Annotation of www/errata66.html, Revision 1.30
1.1 deraadt 1: <!doctype html>
2: <html lang=en id=errata>
3: <meta charset=utf-8>
4:
5: <title>OpenBSD 6.6 Errata</title>
6: <meta name="description" content="the OpenBSD errata page">
7: <meta name="viewport" content="width=device-width, initial-scale=1">
8: <link rel="stylesheet" type="text/css" href="openbsd.css">
9: <link rel="canonical" href="https://www.openbsd.org/errata66.html">
10:
11: <!--
12: IMPORTANT REMINDER
13: IF YOU ADD A NEW ERRATUM, MAIL THE PATCH TO TECH AND ANNOUNCE
14: -->
15:
16: <h2 id=OpenBSD>
17: <a href="index.html">
18: <i>Open</i><b>BSD</b></a>
19: 6.6 Errata
20: </h2>
21: <hr>
22:
23: For errata on a certain release, click below:<br>
1.21 schwarze 24: <a href="errata20.html">2.0</a>,
1.1 deraadt 25: <a href="errata21.html">2.1</a>,
26: <a href="errata22.html">2.2</a>,
27: <a href="errata23.html">2.3</a>,
28: <a href="errata24.html">2.4</a>,
29: <a href="errata25.html">2.5</a>,
30: <a href="errata26.html">2.6</a>,
31: <a href="errata27.html">2.7</a>,
32: <a href="errata28.html">2.8</a>,
33: <a href="errata29.html">2.9</a>,
34: <a href="errata30.html">3.0</a>,
35: <a href="errata31.html">3.1</a>,
36: <a href="errata32.html">3.2</a>,
37: <a href="errata33.html">3.3</a>,
38: <a href="errata34.html">3.4</a>,
39: <a href="errata35.html">3.5</a>,
1.21 schwarze 40: <br>
1.1 deraadt 41: <a href="errata36.html">3.6</a>,
42: <a href="errata37.html">3.7</a>,
43: <a href="errata38.html">3.8</a>,
44: <a href="errata39.html">3.9</a>,
45: <a href="errata40.html">4.0</a>,
46: <a href="errata41.html">4.1</a>,
47: <a href="errata42.html">4.2</a>,
48: <a href="errata43.html">4.3</a>,
49: <a href="errata44.html">4.4</a>,
50: <a href="errata45.html">4.5</a>,
51: <a href="errata46.html">4.6</a>,
52: <a href="errata47.html">4.7</a>,
53: <a href="errata48.html">4.8</a>,
54: <a href="errata49.html">4.9</a>,
55: <a href="errata50.html">5.0</a>,
56: <a href="errata51.html">5.1</a>,
1.21 schwarze 57: <br>
1.1 deraadt 58: <a href="errata52.html">5.2</a>,
59: <a href="errata53.html">5.3</a>,
60: <a href="errata54.html">5.4</a>,
61: <a href="errata55.html">5.5</a>,
62: <a href="errata56.html">5.6</a>,
63: <a href="errata57.html">5.7</a>,
64: <a href="errata58.html">5.8</a>,
65: <a href="errata59.html">5.9</a>,
66: <a href="errata60.html">6.0</a>,
67: <a href="errata61.html">6.1</a>,
68: <a href="errata62.html">6.2</a>,
69: <a href="errata63.html">6.3</a>,
70: <a href="errata64.html">6.4</a>,
1.22 deraadt 71: <a href="errata65.html">6.5</a>,
72: <a href="errata67.html">6.7</a>.
1.1 deraadt 73: <hr>
74:
75: <p>
76: Patches for the OpenBSD base system are distributed as unified diffs.
77: Each patch is cryptographically signed with the
78: <a href="https://man.openbsd.org/OpenBSD-6.6/signify.1">signify(1)</a> tool and contains
79: usage instructions.
80: All the following patches are also available in one
81: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.6.tar.gz">tar.gz file</a>
82: for convenience.
83:
84: <p>
85: Alternatively, the <a href="https://man.openbsd.org/syspatch">syspatch(8)</a>
86: utility can be used to apply binary updates on the following architectures:
87: amd64, i386, arm64.
88:
89: <p>
90: Patches for supported releases are also incorporated into the
91: <a href="stable.html">-stable branch</a>, which is maintained for one year
92: after release.
