003_mds.patch.sig">
133: A source code patch exists which remedies this problem.</a>
134: <p>
135:
1.7 tj 136: <li id="p004_bgpd">
137: <strong>004: RELIABILITY FIX: June 10, 2019</strong>
138: <i>All architectures</i>
139: <br>
140: Several issues were corrected in bgpd: "network" statements with no fixed
141: prefix were incorrectly removed when configuration was reloaded, "export
142: default-route" did not work, and "network 0.0.0.0/0" could not be used
143: in some cases.
144: <br>
145: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/004_bgpd.patch.sig">
146: A source code patch exists which remedies these problems.</a>
147: <p>
148:
149: <li id="p005_libssl">
150: <strong>005: RELIABILITY FIX: June 10, 2019</strong>
151: <i>All architectures</i>
152: <br>
153: TLS handshakes fail if a client supporting TLS 1.3 tries to connect to
154: an OpenBSD server and sends a key share extension that does not include
155: X25519.
156: <br>
157: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/005_libssl.patch.sig">
158: A source code patch exists which remedies this problem.</a>
159: <p>
160:
1.8 tj 161: <li id="p006_tcpsack">
162: <strong>006: RELIABILITY FIX: July 25, 2019</strong>
163: <i>All architectures</i>
164: <br>
165: By creating long chains of TCP SACK holes, an attacker could possibly
166: slow down the system temporarily.
167: <br>
168: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/006_tcpsack.patch.sig">
169: A source code patch exists which remedies this problem.</a>
170: <p>
171:
1.9 tj 172: <li id="p007_smtpd">
173: <strong>007: RELIABILITY FIX: August 2, 2019</strong>
174: <i>All architectures</i>
175: <br>
176: smtpd can crash on excessively large input, causing a denial of service.
177: <br>
178: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/007_smtpd.patch.sig">
179: A source code patch exists which remedies this problem.</a>
180: <p>
181:
1.10 tj 182: <li id="p008_swapgs">
183: <strong>008: SECURITY FIX: August 9, 2019</strong>
184: <i>amd64</i>
185: <br>
186: Intel CPUs have another cross privilege side-channel attack. (SWAPGS)
187: <br>
188: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/008_swapgs.patch.sig">
189: A source code patch exists which remedies this problem.</a>
190: <p>
191:
1.11 tj 192: <li id="p009_resume">
193: <strong>009: RELIABILITY FIX: September 2, 2019</strong>
194: <i>amd64</i>
195: <br>
196: Resume forgot to restore MSR/PAT configuration.
197: <br>
198: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/009_resume.patch.sig">
199: A source code patch exists which remedies this problem.</a>
200: <p>
201:
202: <li id="p010_frag6ecn">
203: <strong>010: RELIABILITY FIX: September 2, 2019</strong>
1.16 tb 204: <i>All architectures</i>
1.11 tj 205: <br>
206: When processing ECN bits on incoming IPv6 fragments, the kernel
207: could crash. Per default pf fragment reassemble prevents the crash.
208: <br>
209: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/010_frag6ecn.patch.sig">
210: A source code patch exists which remedies this problem.</a>
211: <p>
212:
1.12 tj 213: <li id="p011_expat">
214: <strong>011: SECURITY FIX: September 14, 2019</strong>
215: <i>All architectures</i>
216: <br>
217: Libexpat 2.2.6 was affected by the heap overflow CVE-2019-15903.
218: <br>
219: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/011_expat.patch.sig">
220: A source code patch exists which remedies this problem.</a>
221: <p>
222:
1.14 tj 223: <li id="p012_sysupgrade">
224: <strong>012: RELIABILITY FIX: October 3, 2019</strong>
225: <i>All architectures</i>
226: <br>
227: The sysupgrade utility can be used to upgrade the system to the next
228: release or to a new snapshot.
229: <br>
230: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/012_sysupgrade.patch.sig">
231: A source code patch exists which adds this utility.</a>
232: <p>
233:
1.15 tj 234: <li id="p013_unbound">
235: <strong>013: RELIABILITY FIX: October 5, 2019</strong>
236: <i>All architectures</i>
237: <br>
238: Specially crafted queries may crash unwind and unbound.
239: <br>
240: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/013_unbound.patch.sig">
241: A source code patch exists which remedies this problem.</a>
242: <p>
243:
244: <li id="p014_dhcpd">
245: <strong>014: SECURITY FIX: October 5, 2019</strong>
246: <i>All architectures</i>
247: <br>
248: dhcpd leaks 4 bytes of stack to the network.
249: <br>
250: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/014_dhcpd.patch.sig">
251: A source code patch exists which remedies this problem.</a>
252: <p>
253:
1.17 tj 254: <li id="p015_net80211">
255: <strong>015: RELIABILITY FIX: November 16, 2019</strong>
256: <i>All architectures</i>
257: <br>
258: The kernel could crash due to a NULL pointer dereference in net80211.
