| version 1.3, 2005/03/24 13:09:56 |
version 1.4, 2005/05/17 16:21:22 |
|
|
| <li>Fix <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tcpdump&sektion=8">tcpdump(8)</a>'s <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=bpf&sektion=4">bpf(4)</a> attachment on <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=atw&sektion=4">atw(4)</a> devices. |
<li>Fix <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tcpdump&sektion=8">tcpdump(8)</a>'s <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=bpf&sektion=4">bpf(4)</a> attachment on <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=atw&sektion=4">atw(4)</a> devices. |
| <!-- ^ 20040912 --> |
<!-- ^ 20040912 --> |
| <li><font color="#e00000"><strong>SECURITY FIX: Eilko Bos reported that radius authentication, as implemented by login_radius(8), was not checking the shared secret used for replies sent by the radius server.</strong></font> This could allow an attacker to spoof a reply granting access to the attacker. Note that OpenBSD does not ship with radius authentication enabled.<br> |
<li><font color="#e00000"><strong>SECURITY FIX: Eilko Bos reported that radius authentication, as implemented by login_radius(8), was not checking the shared secret used for replies sent by the radius server.</strong></font> This could allow an attacker to spoof a reply granting access to the attacker. Note that OpenBSD does not ship with radius authentication enabled.<br> |
| <a href="errata.html#radius">A source code patch is available</a>.<br> |
<a href="errata36.html#radius">A source code patch is available</a>.<br> |
| <a href="stable.html"><font color="#00b000">[Applied to stable]</font></a> |
<a href="stable.html"><font color="#00b000">[Applied to stable]</font></a> |
| <!-- ^ 20040911 --> |
<!-- ^ 20040911 --> |
| <li>Bail out of <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=newfs&sektion=8">newfs(8)</a> on errors when making very small filesystems. |
<li>Bail out of <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=newfs&sektion=8">newfs(8)</a> on errors when making very small filesystems. |
|
|
| <!-- ^ 20040909 --> |
<!-- ^ 20040909 --> |
| <li>Stop <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=routed&sektion=8">routed(8)</a> fiddling with routes controlled by <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=bgpd&sektion=8">bgpd(8)</a>. |
<li>Stop <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=routed&sektion=8">routed(8)</a> fiddling with routes controlled by <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=bgpd&sektion=8">bgpd(8)</a>. |
| <li><font color="#e00000"><strong>SECURITY FIX: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=httpd&sektion=8">httpd(8)</a>'s mod_rewrite module can be made to write one zero byte in an arbitrary memory position outside of a char array,</strong></font> causing a DoS or possibly buffer overflows. This would require enabling dbm for mod_rewrite and making use of a malicious dbm file.<br> |
<li><font color="#e00000"><strong>SECURITY FIX: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=httpd&sektion=8">httpd(8)</a>'s mod_rewrite module can be made to write one zero byte in an arbitrary memory position outside of a char array,</strong></font> causing a DoS or possibly buffer overflows. This would require enabling dbm for mod_rewrite and making use of a malicious dbm file.<br> |
| <a href="errata.html#httpd2">A source code patch is available</a>.<br> |
<a href="errata36.html#httpd2">A source code patch is available</a>.<br> |
| <a href="stable.html"><font color="#00b000">[Applied to stable]</font></a> |
<a href="stable.html"><font color="#00b000">[Applied to stable]</font></a> |
| <li>Stop <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=telnetd&sektion=8">telnetd(8)</a> closing the slave fd from <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=openpty&sektion=3">openpty(3)</a> and then reopening it. |
<li>Stop <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=telnetd&sektion=8">telnetd(8)</a> closing the slave fd from <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=openpty&sektion=3">openpty(3)</a> and then reopening it. |
| <!-- ^ 20040908 --> |
<!-- ^ 20040908 --> |
|
|
| <!-- ^ 20040902 --> |
<!-- ^ 20040902 --> |
| <li>Make sure kernfs_xread() isn't called with a negative offset. |
<li>Make sure kernfs_xread() isn't called with a negative offset. |
| <li><font color="#e00000"><strong>SECURITY FIX: Chris Evans reported several flaws (stack and integer overflows) in the Xpm library code that parses image files (CAN-2004-0687, CAN-2004-0688).</strong></font> Some of these would be exploitable when parsing malicious image files in an application that handles XPM images, if they could escape ProPolice.<br> |