93:
94: <hr>
95:
96: <ul>
97:
1.2 tj 98: <li id="p001_bpf">
99: <strong>001: RELIABILITY FIX: October 28, 2019</strong>
100: <i>All architectures</i>
101: <br>
102: bpf(4) has a race condition during device removal.
103: <br>
104: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/001_bpf.patch.sig">
105: A source code patch exists which remedies this problem.</a>
106: <p>
107:
108: <li id="p002_ber">
109: <strong>002: RELIABILITY FIX: October 28, 2019</strong>
110: <i>All architectures</i>
111: <br>
112: Various third-party applications may crash due to symbol collision.
113: <br>
114: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/002_ber.patch.sig">
115: A source code patch exists which remedies this problem.</a>
116: <p>
1.1 deraadt 117:
1.4 tj 118: <li id="p003_bgpd">
119: <strong>003: RELIABILITY FIX: October 31, 2019</strong>
120: <i>All architectures</i>
121: <br>
122: bgpd(8) can crash on nexthop changes or during startup in certain
123: configurations.
124: <br>
125: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/003_bgpd.patch.sig">
126: A source code patch exists which remedies this problem.</a>
127: <p>
128:
1.5 tj 129: <li id="p004_net80211">
130: <strong>004: RELIABILITY FIX: November 16, 2019</strong>
131: <i>All architectures</i>
132: <br>
133: The kernel could crash due to a NULL pointer dereference in net80211.
134: <br>
135: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/004_net80211.patch.sig">
136: A source code patch exists which remedies this problem.</a>
137: <p>
138:
139: <li id="p005_sysupgrade">
140: <strong>005: RELIABILITY FIX: November 16, 2019</strong>
141: <i>All architectures</i>
142: <br>
143: A new kernel may require newer firmware images when using sysupgrade.
144: <br>
145: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/005_sysupgrade.patch.sig">
146: A source code patch exists which remedies this problem.</a>
147: <p>
148:
149: <li id="p006_ifioctl">
150: <strong>006: SECURITY FIX: November 16, 2019</strong>
151: <i>All architectures</i>
152: <br>
153: A regular user could change some network interface parameters due
154: to missing checks in the ioctl(2) system call.
155: <br>
156: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/006_ifioctl.patch.sig">
157: A source code patch exists which remedies this problem.</a>
158: <p>
159:
1.6 tj 160: <li id="p007_inteldrm">
161: <strong>007: SECURITY FIX: November 22, 2019</strong>
162: <i>i386 and amd64</i>
163: <br>
164: A local user could cause the system to hang by reading specific
165: registers when Intel Gen8/Gen9 graphics hardware is in a low power state.
166: A local user could perform writes to memory that should be blocked with
167: Intel Gen9 graphics hardware.
168: <br>
169: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/007_inteldrm.patch.sig">
170: A source code patch exists which remedies this problem.</a>
171: <p>
172:
173: <li id="p008_mesa">
174: <strong>008: SECURITY FIX: November 22, 2019</strong>
175: <i>All architectures</i>
176: <br>
177: Shared memory regions used by some Mesa drivers had permissions which
178: allowed others to access that memory.
179: <br>
180: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/008_mesa.patch.sig">
181: A source code patch exists which remedies this problem.</a>
182: <p>
183:
1.7 tb 184: <li id="p009_mesaxlock">
185: <strong>009: SECURITY FIX: December 4, 2019</strong>
186: <i>All architectures</i>
187: <br>
188: Environment-provided paths are used for dlopen() in mesa, resulting in
189: escalation to the auth group in xlock(1).
190: <br>
191: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/009_mesaxlock.patch.sig">
192: A source code patch exists which remedies this problem.</a>
193: <p>
194:
195: <li id="p010_libcauth">
196: <strong>010: SECURITY FIX: December 4, 2019</strong>
197: <i>All architectures</i>
198: <br>
199: libc's authentication layer performed insufficient username validation.
200: <br>
201: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/010_libcauth.patch.sig">
202: A source code patch exists which remedies this problem.</a>
203: <p>
204:
205: <li id="p011_xenodm">
206: <strong>011: SECURITY FIX: December 4, 2019</strong>
207: <i>All architectures</i>
208: <br>
209: xenodm uses the libc authentication layer incorrectly.
210: <br>
211: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/011_xenodm.patch.sig">
212: A source code patch exists which remedies this problem.</a>
213: <p>
214:
1.8 tj 215: <li id="p012_suauth">
216: <strong>012: SECURITY FIX: December 8, 2019</strong>
217: <i>All architectures</i>
218: <br>
219: A user can log in with a different user's login class.