259: <br>
260: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/015_net80211.patch.sig">
261: A source code patch exists which remedies this problem.</a>
262: <p>
263:
264: <li id="p016_sysupgrade">
265: <strong>016: RELIABILITY FIX: November 16, 2019</strong>
266: <i>All architectures</i>
267: <br>
268: A new kernel may require newer firmware images when using sysupgrade.
269: <br>
270: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/016_sysupgrade.patch.sig">
271: A source code patch exists which remedies this problem.</a>
272: <p>
273:
274: <li id="p017_ifioctl">
275: <strong>017: SECURITY FIX: November 16, 2019</strong>
276: <i>All architectures</i>
277: <br>
278: A regular user could change some network interface parameters due
279: to missing checks in the ioctl(2) system call.
280: <br>
281: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/017_ifioctl.patch.sig">
282: A source code patch exists which remedies this problem.</a>
283: <p>
284:
1.18 tj 285: <li id="p018_inteldrm">
286: <strong>018: SECURITY FIX: November 22, 2019</strong>
287: <i>i386 and amd64</i>
288: <br>
289: A local user could cause the system to hang by reading specific
290: registers when Intel Gen8/Gen9 graphics hardware is in a low power state.
291: A local user could perform writes to memory that should be blocked with
292: Intel Gen9 graphics hardware.
293: <br>
294: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/018_inteldrm.patch.sig">
295: A source code patch exists which remedies this problem.</a>
296: <p>
297:
298: <li id="p019_mesa">
299: <strong>019: SECURITY FIX: November 22, 2019</strong>
300: <i>All architectures</i>
301: <br>
302: Shared memory regions used by some Mesa drivers had permissions which
303: allowed others to access that memory.
304: <br>
305: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/019_mesa.patch.sig">
306: A source code patch exists which remedies this problem.</a>
307: <p>
308:
1.19 tb 309: <li id="p020_mesaxlock">
310: <strong>020: SECURITY FIX: December 4, 2019</strong>
311: <i>All architectures</i>
312: <br>
313: Environment-provided paths are used for dlopen() in mesa, resulting in
314: escalation to the auth group in xlock(1).
315: <br>
316: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/020_mesaxlock.patch.sig">
317: A source code patch exists which remedies this problem.</a>
318: <p>
319:
320: <li id="p021_libcauth">
321: <strong>021: SECURITY FIX: December 4, 2019</strong>
322: <i>All architectures</i>
323: <br>
324: libc's authentication layer performed insufficient username validation.
325: <br>
326: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/021_libcauth.patch.sig">
327: A source code patch exists which remedies this problem.</a>
328: <p>
329:
330: <li id="p022_xenodm">
331: <strong>022: SECURITY FIX: December 4, 2019</strong>
332: <i>All architectures</i>
333: <br>
334: xenodm uses the libc authentication layer incorrectly.
335: <br>
336: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/022_xenodm.patch.sig">
337: A source code patch exists which remedies this problem.</a>
338: <p>
339:
1.20 tj 340: <li id="p023_suauth">
341: <strong>023: SECURITY FIX: December 8, 2019</strong>
342: <i>All architectures</i>
343: <br>
344: A user can log in with a different user's login class.
345: <br>
346: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/023_suauth.patch.sig">
347: A source code patch exists which remedies this problem.</a>
348: <p>
349:
1.21 tj 350: <li id="p024_ldso">
351: <strong>024: SECURITY FIX: December 11, 2019</strong>
352: <i>All architectures</i>
353: <br>
354: ld.so may fail to remove the LD_LIBRARY_PATH environment variable for
355: set-user-ID and set-group-ID executables in low memory conditions.
356: <br>
357: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/024_ldso.patch.sig">
358: A source code patch exists which remedies this problem.</a>
359: <p>
360:
1.22 tj 361: <li id="p025_eret">
362: <strong>025: SECURITY FIX: December 18, 2019</strong>
363: <i>arm64</i>
364: <br>
365: ARM64 CPUs speculatively execute instructions after ERET.
366: <br>
367: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/025_eret.patch.sig">
368: A source code patch exists which remedies this problem.</a>
369: <p>
370:
1.23 tj 371: <li id="p026_ftp">
372: <strong>026: SECURITY FIX: December 20, 2019</strong>
373: <i>All architectures</i>
374: <br>
375: ftp(1) will follow remote redirects to local files.
376: <br>
377: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/026_ftp.patch.sig">
378: A source code patch exists which remedies this problem.</a>
379: <p>
380:
381: <li id="p027_ripd">
382: <strong>027: SECURITY FIX: December 20, 2019</strong>
383: <i>All architectures</i>
384: <br>
385: ripd(8) fails to validate authentication lengths.