<li><font color="#e00000"><strong>SECURITY FIX: Chris Evans reported several flaws (stack and integer overflows) in the Xpm library code that parses image files (CAN-2004-0687, CAN-2004-0688).</strong></font> Some of these would be exploitable when parsing malicious image files in an application that handles XPM images, if they could escape ProPolice.<br> |
| <a href="errata.html#xpm">A source code patch is available</a>.<br> |
<a href="errata36.html#xpm">A source code patch is available</a>.<br> |
| <a href="stable.html"><font color="#00b000">[Applied to stable]</font></a> |
<a href="stable.html"><font color="#00b000">[Applied to stable]</font></a> |
| <!-- ^ 20040901 --> |
<!-- ^ 20040901 --> |
| <li>Stop non-MASTER <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=carp&sektion=4">carp(4)</a> hosts replying to ARP requests, as this upsets some layer 3 switches. |
<li>Stop non-MASTER <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=carp&sektion=4">carp(4)</a> hosts replying to ARP requests, as this upsets some layer 3 switches. |
|
|
| <li>Make sure <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pkg_create&sektion=1">pkg_create(1)</a> keeps track of the current working directory. |
<li>Make sure <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pkg_create&sektion=1">pkg_create(1)</a> keeps track of the current working directory. |
| <!-- ^ 20040827 --> |
<!-- ^ 20040827 --> |
| <li><font color="#e00000"><strong>RELIABILITY FIX: Due to incorrect error handling in zlib an attacker could potentially cause a denial of service attack (CAN-2004-0797).</strong></font><br> |
<li><font color="#e00000"><strong>RELIABILITY FIX: Due to incorrect error handling in zlib an attacker could potentially cause a denial of service attack (CAN-2004-0797).</strong></font><br> |
| <a href="errata.html#libz">A source code patch is available</a>.<br> |
<a href="errata36.html#libz">A source code patch is available</a>.<br> |
| <a href="stable.html"><font color="#00b000">[Applied to stable]</font></a> |
<a href="stable.html"><font color="#00b000">[Applied to stable]</font></a> |
| <!-- ^ 20040826 --> |
<!-- ^ 20040826 --> |
| <li>Have /etc/<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=security&sektion=8">security(8)</a> store a copy of the disklabel and report any changes. |
<li>Have /etc/<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=security&sektion=8">security(8)</a> store a copy of the disklabel and report any changes. |
|
|
| <li>A stack of <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ohci&sektion=4">ohci(4)</a> fixes from NetBSD. |
<li>A stack of <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ohci&sektion=4">ohci(4)</a> fixes from NetBSD. |
| <!-- ^ 20040811 --> |
<!-- ^ 20040811 --> |
| <li><font color="#e00000"><strong>RELIABILITY FIX: Improved verification of ICMP errors in order to minimize the impact of ICMP attacks against TCP.</strong></font><br> |
<li><font color="#e00000"><strong>RELIABILITY FIX: Improved verification of ICMP errors in order to minimize the impact of ICMP attacks against TCP.</strong></font><br> |
| <a href="errata.html#icmp">A source code patch is available</a>.<br> |
<a href="errata36.html#icmp">A source code patch is available</a>.<br> |
| <a href="stable.html"><font color="#00b000">[Applied to stable]</font></a> |
<a href="stable.html"><font color="#00b000">[Applied to stable]</font></a> |
| <li>Show the difference between the expected and received IP checksum in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tcpdump&sektion=8">tcpdump(8)</a>. |
<li>Show the difference between the expected and received IP checksum in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tcpdump&sektion=8">tcpdump(8)</a>. |
| <li>Now that <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tcpdump&sektion=8">tcpdump(8)</a> decodes the IP fragment returned in an ICMP error message, allow the TCP parser to print the source and destination ports from incomplete TCP headers. |
<li>Now that <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tcpdump&sektion=8">tcpdump(8)</a> decodes the IP fragment returned in an ICMP error message, allow the TCP parser to print the source and destination ports from incomplete TCP headers. |
|
|
| <!-- ^ 20040706 --> |
<!-- ^ 20040706 --> |
| <li>Keep track of historical offset and delay values in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ntpd&sektion=8">ntpd(8)</a>, for later use in filtering. |
<li>Keep track of historical offset and delay values in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ntpd&sektion=8">ntpd(8)</a>, for later use in filtering. |