220: <br>
221: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/012_suauth.patch.sig">
222: A source code patch exists which remedies this problem.</a>
223: <p>
224:
1.9 tj 225: <li id="p013_ldso">
226: <strong>013: SECURITY FIX: December 11, 2019</strong>
227: <i>All architectures</i>
228: <br>
229: ld.so may fail to remove the LD_LIBRARY_PATH environment variable for
230: set-user-ID and set-group-ID executables in low memory conditions.
231: <br>
232: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/013_ldso.patch.sig">
233: A source code patch exists which remedies this problem.</a>
234: <p>
235:
1.10 tj 236: <li id="p014_eret">
237: <strong>014: SECURITY FIX: December 18, 2019</strong>
238: <i>arm64</i>
239: <br>
240: ARM64 CPUs speculatively execute instructions after ERET.
241: <br>
242: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/014_eret.patch.sig">
243: A source code patch exists which remedies this problem.</a>
244: <p>
245:
1.11 tj 246: <li id="p015_ftp">
247: <strong>015: SECURITY FIX: December 20, 2019</strong>
248: <i>All architectures</i>
249: <br>
250: ftp(1) will follow remote redirects to local files.
251: <br>
252: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/015_ftp.patch.sig">
253: A source code patch exists which remedies this problem.</a>
254: <p>
255:
256: <li id="p016_ripd">
257: <strong>016: SECURITY FIX: December 20, 2019</strong>
258: <i>All architectures</i>
259: <br>
260: ripd(8) fails to validate authentication lengths.
261: <br>
262: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/016_ripd.patch.sig">
263: A source code patch exists which remedies this problem.</a>
264: <p>
265:
1.12 tj 266: <li id="p017_inteldrmctx">
267: <strong>017: SECURITY FIX: January 17, 2020</strong>
268: <i>i386 and amd64</i>
269: <br>
270: Execution Unit state was not cleared on context switch with Intel Gen9
271: graphics hardware.
272: <br>
273: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/017_inteldrmctx.patch.sig">
274: A source code patch exists which remedies this problem.</a>
275: <p>
276:
1.13 tj 277: <li id="p018_smtpd_tls">
278: <strong>018: RELIABILITY FIX: January 30, 2020</strong>
279: <i>All architectures</i>
280: <br>
281: smtpd can crash on opportunistic TLS downgrade, causing a denial of service.
282: <br>
283: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/018_smtpd_tls.patch.sig">
284: A source code patch exists which remedies this problem.</a>
285: <p>
286:
287: <li id="p019_smtpd_exec">
288: <strong>019: SECURITY FIX: January 30, 2020</strong>
289: <i>All architectures</i>
290: <br>
291: An incorrect check allows an attacker to trick mbox delivery into executing
292: arbitrary commands as root and lmtp delivery into executing arbitrary commands
293: as an unprivileged user.
294: <br>
295: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/019_smtpd_exec.patch.sig">
296: A source code patch exists which remedies this problem.</a>
297: <p>
298:
1.14 tj 299: <li id="p020_vmm_pvclock">
300: <strong>020: SECURITY FIX: February 17, 2020</strong>
301: <i>amd64</i>
302: <br>
303: A missing range check in the vmm pvclock allows a guest to write
304: to host memory.
305: <br>
306: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/020_vmm_pvclock.patch.sig">
307: A source code patch exists which remedies this problem.</a>
308: <p>
309:
1.15 tj 310: <li id="p021_smtpd_envelope">
311: <strong>021: SECURITY FIX: February 24, 2020</strong>
312: <i>All architectures</i>
313: <br>
314: An out-of-bounds read in smtpd allows an attacker to inject arbitrary
315: commands into the envelope file which are then executed as root.
316: Separately, missing privilege revocation in smtpctl allows arbitrary
317: commands to be run with the _smtpq group.
318: <br>
319: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/021_smtpd_envelope.patch.sig">
320: A source code patch exists which remedies this problem.</a>
321: <p>
1.14 tj 322:
1.16 tj 323: <li id="p022_sysctl">
324: <strong>022: RELIABILITY FIX: March 10, 2020</strong>
325: <i>All architectures</i>
326: <br>
327: Missing input validation in sysctl(2) can be used to crash the kernel.