386: <br>
387: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/027_ripd.patch.sig">
388: A source code patch exists which remedies this problem.</a>
389: <p>
390:
1.24 tj 391: <li id="p028_inteldrmctx">
392: <strong>028: SECURITY FIX: January 17, 2020</strong>
393: <i>i386 and amd64</i>
394: <br>
395: Execution Unit state was not cleared on context switch with Intel Gen9
396: graphics hardware.
397: <br>
398: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/028_inteldrmctx.patch.sig">
399: A source code patch exists which remedies this problem.</a>
400: <p>
401:
1.25 tj 402: <li id="p029_smtpd_tls">
403: <strong>029: RELIABILITY FIX: January 30, 2020</strong>
404: <i>All architectures</i>
405: <br>
406: smtpd can crash on opportunistic TLS downgrade, causing a denial of service.
407: <br>
408: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/029_smtpd_tls.patch.sig">
409: A source code patch exists which remedies this problem.</a>
410: <p>
411:
412: <li id="p030_smtpd_exec">
413: <strong>030: SECURITY FIX: January 30, 2020</strong>
414: <i>All architectures</i>
415: <br>
416: An incorrect check allows an attacker to trick mbox delivery into executing
417: arbitrary commands as root and lmtp delivery into executing arbitrary commands
418: as an unprivileged user.
419: <br>
420: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/030_smtpd_exec.patch.sig">
421: A source code patch exists which remedies this problem.</a>
422: <p>
423:
1.26 tj 424: <li id="p031_smtpd_envelope">
425: <strong>031: SECURITY FIX: February 24, 2020</strong>
426: <i>All architectures</i>
427: <br>
428: An out of bounds read in smtpd allows an attacker to inject arbitrary
429: commands into the envelope file which are then executed as root.
430: Separately, missing privilege revocation in smtpctl allows arbitrary
431: commands to be run with the _smtpq group.
432: <br>
433: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/031_smtpd_envelope.patch.sig">
434: A source code patch exists which remedies this problem.</a>
435: <p>
1.27 tj 436:
437: <li id="p032_sysctl">
438: <strong>032: RELIABILITY FIX: March 10, 2020</strong>
439: <i>All architectures</i>
440: <br>
441: Missing input validation in sysctl(2) can be used to crash the kernel.
442: <br>
443: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/032_sysctl.patch.sig">
444: A source code patch exists which remedies this problem.</a>
445: <p>
446:
1.28 tj 447: <li id="p033_sosplice">
448: <strong>033: RELIABILITY FIX: March 13, 2020</strong>
449: <i>All architectures</i>
450: <br>
451: Local outbound UDP broadcast or multicast packets sent by a spliced
452: socket can crash the kernel.
453: <br>
454: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/033_sosplice.patch.sig">
455: A source code patch exists which remedies this problem.</a>
456: <p>
457:
1.29 tj 458: <li id="p034_dhcpd">
459: <strong>034: SECURITY FIX: April 7, 2020</strong>
460: <i>All architectures</i>
461: <br>
462: dhcpd could reference freed memory after releasing a lease with an
463: unusually long uid.
464: <br>
465: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/034_dhcpd.patch.sig">
466: A source code patch exists which remedies this problem.</a>
467: <p>
468:
1.30 tj 469: <li id="p035_drm">
470: <strong>035: SECURITY FIX: April 19, 2020</strong>
471: <i>i386, amd64, arm64, loongson, macppc, sparc64</i>
472: <br>
1.31 tj 473: There was an incorrect test for root in the DRM Linux compatibility code.
1.30 tj 474: <br>
475: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/035_drm.patch.sig">
476: A source code patch exists which remedies this problem.</a>
477: <p>
478:
1.34 tj 479: <li id="p036_ospfd_lsa">
480: <strong>036: RELIABILITY FIX: May 10, 2020</strong>
481: <i>All architectures</i>
482: <br>
483: ospfd could generate corrupt OSPF Router (Type 1) LSAs in certain situations.
484: <br>
485: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/036_ospfd_lsa.patch.sig">
486: A source code patch exists which remedies this problem.</a>
487: <p>
488:
1.35 tj 489: <li id="p037_wscons">
490: <strong>037: SECURITY FIX: May 13, 2020</strong>
491: <i>All architectures</i>
492: <br>
493: An out-of-bounds index access in wscons(4) can cause a kernel crash.
494: <br>
495: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/037_wscons.patch.sig">
496: A source code patch exists which remedies this problem.</a>
497: <p>
498:
1.1 deraadt 499: </ul>
500:
501: <hr>