| <li><font color="#e00000"><strong>RELIABILITY FIX: Under certain network load the kernel can run out of stack space.</strong></font> This was encountered in an environment using CARP on a VLAN interface. this issue initially manifested itself as an FPU-related crash on bootup.<br> |
<li><font color="#e00000"><strong>RELIABILITY FIX: Under certain network load the kernel can run out of stack space.</strong></font> This was encountered in an environment using CARP on a VLAN interface. this issue initially manifested itself as an FPU-related crash on bootup.<br> |
| <a href="errata.html#rnd">A source code patch is available</a>.<br> |
<a href="errata36.html#rnd">A source code patch is available</a>.<br> |
| <a href="stable.html"><font color="#00b000">[Applied to stable]</font></a> |
<a href="stable.html"><font color="#00b000">[Applied to stable]</font></a> |
| <li>Fix a segfault in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=routed&sektion=8">routed(8)</a> with <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=rtquery&sektion=8">rtquery(8)</a> messages from a non-local host (PR#3841). |
<li>Fix a segfault in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=routed&sektion=8">routed(8)</a> with <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=rtquery&sektion=8">rtquery(8)</a> messages from a non-local host (PR#3841). |
| <li>Fix <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ntpd&sektion=8">ntpd(8)</a>'s conversion from seconds to microseconds. |
<li>Fix <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ntpd&sektion=8">ntpd(8)</a>'s conversion from seconds to microseconds. |
|
|
| <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488">CAN-2004-0488</a>: Stack-based buffer overflow ... in mod_ssl, when mod_ssl is configured to trust the issuing CA, may allow attackers to execute arbitrary code via a client certificate with a long subject DN. |
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488">CAN-2004-0488</a>: Stack-based buffer overflow ... in mod_ssl, when mod_ssl is configured to trust the issuing CA, may allow attackers to execute arbitrary code via a client certificate with a long subject DN. |
| <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0492">CAN-2004-0492</a>: [mod_proxy] Reject responses from a remote server if sent an invalid (negative) Content-Length: header. |
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0492">CAN-2004-0492</a>: [mod_proxy] Reject responses from a remote server if sent an invalid (negative) Content-Length: header. |
| </ul> |
</ul> |
| <a href="errata.html#httpd">A source code patch is available</a>.<br> |
<a href="errata36.html#httpd">A source code patch is available</a>.<br> |
| <a href="stable.html"><font color="#00b000">[Applied to stable]</font></a> |
<a href="stable.html"><font color="#00b000">[Applied to stable]</font></a> |
| <li><font color="#e00000"><strong>SECURITY FIX: As <a href="http://seclists.org/lists/fulldisclosure/2004/Jun/0191.html">disclosed</a> by Thomas Walpuski, <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd&sektion=8">isakmpd(8)</a> is still vulnerable to unauthorized SA deletion.</strong></font> An attacker can delete IPsec tunnels at will.<br> |
<li><font color="#e00000"><strong>SECURITY FIX: As <a href="http://seclists.org/lists/fulldisclosure/2004/Jun/0191.html">disclosed</a> by Thomas Walpuski, <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd&sektion=8">isakmpd(8)</a> is still vulnerable to unauthorized SA deletion.</strong></font> An attacker can delete IPsec tunnels at will.<br> |
| <a href="errata.html#isakmpd">A source code patch is available</a>.<br> |
<a href="errata36.html#isakmpd">A source code patch is available</a>.<br> |
| <a href="stable.html"><font color="#00b000">[Applied to stable]</font></a> |
<a href="stable.html"><font color="#00b000">[Applied to stable]</font></a> |
| <li>Add src/lib/libintl and libc i18n directories to the repository. |
<li>Add src/lib/libintl and libc i18n directories to the repository. |
| <!-- ^ 20040610 --> |
<!-- ^ 20040610 --> |
|
|
| <li>Fix IPv4 name-to-address translation, so invalid octet values won't be accepted and CIDR address/mask pairs finally work the way one expects. |
<li>Fix IPv4 name-to-address translation, so invalid octet values won't be accepted and CIDR address/mask pairs finally work the way one expects. |
| <li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tcpdump&sektion=8">tcpdump(8)</a>'s privsep <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=localtime&sektion=3">localtime(3)</a> replacement, deal better with timezones with granularity of less than one hour. |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tcpdump&sektion=8">tcpdump(8)</a>'s privsep <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=localtime&sektion=3">localtime(3)</a> replacement, deal better with timezones with granularity of less than one hour. |