328: <br>
329: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/022_sysctl.patch.sig">
330: A source code patch exists which remedies this problem.</a>
331: <p>
332:
1.17 tj 333: <li id="p023_sosplice">
334: <strong>023: RELIABILITY FIX: March 13, 2020</strong>
335: <i>All architectures</i>
336: <br>
337: Local outbound UDP broadcast or multicast packets sent by a spliced
338: socket can crash the kernel.
339: <br>
340: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/023_sosplice.patch.sig">
341: A source code patch exists which remedies this problem.</a>
342: <p>
343:
1.18 tj 344: <li id="p024_dhcpd">
345: <strong>024: SECURITY FIX: April 7, 2020</strong>
346: <i>All architectures</i>
347: <br>
348: dhcpd could reference freed memory after releasing a lease with an
349: unusually long uid.
350: <br>
351: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/024_dhcpd.patch.sig">
352: A source code patch exists which remedies this problem.</a>
353: <p>
354:
1.19 tj 355: <li id="p025_drm">
356: <strong>025: SECURITY FIX: April 19, 2020</strong>
357: <i>i386, amd64, arm64, loongson, macppc, sparc64</i>
358: <br>
1.20 tj 359: There was an incorrect test for root in the DRM Linux compatibility code.
1.19 tj 360: <br>
361: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/025_drm.patch.sig">
362: A source code patch exists which remedies this problem.</a>
363: <p>
364:
1.23 tj 365: <li id="p026_ospfd_lsa">
366: <strong>026: RELIABILITY FIX: May 10, 2020</strong>
367: <i>All architectures</i>
368: <br>
369: ospfd could generate corrupt OSPF Router (Type 1) LSAs in certain situations.
370: <br>
371: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/026_ospfd_lsa.patch.sig">
372: A source code patch exists which remedies this problem.</a>
373: <p>
374:
1.24 tj 375: <li id="p027_wscons">
376: <strong>027: SECURITY FIX: May 13, 2020</strong>
377: <i>All architectures</i>
378: <br>
379: An out-of-bounds index access in wscons(4) can cause a kernel crash.
380: <br>
381: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/027_wscons.patch.sig">
382: A source code patch exists which remedies this problem.</a>
383: <p>
384:
1.26 tj 385: <li id="p028_unbound">
386: <strong>028: SECURITY FIX: May 22, 2020</strong>
1.25 tj 387: <i>All architectures</i>
388: <br>
389: Specially crafted queries may crash unbound and unwind.
390: Both can be tricked into amplifying an incoming query.
391: <br>
1.26 tj 392: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/028_unbound.patch.sig">
1.25 tj 393: A source code patch exists which remedies this problem.</a>
394: <p>
395:
1.27 tj 396: <li id="p029_perl">
397: <strong>029: SECURITY FIX: June 1, 2020</strong>
398: <i>All architectures</i>
399: <br>
400: Several problems in Perl's regular expression compiler could lead to
401: corruption of the intermediate language state of a compiled regular
402: expression.
403: <br>
404: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/029_perl.patch.sig">
405: A source code patch exists which remedies this problem.</a>
406: <p>
407:
1.28 tj 408: <li id="p030_hid">
409: <strong>030: SECURITY FIX: June 5, 2020</strong>
410: <i>All architectures</i>
411: <br>
412: Malicious HID descriptors could be misparsed.
413: <br>
414: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/030_hid.patch.sig">
415: A source code patch exists which remedies this problem.</a>
416: <p>
417:
1.29 tj 418: <li id="p031_asr">
419: <strong>031: RELIABILITY FIX: June 8, 2020</strong>
420: <i>All architectures</i>
421: <br>
422: libc's resolver could get into a corrupted state.
423: <br>
424: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/031_asr.patch.sig">
425: A source code patch exists which remedies this problem.</a>
426: <p>
427:
1.30 ! tj 428: <li id="p032_x509">
! 429: <strong>032: RELIABILITY FIX: June 11, 2020</strong>
! 430: <i>All architectures</i>
! 431: <br>
! 432: libcrypto may fail to build a valid certificate chain due to
! 433: expired untrusted issuer certificates.
! 434: <br>
! 435: <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/032_x509.patch.sig">
! 436: A source code patch exists which remedies this problem.</a>
! 437: <p>
! 438:
1.1 deraadt 439: </ul>
440:
1.17 tj 441: <hr>