| <li><font color="#e00000"><strong>SECURITY FIX: Multiple remote vulnerabilities have been found in the <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=cvs&sektion=1">cvs(1)</a> server</strong></font> that will allow an attacker to crash the server or possibly execute arbitrary code with the same privileges as the CVS server program.<br> |
<li><font color="#e00000"><strong>SECURITY FIX: Multiple remote vulnerabilities have been found in the <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=cvs&sektion=1">cvs(1)</a> server</strong></font> that will allow an attacker to crash the server or possibly execute arbitrary code with the same privileges as the CVS server program.<br> |
| <a href="errata.html#cvs3">A source code patch is available</a>. |
<a href="errata36.html#cvs3">A source code patch is available</a>. |
| <li>On i386 (ppro and above), use the calibrated value for the CPU speed over the value returned by the CPU itself, fixing PR#3814. |
<li>On i386 (ppro and above), use the calibrated value for the CPU speed over the value returned by the CPU itself, fixing PR#3814. |
| <li>Use a dynamically allocated array of pollfds in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=bgpd&sektion=8">bgpd(8)</a>. |
<li>Use a dynamically allocated array of pollfds in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=bgpd&sektion=8">bgpd(8)</a>. |
| <li>Try to prevent <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd&sektion=8">isakmpd(8)</a> deleting SAs on receipt of malicious IKE messages. |
<li>Try to prevent <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd&sektion=8">isakmpd(8)</a> deleting SAs on receipt of malicious IKE messages. |
|
|
| <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020">CAN-2003-0020</a>: Apache does not filter terminal escape sequences from its error logs. |
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020">CAN-2003-0020</a>: Apache does not filter terminal escape sequences from its error logs. |
| <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0987">CAN-2003-0987</a>: Apache mod_digest does not properly verify the nonce of a client response by using an AuthNonce secret. |
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0987">CAN-2003-0987</a>: Apache mod_digest does not properly verify the nonce of a client response by using an AuthNonce secret. |
| </ul> |
</ul> |
| <a href="errata.html#httpd">A source code patch is available</a>.<br> |
<a href="errata36.html#httpd">A source code patch is available</a>.<br> |
| <a href="stable.html"><font color="#00b000">[Applied to stable]</font></a> |
<a href="stable.html"><font color="#00b000">[Applied to stable]</font></a> |
| <!-- ^ 20040607 --> |
<!-- ^ 20040607 --> |
| <li>Out-of-line <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=spl&sektion=9">spl(9)</a> functions in SMP on i386, mirroring the UP change to fix VFS corruption. |
<li>Out-of-line <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=spl&sektion=9">spl(9)</a> functions in SMP on i386, mirroring the UP change to fix VFS corruption. |
|
|
| <li>Let <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ipsecadm&sektion=8">ipsecadm(8)</a> delete tcpmd5 SAs. |
<li>Let <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ipsecadm&sektion=8">ipsecadm(8)</a> delete tcpmd5 SAs. |
| <li>Fix <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ipsecadm&sektion=8">ipsecadm(8)</a> so that <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ipcomp&sektion=4">ipcomp(4)</a> can be used. |
<li>Fix <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ipsecadm&sektion=8">ipsecadm(8)</a> so that <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ipcomp&sektion=4">ipcomp(4)</a> can be used. |
| <li><font color="#e00000"><strong>SECURITY FIX: With the introduction of IPv6 code in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=xdm&sektion=1">xdm(1)</a>, one test on the 'requestPort' resource was deleted by accident.</strong></font> This makes xdm create the chooser socket even if XDMCP is disabled in xdm-config, by setting requestPort to 0. See <a href="http://bugs.xfree86.org/show_bug.cgi?id=1376">XFree86 bugzilla</a> for details.<br> |
<li><font color="#e00000"><strong>SECURITY FIX: With the introduction of IPv6 code in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=xdm&sektion=1">xdm(1)</a>, one test on the 'requestPort' resource was deleted by accident.</strong></font> This makes xdm create the chooser socket even if XDMCP is disabled in xdm-config, by setting requestPort to 0. See <a href="http://bugs.xfree86.org/show_bug.cgi?id=1376">XFree86 bugzilla</a> for details.<br> |
| <a href="errata.html#xdm">A source code patch is available</a>.<br> |
<a href="errata36.html#xdm">A source code patch is available</a>.<br> |
| <a href="stable.html"><font color="#00b000">[Applied to stable]</font></a> |
<a href="stable.html"><font color="#00b000">[Applied to stable]</font></a> |
| <li>Fix a boot-time crasher in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ahd&sektion=4">ahd(4)</a>. |
<li>Fix a boot-time crasher in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ahd&sektion=4">ahd(4)</a>. |
| <li>Add (to i386 and amd64) <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ehci&sektion=4">ehci(4)</a>, a USB Enhanced Host Controller Interface driver, for USB 2.0 support. |
<li>Add (to i386 and amd64) <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ehci&sektion=4">ehci(4)</a>, a USB Enhanced Host Controller Interface driver, for USB 2.0 support. |
|
|
| <li>Allow anchors within anchors in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf&sektion=4">pf(4)</a>. More work to come. |
<li>Allow anchors within anchors in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf&sektion=4">pf(4)</a>. More work to come. |
| <li>Don't recursively call nd6_output() when route allocation fails, just return a host unreachable error. |
<li>Don't recursively call nd6_output() when route allocation fails, just return a host unreachable error. |
| <li><font color="#e00000"><strong>SECURITY FIX: A heap overflow in the <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=cvs&sektion=1">cvs(1)</a> server has been discovered that can be exploited by clients sending malformed requests.</strong></font> These clients can then run arbitrary code with the same privileges as the CVS server program.<br> |
<li><font color="#e00000"><strong>SECURITY FIX: A heap overflow in the <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=cvs&sektion=1">cvs(1)</a> server has been discovered that can be exploited by clients sending malformed requests.</strong></font> These clients can then run arbitrary code with the same privileges as the CVS server program.<br> |
| <a href="errata.html#cvs2">A source code patch is available</a>.<br> |
<a href="errata36.html#cvs2">A source code patch is available</a>.<br> |
| <a href="stable.html"><font color="#00b000">[Applied to stable]</font></a> |
<a href="stable.html"><font color="#00b000">[Applied to stable]</font></a> |
| <li>Allow symbolic service- and protocol names in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd&sektion=8">isakmpd(8)</a>, so e.g. "Protocol=tcp" now works. |
<li>Allow symbolic service- and protocol names in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd&sektion=8">isakmpd(8)</a>, so e.g. "Protocol=tcp" now works. |
| <li><font color="#e00000"><strong>SECURITY FIX: A flaw in the Kerberos V <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=kdc&sektion=8">kdc(8)</a> server could result in the administrator of a Kerberos realm having the ability to impersonate any principal in any other realm which has established a cross-realm trust with their realm.</strong></font> The flaw is due to inadequate checking of the "transited" field in a Kerberos request. For more details see <a href="http://www.pdc.kth.se/heimdal/advisory/2004-04-01/">Heimdal's announcement</a>.<br> |
<li><font color="#e00000"><strong>SECURITY FIX: A flaw in the Kerberos V <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=kdc&sektion=8">kdc(8)</a> server could result in the administrator of a Kerberos realm having the ability to impersonate any principal in any other realm which has established a cross-realm trust with their realm.</strong></font> The flaw is due to inadequate checking of the "transited" field in a Kerberos request. For more details see <a href="http://www.pdc.kth.se/heimdal/advisory/2004-04-01/">Heimdal's announcement</a>.<br> |
| <a href="errata.html#kerberos">A source code patch is available</a>.<br> |
<a href="errata36.html#kerberos">A source code patch is available</a>.<br> |
| <a href="stable.html"><font color="#00b000">[Applied to stable]</font></a> |
<a href="stable.html"><font color="#00b000">[Applied to stable]</font></a> |
| <li>Add word boundary tests to the regexes that find @-commands in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pkg_add&sektion=1">pkg_add(1)</a> etc. packing lists. |
<li>Add word boundary tests to the regexes that find @-commands in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pkg_add&sektion=1">pkg_add(1)</a> etc. packing lists. |
| <li>Fix SIGINT handling in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1">sftp(1)</a>. |
<li>Fix SIGINT handling in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1">sftp(1)</a>. |
|
|
| <li>Add strchr() and strrchr() to libkern. |
<li>Add strchr() and strrchr() to libkern. |
| <!-- ^ 20040506 --> |
<!-- ^ 20040506 --> |
| <li><font color="#e00000"><strong>SECURITY FIX: Check for integer overflow in procfs.</strong></font> Use of procfs is not recommended.<br> |
<li><font color="#e00000"><strong>SECURITY FIX: Check for integer overflow in procfs.</strong></font> Use of procfs is not recommended.<br> |
| <a href="errata.html#procfs">A source code patch is available</a>.<br> |
<a href="errata36.html#procfs">A source code patch is available</a>.<br> |
| <a href="stable.html"><font color="#00b000">[Applied to stable]</font></a> |
<a href="stable.html"><font color="#00b000">[Applied to stable]</font></a> |
| <li>When a <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf&sektion=4">pf(4)</a> scrub rule with the 'reassemble tcp' option is in effect, use RFC1913 PAWS as a means of extending the TCP sequence space by 10 to 18 bits. This makes blind insertion attacks much more difficult, because the timestamp needs to be guessed as well as the TCP sequence number. |
<li>When a <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf&sektion=4">pf(4)</a> scrub rule with the 'reassemble tcp' option is in effect, use RFC1913 PAWS as a means of extending the TCP sequence space by 10 to 18 bits. This makes blind insertion attacks much more difficult, because the timestamp needs to be guessed as well as the TCP sequence number. |
| <li>Sprinkle <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=strtonum&sektion=3">strtonum(3)</a> liberally all over <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ifconfig&sektion=8">ifconfig(8)</a>. |
<li>Sprinkle <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=strtonum&sektion=3">strtonum(3)</a> liberally all over <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ifconfig&sektion=8">ifconfig(8)</a>. |
|
|
| <li>Sync the <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=em&sektion=4">em(4)</a> driver with FreeBSD. |
<li>Sync the <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=em&sektion=4">em(4)</a> driver with FreeBSD. |
| <li>Tidy up <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=usb&sektion=4">usb(4)</a> kernel configs in line with recent i386 changes. |
<li>Tidy up <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=usb&sektion=4">usb(4)</a> kernel configs in line with recent i386 changes. |
| <li><font color="#e00000"><strong>RELIABILITY FIX: Restore the ability to negotiate tags/wide/sync with some SCSI controllers</strong></font> (<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=siop&sektion=4">siop(4)</a>, <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=trm&sektion=4">trm(4)</a> and <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=iha&sektion=4">iha(4)</a>).<br> |
<li><font color="#e00000"><strong>RELIABILITY FIX: Restore the ability to negotiate tags/wide/sync with some SCSI controllers</strong></font> (<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=siop&sektion=4">siop(4)</a>, <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=trm&sektion=4">trm(4)</a> and <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=iha&sektion=4">iha(4)</a>).<br> |
| <a href="errata.html#scsi">A source code patch is available</a>.<br> |
<a href="errata36.html#scsi">A source code patch is available</a>.<br> |
| <a href="stable.html"><font color="#00b000">[Applied to stable]</font></a> |
<a href="stable.html"><font color="#00b000">[Applied to stable]</font></a> |
| <li>Since <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dhcpd&sektion=8">dhcpd(8)</a> can now be invoked legitimately without an interface, don't abort when the user doesn't give any options. |
<li>Since <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dhcpd&sektion=8">dhcpd(8)</a> can now be invoked legitimately without an interface, don't abort when the user doesn't give any options. |
| <!-- ^ 20040418 --> |
<!-- ^ 20040418 --> |
|
|
| <li>Undo a non-fix in shared memory <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sysctl&sektion=3">sysctl(3)</a> kern.shminfo.shmmni.<br> |
<li>Undo a non-fix in shared memory <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sysctl&sektion=3">sysctl(3)</a> kern.shminfo.shmmni.<br> |
| <a href="stable.html"><font color="#00b000">[Applied to stable]</font></a> |
<a href="stable.html"><font color="#00b000">[Applied to stable]</font></a> |
| <font color="#e00000"><strong>SECURITY FIX: Pathname validation problems have been found in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=cvs&sektion=1">cvs(1)</a></strong></font>, allowing malicious clients to create files outside the repository, allowing malicious servers to overwrite files outside the local CVS tree on the client and allowing clients to check out files outside the CVS repository.<br> |
<font color="#e00000"><strong>SECURITY FIX: Pathname validation problems have been found in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=cvs&sektion=1">cvs(1)</a></strong></font>, allowing malicious clients to create files outside the repository, allowing malicious servers to overwrite files outside the local CVS tree on the client and allowing clients to check out files outside the CVS repository.<br> |
| <a href="errata.html#cvs">A source code patch is available</a>.<br> |
<a href="errata36.html#cvs">A source code patch is available</a>.<br> |
| <a href="stable.html"><font color="#00b000">[Applied to stable]</font></a> |
<a href="stable.html"><font color="#00b000">[Applied to stable]</font></a> |
| <li>Some address family agnosticism in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=bgpd&sektion=8">bgpd(8)</a>. |
<li>Some address family agnosticism in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=bgpd&sektion=8">bgpd(8)</a>. |
| <li>Let <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=bgpctl&sektion=8">bgpctl(8)</a> show IPv6 peer addresses in neighbour view. |
<li>Let <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=bgpctl&sektion=8">bgpctl(8)</a> show IPv6 peer addresses in neighbour view. |
|
|
| <li>Implement a rate limit for TCP ACKs of 100pps, and use this more general mechanism for in-window SYN handling too. |
<li>Implement a rate limit for TCP ACKs of 100pps, and use this more general mechanism for in-window SYN handling too. |
| <li>Safely handle aborts in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=malloc&sektion=3">malloc(3)</a> etc. without tripping the recursive call handler by mistake. |
<li>Safely handle aborts in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=malloc&sektion=3">malloc(3)</a> etc. without tripping the recursive call handler by mistake. |
| <li><font color="#e00000"><strong>RELIABILITY FIX: Under load "recent model" gdt(4) controllers will lock up.</strong></font><br> |
<li><font color="#e00000"><strong>RELIABILITY FIX: Under load "recent model" gdt(4) controllers will lock up.</strong></font><br> |
| <a href="errata.html#gdt">A source code patch is available</a>.<br> |
<a href="errata36.html#gdt">A source code patch is available</a>.<br> |
| <a href="stable.html"><font color="#00b000">[Applied to stable]</font></a> |
<a href="stable.html"><font color="#00b000">[Applied to stable]</font></a> |
| <!-- ^ 20040412 --> |
<!-- ^ 20040412 --> |
| <li>Fix an accidental busy-wait in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sensorsd&sektion=8">sensorsd(8)</a>. |
<li>Fix an accidental busy-wait in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sensorsd&sektion=8">sensorsd(8)</a>. |
|
|
| <li>Under Linux emulation, pass <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=madvise&sektion=2">madvise(2)</a> straight through to the native syscall. |
<li>Under Linux emulation, pass <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=madvise&sektion=2">madvise(2)</a> straight through to the native syscall. |
| <!-- ^ 20040405 --> |
<!-- ^ 20040405 --> |
| <li><font color="#e00000"><strong>RELIABILITY FIX: Reply to in-window SYN with a rate-limited ACK.</strong></font><br> |
<li><font color="#e00000"><strong>RELIABILITY FIX: Reply to in-window SYN with a rate-limited ACK.</strong></font><br> |
| <a href="errata.html#tcp">A source code patch is available</a>.<br> |
<a href="errata36.html#tcp">A source code patch is available</a>.<br> |
| <a href="stable.html"><font color="#00b000">[Applied to stable]</font></a> |
<a href="stable.html"><font color="#00b000">[Applied to stable]</font></a> |
| <li>Don't try to recreate the <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=xfs&sektion=1">xfs(1)</a> logfile after dropping privileges. |
<li>Don't try to recreate the <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=xfs&sektion=1">xfs(1)</a> logfile after dropping privileges. |
| <li>Don't abort <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=xfs&sektion=1">xfs(1)</a> gracelessly when handling an unimplemented protocol request. |
<li>Don't abort <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=xfs&sektion=1">xfs(1)</a> gracelessly when handling an unimplemented protocol request. |
![[BACK]](/icons/back.gif){kind=icon}
Return to plus36.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www