
Diff for /www/security.html between version 1.293 and 1.294

version 1.293, 2004/06/12 23:43:14 version 1.294, 2004/06/16 01:06:19
Line 1 
Line 1 
 <!DOCTYPE HTML PUBLIC  "-//IETF//DTD HTML Strict//EN">  <!DOCTYPE HTML PUBLIC  "-//W3C//DTD HTML 4.01 Transitional//EN"
           "http://www.w3.org/TR/html4/loose.dtd">
 <html>  <html>
 <head>  <head>
 <title>OpenBSD Security</title>  <title>OpenBSD Security</title>
 <link rev=made href=mailto:www@openbsd.org>  <link rev=made href="mailto:www@openbsd.org">
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
 <meta name="resource-type" content="document">  <meta name="resource-type" content="document">
 <meta name="description" content="OpenBSD advisories">  <meta name="description" content="OpenBSD advisories">
 <meta name="keywords" content="openbsd,main">  <meta name="keywords" content="openbsd,main">
Line 13 
Line 15 
 <body bgcolor="#ffffff" text="#000000" link="#23238E">  <body bgcolor="#ffffff" text="#000000" link="#23238E">
 <a href="index.html"><img alt="[OpenBSD]" height="30" width="141" src="images/smalltitle.gif" border="0"></a>  <a href="index.html"><img alt="[OpenBSD]" height="30" width="141" src="images/smalltitle.gif" border="0"></a>
 <p>  <p>
 <h2><font color=#e00000>Security</font><hr></h2>  <h2><font color="#e00000">Security</font></h2>
   <hr>
   
 <table width="100%">  <table width="100%">
 <tr>  <tr>
Line 23 
Line 26 
 </tr>  </tr>
 <tr>  <tr>
 <td valign="top">  <td valign="top">
 <a href=#goals>Security goals of the Project</a>.<br>  <a href="#goals">Security goals of the Project</a>.<br>
 <a href=#disclosure>Full Disclosure policy</a>.<br>  <a href="#disclosure">Full Disclosure policy</a>.<br>
 <a href=#process>Source code auditing process</a>.<br>  <a href="#process">Source code auditing process</a>.<br>
 <a href=#default>"Secure by Default"</a>.<br>  <a href="#default">"Secure by Default"</a>.<br>
 <a href=#crypto>Use of Cryptography</a>.<br>  <a href="#crypto">Use of Cryptography</a>.<br>
 <p>  <p>
 <a href=#watching>Watching changes</a>.<br>  <a href="#watching">Watching changes</a>.<br>
 <a href=#reporting>Reporting security issues</a>.<br>  <a href="#reporting">Reporting security issues</a>.<br>
 <a href=#papers>Further Reading</a><br>  <a href="#papers">Further Reading</a><br>
 <p>  <p>
 </td>  </td>
 <td valign="top">  <td valign="top">
Line 57 
Line 60 
 </table>  </table>
 <hr>  <hr>
   
 <ul>  
 <a name="goals"></a>  <a name="goals"></a>
 <li><h3><font color=#e00000>Goal</font></h3><p>  <ul>
   <li><h3><font color="#e00000">Goal</font></h3><p>
   
 OpenBSD believes in strong security.  Our aspiration is to be NUMBER  OpenBSD believes in strong security.  Our aspiration is to be NUMBER
 ONE in the industry for security (if we are not already there).  Our  ONE in the industry for security (if we are not already there).  Our
Line 71 
Line 74 
 fixing security problems.<p>  fixing security problems.<p>
   
 <a name="disclosure"></a>  <a name="disclosure"></a>
 <li><h3><font color=#e00000>Full Disclosure</font></h3><p>  <li><h3><font color="#e00000">Full Disclosure</font></h3><p>
   
 Like many readers of the  Like many readers of the
 <a href="http://online.securityfocus.com/archive/1">  <a href="http://online.securityfocus.com/archive/1">
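Review bot: `<a name="disclosure"></a>` still precedes the `<li>` it names, so with the optional `</li>` omitted it parses as trailing content of the previous item rather than as part of the "Full Disclosure" item. The previous hunk reordered `<ul>` and the `goals` anchor; for consistency put each of the remaining anchors (`disclosure`, and `process`, `newtech`, `default`, `crypto` further down) inside its own `<li>`, for example inside the `<h3>`.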
Line 88 
Line 91 
 people who really care about security.<p>  people who really care about security.<p>
   
 <a name="process"></a>  <a name="process"></a>
 <li><h3><font color=#e00000>Audit Process</font></h3><p>  <li><h3><font color="#e00000">Audit Process</font></h3><p>
   
 Our security auditing team typically has between six and twelve  Our security auditing team typically has between six and twelve
 members who continue to search for and fix new security holes.  We  members who continue to search for and fix new security holes.  We
Line 131 
Line 134 
 <p>  <p>
   
 <a name="newtech"></a>  <a name="newtech"></a>
 <li><h3><font color=#e00000>New Technologies</font></h3><p>  <li><h3><font color="#e00000">New Technologies</font></h3><p>
   
 As we audit source code, we often invent new ways of solving problems.  As we audit source code, we often invent new ways of solving problems.
 Sometimes these ideas have been used before in some random application  Sometimes these ideas have been used before in some random application
Line 158 
Line 161 
 </ul>  </ul>
 <p>  <p>
   
 <li><h3><font color=#e00000>The Reward</font></h3><p>  <li><h3><font color="#e00000">The Reward</font></h3><p>
   
 Our proactive auditing process has really paid off.  Statements like  Our proactive auditing process has really paid off.  Statements like
 ``This problem was fixed in OpenBSD about 6 months ago'' have become  ``This problem was fixed in OpenBSD about 6 months ago'' have become
Line 191 
Line 194 
 to find and fix new security flaws.<p>  to find and fix new security flaws.<p>
   
 <a name="default"></a>  <a name="default"></a>
 <li><h3><font color=#e00000>"Secure by Default"</font></h3><p>  <li><h3><font color="#e00000">"Secure by Default"</font></h3><p>
   
 To ensure that novice users of OpenBSD do not need to become security  To ensure that novice users of OpenBSD do not need to become security
 experts overnight (a viewpoint which other vendors seem to have), we  experts overnight (a viewpoint which other vendors seem to have), we
Line 207 
Line 210 
 within minutes after their first install.<p>  within minutes after their first install.<p>
   
 <a name="crypto"></a>  <a name="crypto"></a>
 <li><h3><font color=#e00000>Cryptography</font></h3><p>  <li><h3><font color="#e00000">Cryptography</font></h3><p>
   
 And of course, since the OpenBSD project is based in Canada, it is possible  And of course, since the OpenBSD project is based in Canada, it is possible
 for us to integrate cryptography.  For more information, read the page  for us to integrate cryptography.  For more information, read the page
 outlining <a href=crypto.html>what we have done with cryptography</a>.</p>  outlining <a href=crypto.html>what we have done with cryptography</a>.</p>
   
 <li><h3><font color=#e00000>Advisories</font></h3><p>  <li><h3><font color="#e00000">Advisories</font></h3><p>
   
 <li>  <li>
 <a name="35"></a>  <a name="35"></a>
   
 <h3><font color=#e00000>OpenBSD 3.5 Security Advisories</font></h3>  <h3><font color="#e00000">OpenBSD 3.5 Security Advisories</font></h3>
 These are the OpenBSD 3.5 advisories -- all these problems are solved  These are the OpenBSD 3.5 advisories -- all these problems are solved
 in <a href=anoncvs.html>OpenBSD current</a> and the  in <a href=anoncvs.html>OpenBSD current</a> and the
 <a href=stable.html>patch branch</a>.  <a href=stable.html>patch branch</a>.
   
 <p>  <p>
 <ul>  <ul>
 <li><a href=errata.html#httpd> Jun 12, 2004:  <li><a href="errata.html#httpd"> Jun 12, 2004:
         Multiple vulnerabilites have been found in httpd(8) / mod_ssl.</a>          Multiple vulnerabilites have been found in httpd(8) / mod_ssl.</a>
 <li><a href=errata.html#isakmpd> Jun 10, 2004:  <li><a href="errata.html#isakmpd"> Jun 10, 2004:
         isakmpd(8) still has issues with unauthorized SA deletion,          isakmpd(8) still has issues with unauthorized SA deletion,
         an attacker can delete IPsec tunnels at will.</a>          an attacker can delete IPsec tunnels at will.</a>
 <li><a href=errata.html#cvs3> Jun 9, 2004:  <li><a href="errata.html#cvs3"> Jun 9, 2004:
         Multiple remote vulnerabilities have been found in the cvs(1)          Multiple remote vulnerabilities have been found in the cvs(1)
         server which can be used by CVS clients to crash or execute          server which can be used by CVS clients to crash or execute
         arbitrary code on the server.</a>          arbitrary code on the server.</a>
 <li><a href=errata.html#kerberos> May 30, 2004:  <li><a href="errata.html#kerberos"> May 30, 2004:
         kdc(8) performs inadequate checking of request fields, leading          kdc(8) performs inadequate checking of request fields, leading
         to the possibility of principal impersonation from other          to the possibility of principal impersonation from other
         Kerberos realms if they are trusted with a cross-realm trust.</a>          Kerberos realms if they are trusted with a cross-realm trust.</a>
 <li><a href=errata.html#xdm> May 26, 2004:  <li><a href="errata.html#xdm"> May 26, 2004:
         xdm(1) ignores the requestPort resource and creates a          xdm(1) ignores the requestPort resource and creates a
         listening socket regardless of the setting in xdm-config.</a>          listening socket regardless of the setting in xdm-config.</a>
 <li><a href=errata.html#cvs2> May 20, 2004:  <li><a href="errata.html#cvs2"> May 20, 2004:
         A buffer overflow in the cvs(1) server has been found,          A buffer overflow in the cvs(1) server has been found,
         which can be used by CVS clients to execute arbitrary code on          which can be used by CVS clients to execute arbitrary code on
         the server.</a>          the server.</a>
 <li><a href=errata.html#procfs> May 13, 2004:  <li><a href="errata.html#procfs"> May 13, 2004:
         Integer overflow problems were found in procfs, allowing          Integer overflow problems were found in procfs, allowing
         reading of arbitrary kernel memory.</a>          reading of arbitrary kernel memory.</a>
 <li><a href=errata.html#cvs> May 5, 2004:  <li><a href="errata.html#cvs"> May 5, 2004:
         Pathname validation problems have been found in cvs(1),          Pathname validation problems have been found in cvs(1),
         allowing clients and servers access to files outside the          allowing clients and servers access to files outside the
         repository or local CVS tree.</a>          repository or local CVS tree.</a>
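Review bot: attribute quoting is applied unevenly in this hunk: `href=crypto.html`, `href=anoncvs.html` and `href=stable.html` stay unquoted in the new revision, while the same `anoncvs.html` and `stable.html` links are quoted in the 3.4 block below. These values are legal unquoted, but the commit quotes every other attribute, so quote them too. The link text "Multiple vulnerabilites" in the httpd(8) entry is also misspelled and could be fixed in the same pass (it recurs in the 3.4 list).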
Line 258 
Line 261 
 <li>  <li>
 <a name="34"></a>  <a name="34"></a>
   
 <h3><font color=#e00000>OpenBSD 3.4 Security Advisories</font></h3>  <h3><font color="#e00000">OpenBSD 3.4 Security Advisories</font></h3>
 These are the OpenBSD 3.4 advisories -- all these problems are solved  These are the OpenBSD 3.4 advisories -- all these problems are solved
 in <a href=anoncvs.html>OpenBSD current</a> and the  in <a href="anoncvs.html">OpenBSD current</a> and the
 <a href=stable.html>patch branch</a>.  <a href="stable.html">patch branch</a>.
   
 <p>  <p>
 <ul>  <ul>
 <li><a href=errata34.html#httpd3> Jun 12, 2004:  <li><a href="errata34.html#httpd3"> Jun 12, 2004:
         Multiple vulnerabilites have been found in httpd(8) / mod_ssl.</a>          Multiple vulnerabilites have been found in httpd(8) / mod_ssl.</a>
 <li><a href=errata34.html#isakmpd3> Jun 10, 2004:  <li><a href="errata34.html#isakmpd3"> Jun 10, 2004:
         isakmpd(8) still has issues with unauthorized SA deletion,          isakmpd(8) still has issues with unauthorized SA deletion,
         an attacker can delete IPsec tunnels at will.</a>          an attacker can delete IPsec tunnels at will.</a>
 <li><a href=errata34.html#cvs3> Jun 9, 2004:  <li><a href="errata34.html#cvs3"> Jun 9, 2004:
         Multiple remote vulnerabilities have been found in the cvs(1)          Multiple remote vulnerabilities have been found in the cvs(1)
         server which can be used by CVS clients to crash or execute          server which can be used by CVS clients to crash or execute
         arbitrary code on the server.</a>          arbitrary code on the server.</a>
 <li><a href=errata34.html#kerberos> May 30, 2004:  <li><a href="errata34.html#kerberos"> May 30, 2004:
         kdc(8) performs inadequate checking of request fields, leading          kdc(8) performs inadequate checking of request fields, leading
         to the possibility of principal impersonation from other          to the possibility of principal impersonation from other
         Kerberos realms if they are trusted with a cross-realm trust.</a>          Kerberos realms if they are trusted with a cross-realm trust.</a>
 <li><a href=errata34.html#cvs2> May 20, 2004:  <li><a href="errata34.html#cvs2"> May 20, 2004:
         A buffer overflow in the cvs(1) server has been found,          A buffer overflow in the cvs(1) server has been found,
         which can be used by CVS clients to execute arbitrary code on          which can be used by CVS clients to execute arbitrary code on
         the server.</a>          the server.</a>
 <li><a href=errata34.html#procfs> May 13, 2004:  <li><a href="errata34.html#procfs"> May 13, 2004:
         Integer overflow problems were found in procfs, allowing          Integer overflow problems were found in procfs, allowing
         reading of arbitrary kernel memory.</a>          reading of arbitrary kernel memory.</a>
 <li><a href=errata34.html#cvs> May 5, 2004:  <li><a href="errata34.html#cvs"> May 5, 2004:
         Pathname validation problems have been found in cvs(1),          Pathname validation problems have been found in cvs(1),
         allowing clients and servers access to files outside the          allowing clients and servers access to files outside the
         repository or local CVS tree.</a>          repository or local CVS tree.</a>
 <li><a href=errata34.html#openssl> March 17, 2004:  <li><a href="errata34.html#openssl"> March 17, 2004:
         A missing check for a NULL-pointer dereference may allow a          A missing check for a NULL-pointer dereference may allow a
         remote attacker to crash applications using OpenSSL.</a>          remote attacker to crash applications using OpenSSL.</a>
 <li><a href=errata34.html#isakmpd2> March 17, 2004:  <li><a href="errata34.html#isakmpd2"> March 17, 2004:
         Defects in the payload validation and processing functions of          Defects in the payload validation and processing functions of
         isakmpd have been discovered. An attacker could send malformed          isakmpd have been discovered. An attacker could send malformed
         ISAKMP messages and cause isakmpd to crash or to loop endlessly.</a>          ISAKMP messages and cause isakmpd to crash or to loop endlessly.</a>
 <li><a href=errata34.html#httpd2> March 13, 2004:  <li><a href="errata34.html#httpd2"> March 13, 2004:
         Due to a bug in the parsing of Allow/Deny rules for httpd(8)'s          Due to a bug in the parsing of Allow/Deny rules for httpd(8)'s
         access module, using IP addresses without a netmask on big endian          access module, using IP addresses without a netmask on big endian
         64-bit platforms causes the rules to fail to match.</a>          64-bit platforms causes the rules to fail to match.</a>
 <li><a href=errata34.html#ip6> February 8, 2004:  <li><a href="errata34.html#ip6"> February 8, 2004:
         An IPv6 MTU handling problem exists that could be used by an          An IPv6 MTU handling problem exists that could be used by an
         attacker to cause a denial of service attack.</a>          attacker to cause a denial of service attack.</a>
 <li><a href=errata34.html#sysvshm> February 5, 2004:  <li><a href="errata34.html#sysvshm"> February 5, 2004:
         A reference counting bug in shmat(2) could be used to write to          A reference counting bug in shmat(2) could be used to write to
         kernel memory under certain circumstances.</a>          kernel memory under certain circumstances.</a>
 <li><a href=errata34.html#isakmpd>January 13, 2004:  <li><a href="errata34.html#isakmpd">January 13, 2004:
         Several message handling flaws in isakmpd(8) have been reported          Several message handling flaws in isakmpd(8) have been reported
         by Thomas Walpuski.</a>          by Thomas Walpuski.</a>
 <li><a href=errata34.html#ibcs2>November 17, 2003:  <li><a href="errata34.html#ibcs2">November 17, 2003:
         It may be possible for a local user to overrun the stack in          It may be possible for a local user to overrun the stack in
         compat_ibcs2(8) and cause a kernel panic.</a>          compat_ibcs2(8) and cause a kernel panic.</a>
 <li><a href=errata34.html#asn1>November 1, 2003:  <li><a href="errata34.html#asn1">November 1, 2003:
         The use of certain ASN.1 encodings or malformed public keys may          The use of certain ASN.1 encodings or malformed public keys may
         allow an attacker to mount a denial of service attack against          allow an attacker to mount a denial of service attack against
         applications linked with ssl(3).</a>          applications linked with ssl(3).</a>
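Review bot: the `errata34.html#asn1` entry is dated November 1, 2003, but the same advisory text is dated October 1, 2003 in the 3.3 and 3.2 lists; likewise the isakmpd(8) message handling entry is January 13, 2004 here and January 15, 2004 in the 3.3 list. Since every one of these lines is being touched, check the dates against the errata pages and correct whichever is wrong.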
Line 327 
Line 330 
 <li>  <li>
 <a name="33"></a>  <a name="33"></a>
   
 <h3><font color=#e00000>OpenBSD 3.3 Security Advisories</font></h3>  <h3><font color="#e00000">OpenBSD 3.3 Security Advisories</font></h3>
 These are the OpenBSD 3.3 advisories -- all these problems are solved  These are the OpenBSD 3.3 advisories -- all these problems are solved
 in <a href=anoncvs.html>OpenBSD current</a>. The  in <a href="anoncvs.html">OpenBSD current</a>. The
 <a href=stable.html>patch branch</a> for 3.3 is no longer being maintained,  <a href="stable.html">patch branch</a> for 3.3 is no longer being maintained,
 you should update your machine.  you should update your machine.
 <p>  <p>
 <ul>  <ul>
 <li><a href=errata33.html#cvs> May 5, 2004:  <li><a href="errata33.html#cvs"> May 5, 2004:
         Pathname validation problems have been found in cvs(1),          Pathname validation problems have been found in cvs(1),
         allowing clients and servers access to files outside the          allowing clients and servers access to files outside the
         repository or local CVS tree.</a>          repository or local CVS tree.</a>
 <li><a href=errata33.html#openssl> March 17, 2004:  <li><a href="errata33.html#openssl"> March 17, 2004:
         A missing check for a NULL-pointer dereference may allow a          A missing check for a NULL-pointer dereference may allow a
         remote attacker to crash applications using OpenSSL.</a>          remote attacker to crash applications using OpenSSL.</a>
 <li><a href=errata33.html#isakmpd2> March 17, 2004:  <li><a href="errata33.html#isakmpd2"> March 17, 2004:
         Defects in the payload validation and processing functions of          Defects in the payload validation and processing functions of
         isakmpd have been discovered. An attacker could send malformed          isakmpd have been discovered. An attacker could send malformed
         ISAKMP messages and cause isakmpd to crash or to loop endlessly.</a>          ISAKMP messages and cause isakmpd to crash or to loop endlessly.</a>
 <li><a href=errata33.html#httpd2> March 13, 2004:  <li><a href="errata33.html#httpd2"> March 13, 2004:
         Due to a bug in the parsing of Allow/Deny rules for httpd(8)'s          Due to a bug in the parsing of Allow/Deny rules for httpd(8)'s
         access module, using IP addresses without a netmask on big endian          access module, using IP addresses without a netmask on big endian
         64-bit platforms causes the rules to fail to match.</a>          64-bit platforms causes the rules to fail to match.</a>
 <li><a href=errata33.html#ip6> February 8, 2004:  <li><a href="errata33.html#ip6"> February 8, 2004:
         An IPv6 MTU handling problem exists that could be used by an          An IPv6 MTU handling problem exists that could be used by an
         attacker to cause a denial of service attack.</a>          attacker to cause a denial of service attack.</a>
 <li><a href=errata33.html#sysvshm> February 5, 2004:  <li><a href="errata33.html#sysvshm"> February 5, 2004:
         A reference counting bug in shmat(2) could be used to write to          A reference counting bug in shmat(2) could be used to write to
         kernel memory under certain circumstances.</a>          kernel memory under certain circumstances.</a>
 <li><a href=errata33.html#isakmpd>January 15, 2004:  <li><a href="errata33.html#isakmpd">January 15, 2004:
         Several message handling flaws in isakmpd(8) have been reported          Several message handling flaws in isakmpd(8) have been reported
         by Thomas Walpuski.</a>          by Thomas Walpuski.</a>
 <li><a href=errata33.html#ibcs2>November 17, 2003:  <li><a href="errata33.html#ibcs2">November 17, 2003:
         It may be possible for a local user to execute arbitrary code          It may be possible for a local user to execute arbitrary code
         resulting in escalation of privileges due to a stack overrun          resulting in escalation of privileges due to a stack overrun
         in compat_ibcs2(8).</a>          in compat_ibcs2(8).</a>
 <li><a href=errata33.html#asn1>October 1, 2003:  <li><a href="errata33.html#asn1">October 1, 2003:
         The use of certain ASN.1 encodings or malformed public keys may          The use of certain ASN.1 encodings or malformed public keys may
         allow an attacker to mount a denial of service attack against          allow an attacker to mount a denial of service attack against
         applications linked with ssl(3).</a>          applications linked with ssl(3).</a>
 <li><a href=errata33.html#pfnorm>September 24, 2003:  <li><a href="errata33.html#pfnorm">September 24, 2003:
         Access of freed memory in pf(4) could be used to          Access of freed memory in pf(4) could be used to
         remotely panic a machine using scrub rules.</a>          remotely panic a machine using scrub rules.</a>
 <li><a href=errata33.html#sendmail>September 17, 2003:  <li><a href="errata33.html#sendmail">September 17, 2003:
         A buffer overflow in the address parsing in          A buffer overflow in the address parsing in
         sendmail(8) may allow an attacker to gain root privileges.</a>          sendmail(8) may allow an attacker to gain root privileges.</a>
 <li><a href=errata33.html#sshbuffer>September 16, 2003:  <li><a href="errata33.html#sshbuffer">September 16, 2003:
         OpenSSH versions prior to 3.7 contains a buffer management error          OpenSSH versions prior to 3.7 contains a buffer management error
         that is potentially exploitable.</a>          that is potentially exploitable.</a>
 <li><a href=errata33.html#sysvsem>September 10, 2003:  <li><a href="errata33.html#sysvsem">September 10, 2003:
         Root may be able to reduce the security level by taking advantage of          Root may be able to reduce the security level by taking advantage of
         an integer overflow when the semaphore limits are made very large.</a>          an integer overflow when the semaphore limits are made very large.</a>
 <li><a href=errata33.html#semget>August 20, 2003:  <li><a href="errata33.html#semget">August 20, 2003:
         An improper bounds check in the kernel may allow a local user          An improper bounds check in the kernel may allow a local user
         to panic the kernel.</a>          to panic the kernel.</a>
 <li><a href=errata33.html#realpath>August 4, 2003:  <li><a href="errata33.html#realpath">August 4, 2003:
         An off-by-one error exists in the C library function realpath(3)          An off-by-one error exists in the C library function realpath(3)
         may allow an attacker to gain escalated privileges.</a>          may allow an attacker to gain escalated privileges.</a>
 </ul>  </ul>
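Review bot: two advisory descriptions in this list carry grammar errors that pass through unchanged: "OpenSSH versions prior to 3.7 contains a buffer management error" (should be "contain") and "An off-by-one error exists in the C library function realpath(3) may allow an attacker ..." (missing "that" or "which"). Both sentences are repeated in the 3.2 list, so fix them in both places.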
Line 391 
Line 394 
 <li>  <li>
 <a name="32"></a>  <a name="32"></a>
   
 <h3><font color=#e00000>OpenBSD 3.2 Security Advisories</font></h3>  <h3><font color="#e00000">OpenBSD 3.2 Security Advisories</font></h3>
 These are the OpenBSD 3.2 advisories -- all these problems are solved  These are the OpenBSD 3.2 advisories -- all these problems are solved
 in <a href=anoncvs.html>OpenBSD current</a>. The  in <a href="anoncvs.html">OpenBSD current</a>. The
 <a href=stable.html>patch branch</a> for 3.2 is no longer being maintained,  <a href="stable.html">patch branch</a> for 3.2 is no longer being maintained,
 you should update your machine.  you should update your machine.
 <p>  <p>
 <ul>  <ul>
 <li><a href=errata32.html#asn1>October 1, 2003:  <li><a href="errata32.html#asn1">October 1, 2003:
         The use of certain ASN.1 encodings or malformed public keys may          The use of certain ASN.1 encodings or malformed public keys may
         allow an attacker to mount a denial of service attack against          allow an attacker to mount a denial of service attack against
         applications linked with ssl(3).  This does not affect OpenSSH.</a>          applications linked with ssl(3).  This does not affect OpenSSH.</a>
 <li><a href=errata32.html#pfnorm>September 24, 2003:  <li><a href="errata32.html#pfnorm">September 24, 2003:
         Access of freed memory in pf(4) could be used to          Access of freed memory in pf(4) could be used to
         remotely panic a machine using scrub rules.</a>          remotely panic a machine using scrub rules.</a>
 <li><a href=errata32.html#sendmail4>September 17, 2003:  <li><a href="errata32.html#sendmail4">September 17, 2003:
         A buffer overflow in the address parsing in          A buffer overflow in the address parsing in
         sendmail(8) may allow an attacker to gain root privileges.</a>          sendmail(8) may allow an attacker to gain root privileges.</a>
 <li><a href=errata32.html#sshbuffer>September 16, 2003:  <li><a href="errata32.html#sshbuffer">September 16, 2003:
         OpenSSH versions prior to 3.7 contains a buffer management error          OpenSSH versions prior to 3.7 contains a buffer management error
         that is potentially exploitable.</a>          that is potentially exploitable.</a>
 <li><a href=errata32.html#sendmail3>August 25, 2003:  <li><a href="errata32.html#sendmail3">August 25, 2003:
         Fix for a potential security issue in          Fix for a potential security issue in
         sendmail(8) with respect to DNS maps.</a>          sendmail(8) with respect to DNS maps.</a>
 <li><a href=errata32.html#realpath>August 4, 2003:  <li><a href="errata32.html#realpath">August 4, 2003:
         An off-by-one error exists in the C library function realpath(3)          An off-by-one error exists in the C library function realpath(3)
         may allow an attacker to gain escalated privileges.</a>          may allow an attacker to gain escalated privileges.</a>
 <li><a href=errata32.html#sendmail2>March 31, 2003:  <li><a href="errata32.html#sendmail2">March 31, 2003:
         A buffer overflow in the address parsing in          A buffer overflow in the address parsing in
         sendmail(8) may allow an attacker to gain root privileges.</a>          sendmail(8) may allow an attacker to gain root privileges.</a>
 <li><a href=errata32.html#kerberos>March 24, 2003:  <li><a href="errata32.html#kerberos">March 24, 2003:
         A cryptographic weaknesses in the Kerberos v4 protocol can be          A cryptographic weaknesses in the Kerberos v4 protocol can be
         exploited on Kerberos v5 as well.</a>          exploited on Kerberos v5 as well.</a>
 <li><a href=errata32.html#kpr>March 19, 2003:  <li><a href="errata32.html#kpr">March 19, 2003:
         OpenSSL is vulnerable to an extension of the ``Bleichenbacher'' attack          OpenSSL is vulnerable to an extension of the ``Bleichenbacher'' attack
         designed by Czech researchers Klima, Pokorny and Rosa.</a>          designed by Czech researchers Klima, Pokorny and Rosa.</a>
 <li><a href=errata32.html#blinding>March 18, 2003:  <li><a href="errata32.html#blinding">March 18, 2003:
         Various SSL and TLS operations in OpenSSL are vulnerable to          Various SSL and TLS operations in OpenSSL are vulnerable to
         timing attacks.</a>          timing attacks.</a>
 <li><a href=errata32.html#lprm>March 5, 2003:  <li><a href="errata32.html#lprm">March 5, 2003:
         A buffer overflow in lprm(1) may allow an attacker to elevate          A buffer overflow in lprm(1) may allow an attacker to elevate
         privileges to user daemon.</a>.          privileges to user daemon.</a>.
 <li><a href=errata32.html#sendmail>March 3, 2003:  <li><a href="errata32.html#sendmail">March 3, 2003:
         A buffer overflow in the envelope comments processing in          A buffer overflow in the envelope comments processing in
         sendmail(8) may allow an attacker to gain root privileges.</a>          sendmail(8) may allow an attacker to gain root privileges.</a>
 <li><a href=errata32.html#httpd>February 25, 2003:  <li><a href="errata32.html#httpd">February 25, 2003:
         httpd(8) leaks file inode numbers via ETag header as well as          httpd(8) leaks file inode numbers via ETag header as well as
         child PIDs in multipart MIME boundary generation. This could          child PIDs in multipart MIME boundary generation. This could
         lead, for example, to NFS exploitation because it uses inode          lead, for example, to NFS exploitation because it uses inode
         numbers as part of the file handle.</a>          numbers as part of the file handle.</a>
 <li><a href=errata32.html#ssl>February 22, 2003:  <li><a href="errata32.html#ssl">February 22, 2003:
         In ssl(8) an information leak can occur via timing by performing          In ssl(8) an information leak can occur via timing by performing
         a MAC computation even if incorrect block cipher padding has          a MAC computation even if incorrect block cipher padding has
         been found, this is a countermeasure. Also, check for negative          been found, this is a countermeasure. Also, check for negative
         sizes, in allocation routines.</a>          sizes, in allocation routines.</a>
 <li><a href=errata32.html#cvs>January 20, 2003:  <li><a href="errata32.html#cvs">January 20, 2003:
         A double free exists in cvs(1) that could lead to privilege          A double free exists in cvs(1) that could lead to privilege
         escalation for cvs configurations where the cvs command is          escalation for cvs configurations where the cvs command is
         run as a privileged user.</a>          run as a privileged user.</a>
 <li><a href=errata32.html#named>November 14, 2002:  <li><a href="errata32.html#named">November 14, 2002:
         A buffer overflow exists in named(8) that could lead to a          A buffer overflow exists in named(8) that could lead to a
         remote crash or code execution as user named in a chroot jail.</a>          remote crash or code execution as user named in a chroot jail.</a>
 <li><a href=errata32.html#pool>November 6, 2002:  <li><a href="errata32.html#pool">November 6, 2002:
         A logic error in the pool kernel memory allocator could cause          A logic error in the pool kernel memory allocator could cause
         memory corruption in low-memory situations, causing the system          memory corruption in low-memory situations, causing the system
         to crash.</a>          to crash.</a>
 <li><a href=errata32.html#smrsh>November 6, 2002:  <li><a href="errata32.html#smrsh">November 6, 2002:
         An attacker can bypass smrsh(8)'s restrictions and execute          An attacker can bypass smrsh(8)'s restrictions and execute
         arbitrary commands with the privileges of his own account.</a>          arbitrary commands with the privileges of his own account.</a>
 <li><a href=errata32.html#pfbridge>November 6, 2002:  <li><a href="errata32.html#pfbridge">November 6, 2002:
         Network bridges running pf with scrubbing enabled could cause          Network bridges running pf with scrubbing enabled could cause
         mbuf corruption, causing the system to crash.</a>          mbuf corruption, causing the system to crash.</a>
 <li><a href=errata32.html#kadmin>October 21, 2002:  <li><a href="errata32.html#kadmin">October 21, 2002:
         A buffer overflow can occur in the kadmind(8) daemon, leading          A buffer overflow can occur in the kadmind(8) daemon, leading
         to possible remote crash or exploit.</a>          to possible remote crash or exploit.</a>
 </ul>  </ul>
Line 471 
Line 474 
 <li>  <li>
 <a name="31"></a>  <a name="31"></a>
   
 <h3><font color=#e00000>OpenBSD 3.1 Security Advisories</font></h3>  <h3><font color="#e00000">OpenBSD 3.1 Security Advisories</font></h3>
 These are the OpenBSD 3.1 advisories -- all these problems are solved  These are the OpenBSD 3.1 advisories -- all these problems are solved
 in <a href=anoncvs.html>OpenBSD current</a>. The  in <a href="anoncvs.html">OpenBSD current</a>. The
 <a href=stable.html>patch branch</a> for 3.1 is no longer being maintained,  <a href="stable.html">patch branch</a> for 3.1 is no longer being maintained,
 you should update your machine.  you should update your machine.
   
 <p>  <p>
 <ul>  <ul>
 <li><a href=errata31.html#sendmail2>March 31, 2003:  <li><a href="errata31.html#sendmail2">March 31, 2003:
         A buffer overflow in the address parsing in          A buffer overflow in the address parsing in
         sendmail(8) may allow an attacker to gain root privileges.</a>          sendmail(8) may allow an attacker to gain root privileges.</a>
 <li><a href=errata31.html#kerberos>March 24, 2003:  <li><a href="errata31.html#kerberos">March 24, 2003:
         A cryptographic weaknesses in the Kerberos v4 protocol can be          A cryptographic weaknesses in the Kerberos v4 protocol can be
         exploited on Kerberos v5 as well.</a>          exploited on Kerberos v5 as well.</a>
 <li><a href=errata31.html#kpr>March 19, 2003:  <li><a href="errata31.html#kpr">March 19, 2003:
         OpenSSL is vulnerable to an extension of the ``Bleichenbacher'' attack          OpenSSL is vulnerable to an extension of the ``Bleichenbacher'' attack
         designed by Czech researchers Klima, Pokorny and Rosa.</a>          designed by Czech researchers Klima, Pokorny and Rosa.</a>
 <li><a href=errata31.html#blinding>March 18, 2003:  <li><a href="errata31.html#blinding">March 18, 2003:
         Various SSL and TLS operations in OpenSSL are vulnerable to          Various SSL and TLS operations in OpenSSL are vulnerable to
         timing attacks.</a>          timing attacks.</a>
 <li><a href=errata31.html#lprm>March 4, 2003:  <li><a href="errata31.html#lprm">March 4, 2003:
         A buffer overflow in lprm(1) may allow an attacker to gain          A buffer overflow in lprm(1) may allow an attacker to gain
         root privileges.</a>          root privileges.</a>
 <li><a href=errata31.html#sendmail>March 3, 2003:  <li><a href="errata31.html#sendmail">March 3, 2003:
         A buffer overflow in the envelope comments processing in          A buffer overflow in the envelope comments processing in
         sendmail(8) may allow an attacker to gain root privileges.</a>          sendmail(8) may allow an attacker to gain root privileges.</a>
 <li><a href=errata31.html#ssl2>February 23, 2003:  <li><a href="errata31.html#ssl2">February 23, 2003:
         In ssl(8) an information leak can occur via timing by performing          In ssl(8) an information leak can occur via timing by performing
         a MAC computation even if incorrect block cipher padding has          a MAC computation even if incorrect block cipher padding has
         been found, this is a countermeasure. Also, check for negative          been found, this is a countermeasure. Also, check for negative
         sizes, in allocation routines.</a>          sizes, in allocation routines.</a>
 <li><a href=errata31.html#cvs>January 20, 2003:  <li><a href="errata31.html#cvs">January 20, 2003:
         A double free exists in cvs(1) that could lead to privilege          A double free exists in cvs(1) that could lead to privilege
         escalation for cvs configurations where the cvs command is          escalation for cvs configurations where the cvs command is
         run as a privileged user.          run as a privileged user</a>.
 <li><a href=errata31.html#named>November 14, 2002:  <li><a href="errata31.html#named">November 14, 2002:
         A buffer overflow exists in named(8) that could lead to a          A buffer overflow exists in named(8) that could lead to a
         remote crash or code execution as user named in a chroot jail.</a>          remote crash or code execution as user named in a chroot jail.</a>
 <li><a href=errata31.html#kernresource>November 6, 2002:  <li><a href="errata31.html#kernresource">November 6, 2002:
         Incorrect argument checking in the getitimer(2) system call          Incorrect argument checking in the getitimer(2) system call
         may allow an attacker to crash the system.</a>          may allow an attacker to crash the system.</a>
 <li><a href=errata31.html#smrsh>November 6, 2002:  <li><a href="errata31.html#smrsh">November 6, 2002:
         An attacker can bypass smrsh(8)'s restrictions and execute          An attacker can bypass smrsh(8)'s restrictions and execute
         arbitrary commands with the privileges of his own account.</a>          arbitrary commands with the privileges of his own account.</a>
 <li><a href=errata31.html#kadmin>October 21, 2002:  <li><a href="errata31.html#kadmin">October 21, 2002:
         A buffer overflow can occur in the kadmind(8) daemon, leading          A buffer overflow can occur in the kadmind(8) daemon, leading
         to possible remote crash or exploit.</a>          to possible remote crash or exploit.</a>
 <li><a href=errata31.html#kerntime>October 2, 2002:  <li><a href="errata31.html#kerntime">October 2, 2002:
         Incorrect argument checking in the setitimer(2) system call          Incorrect argument checking in the setitimer(2) system call
         may allow an attacker to write to kernel memory.</a>          may allow an attacker to write to kernel memory.</a>
 <li><a href=errata31.html#scarg>August 11, 2002:  <li><a href="errata31.html#scarg">August 11, 2002:
         An insufficient boundary check in the select system call          An insufficient boundary check in the select system call
         allows an attacker to overwrite kernel memory and execute arbitrary code          allows an attacker to overwrite kernel memory and execute arbitrary code
         in kernel context.</a>          in kernel context.</a>
 <li><a href=errata31.html#ssl>July 30, 2002:  <li><a href="errata31.html#ssl">July 30, 2002:
         Several remote buffer overflows can occur in the SSL2 server and SSL3          Several remote buffer overflows can occur in the SSL2 server and SSL3
         client of the ssl(8) library, as in the ASN.1 parser code in the          client of the ssl(8) library, as in the ASN.1 parser code in the
         crypto(3) library, all of them being potentially remotely          crypto(3) library, all of them being potentially remotely
         exploitable.</a>          exploitable.</a>
 <li><a href=errata31.html#xdr>July 29, 2002:  <li><a href="errata31.html#xdr">July 29, 2002:
         A buffer overflow can occur in the xdr_array(3) RPC code, leading to          A buffer overflow can occur in the xdr_array(3) RPC code, leading to
         possible remote crash.</a>          possible remote crash.</a>
 <li><a href=errata31.html#pppd>July 29, 2002:  <li><a href="errata31.html#pppd">July 29, 2002:
         A race condition exists in the pppd(8) daemon which may cause it to          A race condition exists in the pppd(8) daemon which may cause it to
         alter the file permissions of an arbitrary file.</a>          alter the file permissions of an arbitrary file.</a>
 <li><a href=errata31.html#isakmpd>July 5, 2002:  <li><a href="errata31.html#isakmpd">July 5, 2002:
         Receiving IKE payloads out of sequence can cause isakmpd(8) to          Receiving IKE payloads out of sequence can cause isakmpd(8) to
         crash.</a>          crash.</a>
 <li><a href=errata31.html#ktrace>June 27, 2002:  <li><a href="errata31.html#ktrace">June 27, 2002:
         The kernel would let any user ktrace set[ug]id processes.</a>          The kernel would let any user ktrace set[ug]id processes.</a>
 <li><a href=errata31.html#modssl>June 26, 2002:  <li><a href="errata31.html#modssl">June 26, 2002:
         A buffer overflow can occur in the .htaccess parsing code in          A buffer overflow can occur in the .htaccess parsing code in
         mod_ssl httpd module, leading to possible remote crash or exploit.</a>          mod_ssl httpd module, leading to possible remote crash or exploit.</a>
 <li><a href=errata31.html#resolver>June 25, 2002:  <li><a href="errata31.html#resolver">June 25, 2002:
         A potential buffer overflow in the DNS resolver has been found.</a>          A potential buffer overflow in the DNS resolver has been found.</a>
 <li><a href=errata31.html#sshd>June 24, 2002:  <li><a href="errata31.html#sshd">June 24, 2002:
         All versions of OpenSSH's sshd between 2.3.1 and 3.3 contain an          All versions of OpenSSH's sshd between 2.3.1 and 3.3 contain an
         input validation error that can result in an integer overflow and          input validation error that can result in an integer overflow and
         privilege escalation.</a>          privilege escalation.</a>
 <li><a href=errata31.html#httpd>June 19, 2002:  <li><a href="errata31.html#httpd">June 19, 2002:
         A buffer overflow can occur during the interpretation of chunked          A buffer overflow can occur during the interpretation of chunked
         encoding in httpd(8), leading to possible remote crash.</a>          encoding in httpd(8), leading to possible remote crash.</a>
 <li><a href=errata31.html#sshbsdauth>May 22, 2002:  <li><a href="errata31.html#sshbsdauth">May 22, 2002:
         Under certain conditions, on systems using YP with netgroups          Under certain conditions, on systems using YP with netgroups
         in the password database, it is possible that sshd(8) does          in the password database, it is possible that sshd(8) does
         ACL checks for the requested user name but uses the password          ACL checks for the requested user name but uses the password
         database entry of a different user for authentication.  This          database entry of a different user for authentication.  This
         means that denied users might authenticate successfully          means that denied users might authenticate successfully
         while permitted users could be locked out.</a>          while permitted users could be locked out.</a>
 <li><a href=errata31.html#fdalloc2>May 8, 2002:  <li><a href="errata31.html#fdalloc2">May 8, 2002:
         A race condition exists that could defeat the kernel's          A race condition exists that could defeat the kernel's
         protection of fd slots 0-2 for setuid processes.</a>          protection of fd slots 0-2 for setuid processes.</a>
 <li><a href=errata31.html#sudo>April 25, 2002:  <li><a href="errata31.html#sudo">April 25, 2002:
         A bug in sudo may allow an attacker to corrupt the heap.</a>          A bug in sudo may allow an attacker to corrupt the heap.</a>
 <li><a href=errata31.html#sshafs>April 22, 2002:  <li><a href="errata31.html#sshafs">April 22, 2002:
         A local user can gain super-user privileges due to a buffer          A local user can gain super-user privileges due to a buffer
         overflow in sshd(8) if AFS has been configured on the system          overflow in sshd(8) if AFS has been configured on the system
         or if KerberosTgtPassing or AFSTokenPassing has been enabled          or if KerberosTgtPassing or AFSTokenPassing has been enabled
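Review bot: In the January 20, 2003 cvs(1) entry the added closing tag lands before the full stop ("run as a privileged user</a>."), which makes it the only item in this list whose period sits outside the link; every other entry, including the same advisory in the 3.2 list, ends with ".</a>". Suggest "run as a privileged user.</a>" for consistency. While these lines are being touched, "A cryptographic weaknesses" in the March 24, 2003 Kerberos entry is unchanged on both sides and could be corrected to "Cryptographic weaknesses".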
Line 576 
Line 579 
 <li>  <li>
 <a name="30"></a>  <a name="30"></a>
   
 <h3><font color=#e00000>OpenBSD 3.0 Security Advisories</font></h3>  <h3><font color="#e00000">OpenBSD 3.0 Security Advisories</font></h3>
 These are the OpenBSD 3.0 advisories -- all these problems are solved  These are the OpenBSD 3.0 advisories -- all these problems are solved
 in <a href=anoncvs.html>OpenBSD current</a>. The  in <a href="anoncvs.html">OpenBSD current</a>. The
 <a href=stable.html>patch branch</a> for 3.0 is no longer being maintained,  <a href="stable.html">patch branch</a> for 3.0 is no longer being maintained,
 you should update your machine.  you should update your machine.
   
 <p>  <p>
 <ul>  <ul>
 <li><a href=errata30.html#named>November 14, 2002:  <li><a href="errata30.html#named">November 14, 2002:
         A buffer overflow exists in named(8) that could lead to a          A buffer overflow exists in named(8) that could lead to a
         remote crash or code execution as user named in a chroot jail.</a>          remote crash or code execution as user named in a chroot jail.</a>
 <li><a href=errata30.html#kernresource>November 6, 2002:  <li><a href="errata30.html#kernresource">November 6, 2002:
         Incorrect argument checking in the getitimer(2) system call          Incorrect argument checking in the getitimer(2) system call
         may allow an attacker to crash the system.</a>          may allow an attacker to crash the system.</a>
 <li><a href=errata30.html#smrsh>November 6, 2002:  <li><a href="errata30.html#smrsh">November 6, 2002:
         An attacker can bypass smrsh(8)'s restrictions and execute          An attacker can bypass smrsh(8)'s restrictions and execute
         arbitrary commands with the privileges of his own account.</a>          arbitrary commands with the privileges of his own account.</a>
 <li><a href=errata30.html#kadmin>October 21, 2002:  <li><a href="errata30.html#kadmin">October 21, 2002:
         A buffer overflow can occur in the kadmind(8) daemon, leading          A buffer overflow can occur in the kadmind(8) daemon, leading
         to possible remote crash or exploit.</a>          to possible remote crash or exploit.</a>
 <li><a href=errata30.html#kerntime>October 7, 2002:  <li><a href="errata30.html#kerntime">October 7, 2002:
         Incorrect argument checking in the setitimer(2) system call          Incorrect argument checking in the setitimer(2) system call
         may allow an attacker to write to kernel memory.</a>          may allow an attacker to write to kernel memory.</a>
 <li><a href=errata30.html#scarg>August 11, 2002:  <li><a href="errata30.html#scarg">August 11, 2002:
         An insufficient boundary check in the select and poll system calls          An insufficient boundary check in the select and poll system calls
         allows an attacker to overwrite kernel memory and execute arbitrary code          allows an attacker to overwrite kernel memory and execute arbitrary code
         in kernel context.</a>          in kernel context.</a>
 <li><a href=errata30.html#ssl>July 30, 2002:  <li><a href="errata30.html#ssl">July 30, 2002:
         Several remote buffer overflows can occur in the SSL2 server and SSL3          Several remote buffer overflows can occur in the SSL2 server and SSL3
         client of the ssl(8) library, as in the ASN.1 parser code in the          client of the ssl(8) library, as in the ASN.1 parser code in the
         crypto(3) library, all of them being potentially remotely          crypto(3) library, all of them being potentially remotely
         exploitable.</a>          exploitable.</a>
 <li><a href=errata30.html#xdr>July 29, 2002:  <li><a href="errata30.html#xdr">July 29, 2002:
         A buffer overflow can occur in the xdr_array(3) RPC code, leading to          A buffer overflow can occur in the xdr_array(3) RPC code, leading to
         possible remote crash.</a>          possible remote crash.</a>
 <li><a href=errata30.html#pppd>July 29, 2002:  <li><a href="errata30.html#pppd">July 29, 2002:
         A race condition exists in the pppd(8) daemon which may cause it to          A race condition exists in the pppd(8) daemon which may cause it to
         alter the file permissions of an arbitrary file.</a>          alter the file permissions of an arbitrary file.</a>
 <li><a href=errata30.html#isakmpd2>July 5, 2002:  <li><a href="errata30.html#isakmpd2">July 5, 2002:
         Receiving IKE payloads out of sequence can cause isakmpd(8) to          Receiving IKE payloads out of sequence can cause isakmpd(8) to
         crash.</a>          crash.</a>
 <li><a href=errata30.html#ktrace>June 27, 2002:  <li><a href="errata30.html#ktrace">June 27, 2002:
         The kernel would let any user ktrace set[ug]id processes.</a>          The kernel would let any user ktrace set[ug]id processes.</a>
 <li><a href=errata30.html#resolver>June 25, 2002:  <li><a href="errata30.html#resolver">June 25, 2002:
         A potential buffer overflow in the DNS resolver has been found.</a>          A potential buffer overflow in the DNS resolver has been found.</a>
 <li><a href=errata30.html#sshdauth>June 24, 2002:  <li><a href="errata30.html#sshdauth">June 24, 2002:
         All versions of OpenSSH's sshd between 2.3.1 and 3.3 contain an          All versions of OpenSSH's sshd between 2.3.1 and 3.3 contain an
         input validation error that can result in an integer overflow and          input validation error that can result in an integer overflow and
         privilege escalation.</a>          privilege escalation.</a>
 <li><a href=errata30.html#modssl>June 24, 2002:  <li><a href="errata30.html#modssl">June 24, 2002:
         A buffer overflow can occur in the .htaccess parsing code in          A buffer overflow can occur in the .htaccess parsing code in
         mod_ssl httpd module, leading to possible remote crash or exploit.</a>          mod_ssl httpd module, leading to possible remote crash or exploit.</a>
 <li><a href=errata30.html#httpd>June 19, 2002:  <li><a href="errata30.html#httpd">June 19, 2002:
         A buffer overflow can occur during the interpretation of chunked          A buffer overflow can occur during the interpretation of chunked
         encoding in httpd(8), leading to possible remote crash.</a>          encoding in httpd(8), leading to possible remote crash.</a>
 <li><a href=errata30.html#fdalloc2>May 8, 2002:  <li><a href="errata30.html#fdalloc2">May 8, 2002:
         A race condition exists that could defeat the kernel's          A race condition exists that could defeat the kernel's
         protection of fd slots 0-2 for setuid processes.</a>          protection of fd slots 0-2 for setuid processes.</a>
 <li><a href=errata30.html#sudo2>April 25, 2002:  <li><a href="errata30.html#sudo2">April 25, 2002:
         A bug in sudo may allow an attacker to corrupt the heap.</a>          A bug in sudo may allow an attacker to corrupt the heap.</a>
 <li><a href=errata30.html#sshafs>April 22, 2002:  <li><a href="errata30.html#sshafs">April 22, 2002:
         A local user can gain super-user privileges due to a buffer          A local user can gain super-user privileges due to a buffer
         overflow in sshd(8) if AFS has been configured on the system          overflow in sshd(8) if AFS has been configured on the system
         or if KerberosTgtPassing or AFSTokenPassing has been enabled          or if KerberosTgtPassing or AFSTokenPassing has been enabled
         in the sshd_config file.</a>          in the sshd_config file.</a>
 <li><a href=errata30.html#mail>April 11, 2002:  <li><a href="errata30.html#mail">April 11, 2002:
         The mail(1) was interpreting tilde escapes even when invoked          The mail(1) was interpreting tilde escapes even when invoked
         in non-interactive mode.  As mail(1) is called as root from cron,          in non-interactive mode.  As mail(1) is called as root from cron,
         this can lead to a local root compromise.</a>          this can lead to a local root compromise.</a>
 <li><a href=errata30.html#approval>March 19, 2002:  <li><a href="errata30.html#approval">March 19, 2002:
         Under certain conditions, on systems using YP with netgroups in          Under certain conditions, on systems using YP with netgroups in
         the password database, it is possible for the rexecd(8) and rshd(8)          the password database, it is possible for the rexecd(8) and rshd(8)
         daemons to execute a shell from a password database entry for a          daemons to execute a shell from a password database entry for a
         different user. Similarly, atrun(8) may change to the wrong          different user. Similarly, atrun(8) may change to the wrong
         home directory when running jobs.</a>          home directory when running jobs.</a>
 <li><a href=errata30.html#zlib>March 13, 2002:  <li><a href="errata30.html#zlib">March 13, 2002:
         A potential double free() exists in the zlib library;          A potential double free() exists in the zlib library;
         this is not exploitable on OpenBSD.          this is not exploitable on OpenBSD.
         The kernel also contains a copy of zlib; it is not          The kernel also contains a copy of zlib; it is not
         currently known if the kernel zlib is exploitable.</a>          currently known if the kernel zlib is exploitable.</a>
 <li><a href=errata30.html#openssh>March 8, 2002:  <li><a href="errata30.html#openssh">March 8, 2002:
         An off-by-one check in OpenSSH's channel forwarding code          An off-by-one check in OpenSSH's channel forwarding code
         may allow a local user to gain super-user privileges.</a>          may allow a local user to gain super-user privileges.</a>
 <li><a href=errata30.html#ptrace>January 21, 2002:  <li><a href="errata30.html#ptrace">January 21, 2002:
         A race condition between the ptrace(2) and execve(2) system calls          A race condition between the ptrace(2) and execve(2) system calls
         allows an attacker to modify the memory contents of suid/sgid          allows an attacker to modify the memory contents of suid/sgid
         processes which could lead to compromise of the super-user account.</a>          processes which could lead to compromise of the super-user account.</a>
 <li><a href=errata30.html#sudo>January 17, 2002:  <li><a href="errata30.html#sudo">January 17, 2002:
         There is a security hole in sudo(8) that can be exploited          There is a security hole in sudo(8) that can be exploited
         when the Postfix sendmail replacement is installed that may          when the Postfix sendmail replacement is installed that may
         allow an attacker on the local host to gain root privileges.</a>          allow an attacker on the local host to gain root privileges.</a>
 <li><a href=errata30.html#lpd>November 28, 2001:  <li><a href="errata30.html#lpd">November 28, 2001:
         An attacker can trick a machine running the lpd daemon into          An attacker can trick a machine running the lpd daemon into
         creating new files in the root directory from a machine with          creating new files in the root directory from a machine with
         remote line printer access.</a>          remote line printer access.</a>
 <li><a href=errata30.html#vi.recover>November 13, 2001:  <li><a href="errata30.html#vi.recover">November 13, 2001:
         The vi.recover script can be abused in such a way as          The vi.recover script can be abused in such a way as
         to cause arbitrary zero-length files to be removed.</a>          to cause arbitrary zero-length files to be removed.</a>
 <li><a href=errata30.html#pf>November 13, 2001:  <li><a href="errata30.html#pf">November 13, 2001:
         pf(4) was incapable of dealing with certain ipv6 icmp packets,          pf(4) was incapable of dealing with certain ipv6 icmp packets,
         resulting in a crash.</a>          resulting in a crash.</a>
 <li><a href=errata30.html#sshd>November 12, 2001:  <li><a href="errata30.html#sshd">November 12, 2001:
         A security hole that may allow an attacker to partially authenticate          A security hole that may allow an attacker to partially authenticate
         if -- and only if -- the administrator has enabled KerberosV.</a>          if -- and only if -- the administrator has enabled KerberosV.</a>
 </ul>  </ul>
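Review bot: The setitimer(2) entry (errata30.html#kerntime) is dated October 7, 2002 in this list, while the identically worded entry in the 3.1 list is dated October 2, 2002; likewise the mod_ssl entry is June 24, 2002 here and June 26, 2002 in the 3.1 list. The change only quotes the href values and leaves the dates alone, but since both lines are being edited it is worth checking them against errata30.html and errata31.html and aligning them if one is a typo.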
Line 686 
Line 689 
 <li>  <li>
 <a name="29"></a>  <a name="29"></a>
   
 <h3><font color=#e00000>OpenBSD 2.9 Security Advisories</font></h3>  <h3><font color="#e00000">OpenBSD 2.9 Security Advisories</font></h3>
 These are the OpenBSD 2.9 advisories -- all these problems are solved  These are the OpenBSD 2.9 advisories -- all these problems are solved
 in <a href=anoncvs.html>OpenBSD current</a>. The  in <a href="anoncvs.html">OpenBSD current</a>. The
 <a href=stable.html>patch branch</a>. for 2.9 is no longer being maintained,  <a href="stable.html">patch branch</a>. for 2.9 is no longer being maintained,
 you should update your machine.  you should update your machine.
   
   
 <p>  <p>
 <ul>  <ul>
 <li><a href=errata29.html#resolver>June 25, 2002:  <li><a href="errata29.html#resolver">June 25, 2002:
         A potential buffer overflow in the DNS resolver has been found.</a>          A potential buffer overflow in the DNS resolver has been found.</a>
 <li><a href=errata29.html#fdalloc2>May 8, 2002:  <li><a href="errata29.html#fdalloc2">May 8, 2002:
         A race condition exists that could defeat the kernel's          A race condition exists that could defeat the kernel's
         protection of fd slots 0-2 for setuid processes.</a>          protection of fd slots 0-2 for setuid processes.</a>
 <li><a href=errata29.html#sudo2>April 25, 2002:  <li><a href="errata29.html#sudo2">April 25, 2002:
         A bug in sudo may allow an attacker to corrupt the heap.</a>          A bug in sudo may allow an attacker to corrupt the heap.</a>
 <li><a href=errata29.html#sshafs>April 22, 2002:  <li><a href="errata29.html#sshafs">April 22, 2002:
         A local user can gain super-user privileges due to a buffer          A local user can gain super-user privileges due to a buffer
         overflow in sshd(8) if AFS has been configured on the system          overflow in sshd(8) if AFS has been configured on the system
         or if KerberosTgtPassing or AFSTokenPassing has been enabled          or if KerberosTgtPassing or AFSTokenPassing has been enabled
         in the sshd_config file.</a>          in the sshd_config file.</a>
 <li><a href=errata29.html#mail>April 11, 2002:  <li><a href="errata29.html#mail">April 11, 2002:
         The mail(1) was interpreting tilde escapes even when invoked          The mail(1) was interpreting tilde escapes even when invoked
         in non-interactive mode.  As mail(1) is called as root from cron,          in non-interactive mode.  As mail(1) is called as root from cron,
         this can lead to a local root compromise.</a>          this can lead to a local root compromise.</a>
 <li><a href=errata29.html#zlib>March 13, 2002:  <li><a href="errata29.html#zlib">March 13, 2002:
         A potential double free() exists in the zlib library;          A potential double free() exists in the zlib library;
         this is not exploitable on OpenBSD.          this is not exploitable on OpenBSD.
         The kernel also contains a copy of zlib; it is not          The kernel also contains a copy of zlib; it is not
         currently known if the kernel zlib is exploitable.</a>          currently known if the kernel zlib is exploitable.</a>
 <li><a href=errata29.html#openssh>March 8, 2002:  <li><a href="errata29.html#openssh">March 8, 2002:
         An off-by-one check in OpenSSH's channel forwarding code          An off-by-one check in OpenSSH's channel forwarding code
         may allow a local user to gain super-user privileges.</a>          may allow a local user to gain super-user privileges.</a>
 <li><a href=errata29.html#ptrace>January 21, 2002:  <li><a href="errata29.html#ptrace">January 21, 2002:
         A race condition between the ptrace(2) and execve(2) system calls          A race condition between the ptrace(2) and execve(2) system calls
         allows an attacker to modify the memory contents of suid/sgid          allows an attacker to modify the memory contents of suid/sgid
         processes which could lead to compromise of the super-user account.</a>          processes which could lead to compromise of the super-user account.</a>
 <li><a href=errata29.html#sudo>January 17, 2002:  <li><a href="errata29.html#sudo">January 17, 2002:
         There is a security hole in sudo(8) that can be exploited          There is a security hole in sudo(8) that can be exploited
         when the Postfix sendmail replacement is installed that may          when the Postfix sendmail replacement is installed that may
         allow an attacker on the local host to gain root privileges.</a>          allow an attacker on the local host to gain root privileges.</a>
 <li><a href=errata29.html#lpd2>November 28, 2001:  <li><a href="errata29.html#lpd2">November 28, 2001:
         An attacker can trick a machine running the lpd daemon into          An attacker can trick a machine running the lpd daemon into
         creating new files in the root directory from a machine with          creating new files in the root directory from a machine with
         remote line printer access.</a>          remote line printer access.</a>
 <li><a href=errata29.html#vi.recover>November 13, 2001:  <li><a href="errata29.html#vi.recover">November 13, 2001:
         The vi.recover script can be abused in such a way as          The vi.recover script can be abused in such a way as
         to cause arbitrary zero-length files to be removed.</a>          to cause arbitrary zero-length files to be removed.</a>
 <li><a href=errata29.html#uucp>September 11, 2001:  <li><a href="errata29.html#uucp">September 11, 2001:
         A security hole exists in uuxqt(8) that may allow an          A security hole exists in uuxqt(8) that may allow an
         attacker to gain root privileges.</a>          attacker to gain root privileges.</a>
 <li><a href=errata29.html#lpd>August 29, 2001:  <li><a href="errata29.html#lpd">August 29, 2001:
         A security hole exists in lpd(8) that may allow an          A security hole exists in lpd(8) that may allow an
         attacker to gain root privileges if lpd is running.</a>          attacker to gain root privileges if lpd is running.</a>
 <li><a href=errata29.html#sendmail2>August 21, 2001:  <li><a href="errata29.html#sendmail2">August 21, 2001:
         A security hole exists in sendmail(8) that may allow an          A security hole exists in sendmail(8) that may allow an
         attacker on the local host to gain root privileges.</a>          attacker on the local host to gain root privileges.</a>
 <li><a href=errata29.html#nfs>July 30, 2001:  <li><a href="errata29.html#nfs">July 30, 2001:
         A kernel buffer overflow in the NFS code can be used to execute          A kernel buffer overflow in the NFS code can be used to execute
         arbitrary code by users with mount privileges (only root by          arbitrary code by users with mount privileges (only root by
         default).</a>          default).</a>
 <li><a href=errata29.html#kernexec>June 15, 2001:  <li><a href="errata29.html#kernexec">June 15, 2001:
         A race condition in the kernel can lead to local root compromise.</a>          A race condition in the kernel can lead to local root compromise.</a>
 <li><a href=errata29.html#sshcookie>June 12, 2001:  <li><a href="errata29.html#sshcookie">June 12, 2001:
         sshd(8) allows users to delete arbitrary files named "cookies"          sshd(8) allows users to delete arbitrary files named "cookies"
         if X11 forwarding is enabled. X11 forwarding is disabled          if X11 forwarding is enabled. X11 forwarding is disabled
         by default.</a>          by default.</a>
 <li><a href=errata29.html#fts>May 30, 2001:  <li><a href="errata29.html#fts">May 30, 2001:
         Programs using the fts routines can be tricked into changing          Programs using the fts routines can be tricked into changing
         into the wrong directory.</a>          into the wrong directory.</a>
 <li><a href=errata29.html#sendmail>May 29, 2001:  <li><a href="errata29.html#sendmail">May 29, 2001:
         Sendmail signal handlers contain unsafe code,          Sendmail signal handlers contain unsafe code,
         leading to numerous race conditions.</a>          leading to numerous race conditions.</a>
 </ul>  </ul>
Line 765 
Line 768 
 <li>  <li>
 <a name="28"></a>  <a name="28"></a>
   
 <h3><font color=#e00000>OpenBSD 2.8 Security Advisories</font></h3>  <h3><font color="#e00000">OpenBSD 2.8 Security Advisories</font></h3>
 These are the OpenBSD 2.8 advisories -- all these problems are solved  These are the OpenBSD 2.8 advisories -- all these problems are solved
 in <a href=anoncvs.html>OpenBSD current</a>. The  in <a href="anoncvs.html">OpenBSD current</a>. The
 <a href=stable.html>patch branch</a>. for 2.8 is no longer being maintained,  <a href="stable.html">patch branch</a>. for 2.8 is no longer being maintained,
 you should update your machine.  you should update your machine.
   
   
 <p>  <p>
 <ul>  <ul>
 <li><a href=errata28.html#uucp>September 11, 2001:  <li><a href="errata28.html#uucp">September 11, 2001:
         A security hole exists in uuxqt(8) that may allow an          A security hole exists in uuxqt(8) that may allow an
         attacker to gain root privileges.</a>          attacker to gain root privileges.</a>
 <li><a href=errata28.html#lpd>August 29, 2001:  <li><a href="errata28.html#lpd">August 29, 2001:
         A security hole exists in lpd(8) that may allow an          A security hole exists in lpd(8) that may allow an
         attacker to gain root privileges if lpd is running.</a>          attacker to gain root privileges if lpd is running.</a>
 <li><a href=errata28.html#sendmail2>August 21, 2001:  <li><a href="errata28.html#sendmail2">August 21, 2001:
         A security hole exists in sendmail(8) that may allow an          A security hole exists in sendmail(8) that may allow an
         attacker on the local host to gain root privileges.</a>          attacker on the local host to gain root privileges.</a>
 <li><a href=errata28.html#kernexec>June 15, 2001:  <li><a href="errata28.html#kernexec">June 15, 2001:
         A race condition in the kernel can lead to local root compromise.</a>          A race condition in the kernel can lead to local root compromise.</a>
 <li><a href=errata28.html#fts>May 30, 2001:  <li><a href="errata28.html#fts">May 30, 2001:
         Programs using the fts routines can be tricked into changing          Programs using the fts routines can be tricked into changing
         into the wrong directory.</a>          into the wrong directory.</a>
 <li><a href=errata28.html#sendmail>May 29, 2001:  <li><a href="errata28.html#sendmail">May 29, 2001:
         Sendmail signal handlers contain unsafe code,          Sendmail signal handlers contain unsafe code,
         leading to numerous race conditions.</a>          leading to numerous race conditions.</a>
 <li><a href=errata28.html#ipf_frag>Apr 23, 2001:  <li><a href="errata28.html#ipf_frag">Apr 23, 2001:
         IPF contains a serious bug with its handling of fragment caching.</a>          IPF contains a serious bug with its handling of fragment caching.</a>
 <li><a href=errata28.html#glob_limit>Apr 23, 2001:  <li><a href="errata28.html#glob_limit">Apr 23, 2001:
         ftpd(8) contains a potential DoS relating to glob(3).</a>          ftpd(8) contains a potential DoS relating to glob(3).</a>
 <li><a href=errata28.html#glob>Apr 10, 2001:  <li><a href="errata28.html#glob">Apr 10, 2001:
         The glob(3) library call contains multiple buffer overflows.</a>          The glob(3) library call contains multiple buffer overflows.</a>
 <li><a href=errata28.html#readline>Mar 18, 2001:  <li><a href="errata28.html#readline">Mar 18, 2001:
         The readline library creates history files with permissive modes based on the user's umask.</a>          The readline library creates history files with permissive modes based on the user's umask.</a>
 <li><a href=errata28.html#ipsec_ah>Mar 2, 2001:  <li><a href="errata28.html#ipsec_ah">Mar 2, 2001:
         Insufficient checks in the IPSEC AH IPv4 option handling code can lead to a buffer overrun in the kernel.</a>          Insufficient checks in the IPSEC AH IPv4 option handling code can lead to a buffer overrun in the kernel.</a>
 <li><a href=errata28.html#userldt>Mar 2, 2001:  <li><a href="errata28.html#userldt">Mar 2, 2001:
         The <b>USER_LDT</b> kernel option allows an attacker to gain access to privileged areas of kernel memory.</a>          The <b>USER_LDT</b> kernel option allows an attacker to gain access to privileged areas of kernel memory.</a>
 <li><a href=errata28.html#sudo>Feb 22, 2001:  <li><a href="errata28.html#sudo">Feb 22, 2001:
         a non-exploitable buffer overflow was fixed in sudo(8).</a>          a non-exploitable buffer overflow was fixed in sudo(8).</a>
 <li><a href=errata28.html#named>Jan 29, 2001:  <li><a href="errata28.html#named">Jan 29, 2001:
         merge named(8) with ISC BIND 4.9.8-REL, which fixes some buffer vulnerabilities.</a>          merge named(8) with ISC BIND 4.9.8-REL, which fixes some buffer vulnerabilities.</a>
 <li><a href=errata28.html#rnd>Jan 22, 2001:  <li><a href="errata28.html#rnd">Jan 22, 2001:
         rnd(4) did not use all of its input when written to.</a>          rnd(4) did not use all of its input when written to.</a>
 <li><a href=errata28.html#xlock>Dec 22, 2000:  <li><a href="errata28.html#xlock">Dec 22, 2000:
         xlock(1)'s authentication was re-done to authenticate via a named pipe. (patch and new xlock binaries included).</a>          xlock(1)'s authentication was re-done to authenticate via a named pipe. (patch and new xlock binaries included).</a>
 <li><a href=errata28.html#procfs>Dec 18, 2000:  <li><a href="errata28.html#procfs">Dec 18, 2000:
         Procfs contains numerous overflows. Procfs is not used by default in OpenBSD. (patch included).</a>          Procfs contains numerous overflows. Procfs is not used by default in OpenBSD. (patch included).</a>
 <li><a href=errata28.html#kerberos2>Dec 10, 2000:  <li><a href="errata28.html#kerberos2">Dec 10, 2000:
         Another problem exists in KerberosIV libraries (patch included).</a>          Another problem exists in KerberosIV libraries (patch included).</a>
 <li><a href=errata28.html#kerberos>Dec 7, 2000:  <li><a href="errata28.html#kerberos">Dec 7, 2000:
         A set of problems in KerberosIV exist (patch included).</a>          A set of problems in KerberosIV exist (patch included).</a>
 <li><a href=errata28.html#ftpd>Dec 4, 2000:  <li><a href="errata28.html#ftpd">Dec 4, 2000:
         A single-byte buffer overflow exists in ftpd (patch included).</a>          A single-byte buffer overflow exists in ftpd (patch included).</a>
 </ul>  </ul>
   
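Review bot: The 2.8 intro still reads "patch branch</a>. for 2.8 is no longer being maintained", with a stray period directly after the closing </a> that splits the sentence in two. This line is already being touched for the href quoting, so drop the period here so that "The patch branch for 2.8 is no longer being maintained" reads as one sentence.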
Line 825 
Line 828 
 <li>  <li>
 <a name="27"></a>  <a name="27"></a>
   
 <h3><font color=#e00000>OpenBSD 2.7 Security Advisories</font></h3>  <h3><font color="#e00000">OpenBSD 2.7 Security Advisories</font></h3>
 These are the OpenBSD 2.7 advisories -- all these problems are solved  These are the OpenBSD 2.7 advisories -- all these problems are solved
 in <a href=anoncvs.html>OpenBSD current</a>.  Obviously, all the  in <a href="anoncvs.html">OpenBSD current</a>.  Obviously, all the
 OpenBSD 2.6 advisories listed below are fixed in OpenBSD 2.7.  OpenBSD 2.6 advisories listed below are fixed in OpenBSD 2.7.
   
 <p>  <p>
 <ul>  <ul>
 <li><a href=errata27.html#readline>Mar 18, 2001:  <li><a href="errata27.html#readline">Mar 18, 2001:
         The readline library creates history files with permissive modes based on the user's umask.</a>          The readline library creates history files with permissive modes based on the user's umask.</a>
 <li><a href=errata27.html#sudo>Feb 22, 2001:  <li><a href="errata27.html#sudo">Feb 22, 2001:
         a buffer overflow was fixed in sudo(8).</a>          a buffer overflow was fixed in sudo(8).</a>
 <li><a href=errata27.html#ftpd>Dec 4, 2000:  <li><a href="errata27.html#ftpd">Dec 4, 2000:
         A single-byte buffer overflow exists in ftpd (patch included).</a>          A single-byte buffer overflow exists in ftpd (patch included).</a>
 <li><a href=errata27.html#sshforwarding>Nov 10, 2000:  <li><a href="errata27.html#sshforwarding">Nov 10, 2000:
         Hostile servers can force OpenSSH clients to do agent or X11 forwarding.          Hostile servers can force OpenSSH clients to do agent or X11 forwarding.
         (patch included)</a>          (patch included)</a>
 <li><a href=errata27.html#xtrans>Oct 26, 2000:  <li><a href="errata27.html#xtrans">Oct 26, 2000:
         X11 libraries have 2 potential overflows in xtrans code.          X11 libraries have 2 potential overflows in xtrans code.
         (patch included)</a>          (patch included)</a>
 <li><a href=errata27.html#httpd>Oct 18, 2000:  <li><a href="errata27.html#httpd">Oct 18, 2000:
         Apache mod_rewrite and mod_vhost_alias modules could expose files          Apache mod_rewrite and mod_vhost_alias modules could expose files
         on the server in certain configurations if used.          on the server in certain configurations if used.
         (patch included)</a>          (patch included)</a>
 <li><a href=errata27.html#telnetd>Oct 10, 2000:  <li><a href="errata27.html#telnetd">Oct 10, 2000:
         The telnet daemon does not strip out the TERMINFO, TERMINFO_DIRS,          The telnet daemon does not strip out the TERMINFO, TERMINFO_DIRS,
         TERMPATH and TERMCAP environment variables as it should.          TERMPATH and TERMCAP environment variables as it should.
         (patch included)</a>          (patch included)</a>
 <li><a href=errata27.html#format_strings>Oct 6, 2000:  <li><a href="errata27.html#format_strings">Oct 6, 2000:
         There are printf-style format string bugs in several privileged          There are printf-style format string bugs in several privileged
         programs.  (patch included)</a>          programs.  (patch included)</a>
 <li><a href=errata27.html#curses>Oct 6, 2000:  <li><a href="errata27.html#curses">Oct 6, 2000:
         libcurses honored terminal descriptions in the $HOME/.terminfo          libcurses honored terminal descriptions in the $HOME/.terminfo
         directory as well as in the TERMCAP environment variable for          directory as well as in the TERMCAP environment variable for
         setuid and setgid applications.          setuid and setgid applications.
         (patch included)</a>          (patch included)</a>
 <li><a href=errata27.html#talkd>Oct 6, 2000:  <li><a href="errata27.html#talkd">Oct 6, 2000:
         A format string vulnerability exists in talkd(8).          A format string vulnerability exists in talkd(8).
         (patch included)</a>          (patch included)</a>
 <li><a href=errata27.html#pw_error>Oct 3, 2000:  <li><a href="errata27.html#pw_error">Oct 3, 2000:
         A format string vulnerability exists in the pw_error() function of the          A format string vulnerability exists in the pw_error() function of the
         libutil library, yielding localhost root through chpass(1).          libutil library, yielding localhost root through chpass(1).
         (patch included)</a>          (patch included)</a>
 <li><a href=errata27.html#ipsec>Sep 18, 2000:  <li><a href="errata27.html#ipsec">Sep 18, 2000:
         Bad ESP/AH packets could cause a crash under certain conditions.          Bad ESP/AH packets could cause a crash under certain conditions.
         (patch included)</a>          (patch included)</a>
 <li><a href=errata27.html#xlock>Aug 16, 2000:  <li><a href="errata27.html#xlock">Aug 16, 2000:
         A format string vulnerability (localhost root) exists in xlock(1).          A format string vulnerability (localhost root) exists in xlock(1).
         (patch included)</a>          (patch included)</a>
 <li><a href=errata27.html#X11_libs>July 14, 2000:  <li><a href="errata27.html#X11_libs">July 14, 2000:
         Various bugs found in X11 libraries have various side effects, almost          Various bugs found in X11 libraries have various side effects, almost
         completely denial of service in OpenBSD.          completely denial of service in OpenBSD.
         (patch included)</a>          (patch included)</a>
 <li><a href=errata27.html#ftpd>July 5, 2000:  <li><a href="errata27.html#ftpd">July 5, 2000:
         Just like pretty much all the other unix ftp daemons          Just like pretty much all the other unix ftp daemons
         on the planet, ftpd had a remote root hole in it.          on the planet, ftpd had a remote root hole in it.
         Luckily, ftpd was not enabled by default.          Luckily, ftpd was not enabled by default.
         The problem exists if anonymous ftp is enabled.          The problem exists if anonymous ftp is enabled.
         (patch included)</a>          (patch included)</a>
 <li><a href=errata27.html#mopd>July 5, 2000:  <li><a href="errata27.html#mopd">July 5, 2000:
         Mopd, very rarely used, contained some buffer overflows.          Mopd, very rarely used, contained some buffer overflows.
         (patch included)</a>          (patch included)</a>
 <li><a href=errata27.html#libedit>June 28, 2000:  <li><a href="errata27.html#libedit">June 28, 2000:
         libedit would check for a <b>.editrc</b> file in the current          libedit would check for a <b>.editrc</b> file in the current
         directory.  Not known to be a real security issue, but a patch          directory.  Not known to be a real security issue, but a patch
         is available anyways.          is available anyways.
         (patch included)</a>          (patch included)</a>
 <li><a href=errata27.html#dhclient>June 24, 2000:  <li><a href="errata27.html#dhclient">June 24, 2000:
         A serious bug in dhclient(8) could allow strings from a          A serious bug in dhclient(8) could allow strings from a
         malicious dhcp server to be executed in the shell as root.          malicious dhcp server to be executed in the shell as root.
         (patch included)</a>          (patch included)</a>
 <li><a href=errata27.html#isakmpd>June 9, 2000:  <li><a href="errata27.html#isakmpd">June 9, 2000:
         A serious bug in isakmpd(8) policy handling wherein          A serious bug in isakmpd(8) policy handling wherein
         policy verification could be completely bypassed in isakmpd.          policy verification could be completely bypassed in isakmpd.
         (patch included)</a>          (patch included)</a>
 <li><a href=errata27.html#uselogin>June 6, 2000:  <li><a href="errata27.html#uselogin">June 6, 2000:
         The non-default flag UseLogin in <b>/etc/sshd_config</b> is broken,          The non-default flag UseLogin in <b>/etc/sshd_config</b> is broken,
         should not be used, and results in security problems on          should not be used, and results in security problems on
         other operating systems.</a>          other operating systems.</a>
 <li><a href=errata27.html#bridge>May 26, 2000:  <li><a href="errata27.html#bridge">May 26, 2000:
         The bridge(4) <i>learning</i> flag may be bypassed.          The bridge(4) <i>learning</i> flag may be bypassed.
         (patch included)</a>          (patch included)</a>
 <li><a href=errata27.html#ipf>May 25, 2000:  <li><a href="errata27.html#ipf">May 25, 2000:
         Improper use of ipf <i>keep-state</i> rules can result          Improper use of ipf <i>keep-state</i> rules can result
         in firewall rules being bypassed. (patch included)</a>          in firewall rules being bypassed. (patch included)</a>
   
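Review bot: Two different 2.7 entries link to the same fragment, errata27.html#ftpd: the Dec 4, 2000 single-byte buffer overflow in ftpd and the July 5, 2000 remote root hole in ftpd. A fragment can identify only one errata entry, so one of these links lands on the wrong advisory. Check the anchor names in errata27.html and give the two entries distinct targets while the hrefs are being rewritten anyway.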
Line 916 
Line 919 
 <li>  <li>
 <a name="26"></a>  <a name="26"></a>
   
 <h3><font color=#e00000>OpenBSD 2.6 Security Advisories</font></h3>  <h3><font color="#e00000">OpenBSD 2.6 Security Advisories</font></h3>
 These are the OpenBSD 2.6 advisories -- all these problems are solved  These are the OpenBSD 2.6 advisories -- all these problems are solved
 in <a href=anoncvs.html>OpenBSD current</a>.  Obviously, all the  in <a href="anoncvs.html">OpenBSD current</a>.  Obviously, all the
 OpenBSD 2.5 advisories listed below are fixed in OpenBSD 2.6.  OpenBSD 2.5 advisories listed below are fixed in OpenBSD 2.6.
   
 <p>  <p>
 <ul>  <ul>
 <li><a href=errata26.html#semconfig>May 26, 2000:  <li><a href="errata26.html#semconfig">May 26, 2000:
         SYSV semaphore support contained an undocumented system call          SYSV semaphore support contained an undocumented system call
         which could wedge semaphore-using processes from exiting. (patch included)</a>          which could wedge semaphore-using processes from exiting. (patch included)</a>
 <li><a href=errata26.html#ipf>May 25, 2000:  <li><a href="errata26.html#ipf">May 25, 2000:
         Improper use of ipf <i>keep-state</i> rules can result          Improper use of ipf <i>keep-state</i> rules can result
         in firewall rules being bypassed. (patch included)</a>          in firewall rules being bypassed. (patch included)</a>
 <li><a href=errata26.html#xlockmore>May 25, 2000:  <li><a href="errata26.html#xlockmore">May 25, 2000:
         xlockmore has a bug which a localhost attacker can use to gain          xlockmore has a bug which a localhost attacker can use to gain
         access to the encrypted root password hash (which is normally          access to the encrypted root password hash (which is normally
         encoded using blowfish</a> (see          encoded using blowfish</a> (see
         <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=crypt&sektion=3">          <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=crypt&amp;sektion=3">
         crypt(3)</a>)          crypt(3)</a>)
         (patch included).          (patch included).
 <li><a href=errata26.html#procfs>Jan 20, 2000:  <li><a href="errata26.html#procfs">Jan 20, 2000:
         Systems running with procfs enabled and mounted are          Systems running with procfs enabled and mounted are
         vulnerable to a very tricky exploit.  procfs is not          vulnerable to a very tricky exploit.  procfs is not
         mounted by default.          mounted by default.
         (patch included).</a>          (patch included).</a>
 <li><a href=errata26.html#sendmail>Dec 4, 1999:  <li><a href="errata26.html#sendmail">Dec 4, 1999:
         Sendmail permitted any user to cause a aliases file wrap,          Sendmail permitted any user to cause a aliases file wrap,
         thus exposing the system to a race where the aliases file          thus exposing the system to a race where the aliases file
         did not exist.          did not exist.
         (patch included).</a>          (patch included).</a>
 <li><a href=errata26.html#poll>Dec 4, 1999:  <li><a href="errata26.html#poll">Dec 4, 1999:
         Various bugs in poll(2) may cause a kernel crash.</a>          Various bugs in poll(2) may cause a kernel crash.</a>
 <li><a href=errata26.html#sslUSA>Dec 2, 1999:  <li><a href="errata26.html#sslUSA">Dec 2, 1999:
         A buffer overflow in the RSAREF code included in the          A buffer overflow in the RSAREF code included in the
         USA version of libssl, is possibly exploitable in          USA version of libssl, is possibly exploitable in
         httpd, ssh, or isakmpd, if SSL/RSA features are enabled.          httpd, ssh, or isakmpd, if SSL/RSA features are enabled.
         (patch included).<br></a>          (patch included).<br></a>
         <strong>Update:</strong> Turns out that this was not exploitable          <strong>Update:</strong> Turns out that this was not exploitable
         in any of the software included in OpenBSD 2.6.          in any of the software included in OpenBSD 2.6.
 <li><a href=errata26.html#ifmedia>Nov 9, 1999:  <li><a href="errata26.html#ifmedia">Nov 9, 1999:
         Any user could change interface media configurations, resulting in          Any user could change interface media configurations, resulting in
         a localhost denial of service attack.          a localhost denial of service attack.
         (patch included).</a>          (patch included).</a>
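Review bot: The xlockmore entry is left with unbalanced parentheses and a link that ends mid-sentence: "(which is normally encoded using blowfish</a> (see" opens two groups, but only one is closed after "crypt(3)</a>)", and "(patch included)." falls outside any anchor. Suggest closing the first parenthesis before the crypt(3) link, or restructuring the sentence so the errata link covers the whole description as in the other entries. In the same hunk, the sslUSA entry keeps "<br></a>" with the line break inside the anchor; move the <br> after </a>. The sendmail entry also still says "a aliases file" where "an aliases file" is meant.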
Line 965 
Line 968 
 <li>  <li>
 <a name="25"></a>  <a name="25"></a>
   
 <h3><font color=#e00000>OpenBSD 2.5 Security Advisories</font></h3>  <h3><font color="#e00000">OpenBSD 2.5 Security Advisories</font></h3>
 These are the OpenBSD 2.5 advisories -- all these problems are solved  These are the OpenBSD 2.5 advisories -- all these problems are solved
 in <a href=anoncvs.html>OpenBSD current</a>.  Obviously, all the  in <a href="anoncvs.html">OpenBSD current</a>.  Obviously, all the
 OpenBSD 2.4 advisories listed below are fixed in OpenBSD 2.5.  OpenBSD 2.4 advisories listed below are fixed in OpenBSD 2.5.
   
 <p>  <p>
 <ul>  <ul>
 <li><a href=errata25.html#cron>Aug 30, 1999:  <li><a href="errata25.html#cron">Aug 30, 1999:
         In cron(8), make sure argv[] is NULL terminated in the          In cron(8), make sure argv[] is NULL terminated in the
         fake popen() and run sendmail as the user, not as root.          fake popen() and run sendmail as the user, not as root.
         (patch included).</a>          (patch included).</a>
 <li><a href=errata25.html#miscfs>Aug 12, 1999: The procfs and fdescfs  <li><a href="errata25.html#miscfs">Aug 12, 1999: The procfs and fdescfs
         filesystems had an overrun in their handling of uio_offset          filesystems had an overrun in their handling of uio_offset
         in their readdir() routines. (These filesystems are not          in their readdir() routines. (These filesystems are not
         enabled by default). (patch included).</a>          enabled by default). (patch included).</a>
 <li><a href=errata25.html#profil>Aug 9, 1999: Stop profiling (see profil(2))  <li><a href="errata25.html#profil">Aug 9, 1999: Stop profiling (see profil(2))
         when we execve() a new process. (patch included).</a>          when we execve() a new process. (patch included).</a>
 <li><a href=errata25.html#ipsec_in_use>Aug 6, 1999: Packets that should have  <li><a href="errata25.html#ipsec_in_use">Aug 6, 1999: Packets that should have
         been handled by IPsec may be transmitted as cleartext.          been handled by IPsec may be transmitted as cleartext.
         PF_KEY SA expirations may leak kernel resources.          PF_KEY SA expirations may leak kernel resources.
         (patch included).</a>          (patch included).</a>
 <li><a href=errata25.html#rc>Aug 5, 1999: In /etc/rc, use mktemp(1) for  <li><a href="errata25.html#rc">Aug 5, 1999: In /etc/rc, use mktemp(1) for
         motd re-writing and change the find(1) to use -execdir          motd re-writing and change the find(1) to use -execdir
         (patch included).</a>          (patch included).</a>
 <li><a href=errata25.html#chflags>Jul 30, 1999: Do not permit regular  <li><a href="errata25.html#chflags">Jul 30, 1999: Do not permit regular
         users to chflags(2) or fchflags(2) on character or block devices          users to chflags(2) or fchflags(2) on character or block devices
         which they may currently be the owner of (patch included).</a>          which they may currently be the owner of (patch included).</a>
 <li><a href=errata25.html#nroff>Jul 27, 1999: Cause groff(1) to be invoked  <li><a href="errata25.html#nroff">Jul 27, 1999: Cause groff(1) to be invoked
         with the -S flag, when called by nroff(1) (patch included).</a>          with the -S flag, when called by nroff(1) (patch included).</a>
 </ul>  </ul>
   
Line 1000 
Line 1003 
 <li>  <li>
 <a name="24"></a>  <a name="24"></a>
   
 <h3><font color=#e00000>OpenBSD 2.4 Security Advisories</font></h3>  <h3><font color="#e00000">OpenBSD 2.4 Security Advisories</font></h3>
 These are the OpenBSD 2.4 advisories -- all these problems are solved  These are the OpenBSD 2.4 advisories -- all these problems are solved
 in <a href=anoncvs.html>OpenBSD current</a>.  Obviously, all the  in <a href="anoncvs.html">OpenBSD current</a>.  Obviously, all the
 OpenBSD 2.3 advisories listed below are fixed in OpenBSD 2.4.  OpenBSD 2.3 advisories listed below are fixed in OpenBSD 2.4.
   
 <p>  <p>
 <ul>  <ul>
 <li><a href=errata24.html#poll>Mar 22, 1999: The nfds argument for poll(2) needs  <li><a href="errata24.html#poll">Mar 22, 1999: The nfds argument for poll(2) needs
         to be constrained, to avoid kvm starvation (patch included).</a>          to be constrained, to avoid kvm starvation (patch included).</a>
 <li><a href=errata24.html#tss>Mar 21, 1999: A change in TSS handling stops  <li><a href="errata24.html#tss">Mar 21, 1999: A change in TSS handling stops
         another kernel crash case caused by the <strong>crashme</strong>          another kernel crash case caused by the <strong>crashme</strong>
         program (patch included).</a>          program (patch included).</a>
 <li><a href=errata24.html#nlink>Feb 25, 1999: An unbounded increment on the  <li><a href="errata24.html#nlink">Feb 25, 1999: An unbounded increment on the
         nlink value in FFS and EXT2FS filesystems can cause a system crash.          nlink value in FFS and EXT2FS filesystems can cause a system crash.
         (patch included).</a>          (patch included).</a>
 <li><a href=errata24.html#ping>Feb 23, 1999: Yet another buffer overflow  <li><a href="errata24.html#ping">Feb 23, 1999: Yet another buffer overflow
         existed in ping(8). (patch included).</a>          existed in ping(8). (patch included).</a>
 <li><a href=errata24.html#ipqrace>Feb 19, 1999: ipintr() had a race in use of  <li><a href="errata24.html#ipqrace">Feb 19, 1999: ipintr() had a race in use of
         the ipq, which could permit an attacker to cause a crash.          the ipq, which could permit an attacker to cause a crash.
         (patch included).</a>          (patch included).</a>
 <li><a href=errata24.html#accept>Feb 17, 1999: A race condition in the  <li><a href="errata24.html#accept">Feb 17, 1999: A race condition in the
         kernel between accept(2) and select(2) could permit an attacker          kernel between accept(2) and select(2) could permit an attacker
         to hang sockets from remote.          to hang sockets from remote.
         (patch included).</a>          (patch included).</a>
 <li><a href=errata24.html#maxqueue>Feb 17, 1999: IP fragment assembly can  <li><a href="errata24.html#maxqueue">Feb 17, 1999: IP fragment assembly can
         bog the machine excessively and cause problems.          bog the machine excessively and cause problems.
         (patch included).</a>          (patch included).</a>
 <li><a href=errata24.html#trctrap>Feb 12, 1999: i386 T_TRCTRAP handling and  <li><a href="errata24.html#trctrap">Feb 12, 1999: i386 T_TRCTRAP handling and
         DDB interacted to possibly cause a crash.          DDB interacted to possibly cause a crash.
         (patch included).</a>          (patch included).</a>
 <li><a href=errata24.html#rst>Feb 11, 1999: TCP/IP RST handling was sloppy.  <li><a href="errata24.html#rst">Feb 11, 1999: TCP/IP RST handling was sloppy.
         (patch included).</a>          (patch included).</a>
 <li><a href=errata24.html#bootpd>Nov 27, 1998: There is a remotely exploitable  <li><a href="errata24.html#bootpd">Nov 27, 1998: There is a remotely exploitable
         problem in bootpd(8). (patch included).</a>          problem in bootpd(8). (patch included).</a>
 <li><a href=errata24.html#termcap>Nov 19, 1998: There is a possibly locally  <li><a href="errata24.html#termcap">Nov 19, 1998: There is a possibly locally
         exploitable problem relating to environment variables in termcap          exploitable problem relating to environment variables in termcap
         and curses. (patch included).</a>          and curses. (patch included).</a>
 <li><a href=errata24.html#tcpfix>Nov 13, 1998: There is a remote machine lockup  <li><a href="errata24.html#tcpfix">Nov 13, 1998: There is a remote machine lockup
         bug in the TCP decoding kernel. (patch included).</a>          bug in the TCP decoding kernel. (patch included).</a>
 </ul>  </ul>
   
Line 1045 
Line 1048 
 <li>  <li>
 <a name="23"></a>  <a name="23"></a>
   
 <h3><font color=#e00000>OpenBSD 2.3 Security Advisories</font></h3>  <h3><font color="#e00000">OpenBSD 2.3 Security Advisories</font></h3>
 These are the OpenBSD 2.3 advisories -- all these problems are solved  These are the OpenBSD 2.3 advisories -- all these problems are solved
 in <a href=anoncvs.html>OpenBSD current</a>.  Obviously, all the  in <a href="anoncvs.html">OpenBSD current</a>.  Obviously, all the
 OpenBSD 2.2 advisories listed below are fixed in OpenBSD 2.3.  OpenBSD 2.2 advisories listed below are fixed in OpenBSD 2.3.
   
 <p>  <p>
 <ul>  <ul>
 <li><a href=errata23.html#bootpd>Nov 27, 1998: There is a remotely exploitable  <li><a href="errata23.html#bootpd">Nov 27, 1998: There is a remotely exploitable
         problem in bootpd(8). (patch included).</a>          problem in bootpd(8). (patch included).</a>
 <li><a href=errata23.html#tcpfix>Nov 13, 1998: There is a remote machine lockup  <li><a href="errata23.html#tcpfix">Nov 13, 1998: There is a remote machine lockup
         bug in the TCP decoding kernel. (patch included).</a>          bug in the TCP decoding kernel. (patch included).</a>
 <li><a href=errata23.html#resolver>August 31, 1998: A benign looking resolver  <li><a href="errata23.html#resolver">August 31, 1998: A benign looking resolver
         buffer overflow bug was re-introduced accidentally (patches included).</a>          buffer overflow bug was re-introduced accidentally (patches included).</a>
 <li><a href=errata23.html#chpass>Aug 2, 1998:  <li><a href="errata23.html#chpass">Aug 2, 1998:
         chpass(1) has a file descriptor leak which allows an          chpass(1) has a file descriptor leak which allows an
         attacker to modify /etc/master.passwd.</a>          attacker to modify /etc/master.passwd.</a>
 <li><a href=errata23.html#inetd>July 15, 1998: Inetd had a file descriptor leak.</a>  <li><a href="errata23.html#inetd">July 15, 1998: Inetd had a file descriptor leak.</a>
 <li><a href=errata23.html#fdalloc>Jul  2, 1998: setuid and setgid processes  <li><a href="errata23.html#fdalloc">Jul  2, 1998: setuid and setgid processes
         should not be executed with fd slots 0, 1, or 2 free.          should not be executed with fd slots 0, 1, or 2 free.
         (patch included).</a>          (patch included).</a>
 <li><a href=errata23.html#xlib>June 6, 1998: Further problems with the X  <li><a href="errata23.html#xlib">June 6, 1998: Further problems with the X
         libraries (patches included).</a>          libraries (patches included).</a>
 <li><a href=errata23.html#kill>May 17, 1998: kill(2) of setuid/setgid target  <li><a href="errata23.html#kill">May 17, 1998: kill(2) of setuid/setgid target
         processes too permissive (4th revision patch included).</a>          processes too permissive (4th revision patch included).</a>
 <li><a href=errata23.html#immutable>May 11, 1998: mmap() permits partial bypassing  <li><a href="errata23.html#immutable">May 11, 1998: mmap() permits partial bypassing
         of immutable and append-only file flags. (patch included).</a>          of immutable and append-only file flags. (patch included).</a>
 <li><a href=errata23.html#ipsec>May  5, 1998: Incorrect handling of IPSEC packets  <li><a href="errata23.html#ipsec">May  5, 1998: Incorrect handling of IPSEC packets
         if IPSEC is enabled (patch included).</a>          if IPSEC is enabled (patch included).</a>
 <li><a href=errata23.html#xterm-xaw>May  1, 1998: Buffer overflow in xterm and Xaw  <li><a href="errata23.html#xterm-xaw">May  1, 1998: Buffer overflow in xterm and Xaw
         (CERT advisory VB-98.04) (patch included).</a>          (CERT advisory VB-98.04) (patch included).</a>
 </ul>  </ul>
   
Line 1081 
Line 1084 
 <li>  <li>
 <a name="22"></a>  <a name="22"></a>
   
 <h3><font color=#e00000>OpenBSD 2.2 Security Advisories</font></h3>  <h3><font color="#e00000">OpenBSD 2.2 Security Advisories</font></h3>
 These are the OpenBSD 2.2 advisories.  All these problems are solved  These are the OpenBSD 2.2 advisories.  All these problems are solved
 in <a href=23.html>OpenBSD 2.3</a>.  Some of these problems  in <a href="23.html">OpenBSD 2.3</a>.  Some of these problems
 still exist in other operating systems.  (The supplied patches are for  still exist in other operating systems.  (The supplied patches are for
 OpenBSD 2.2; they may or may not work on OpenBSD 2.1).  OpenBSD 2.2; they may or may not work on OpenBSD 2.1).
   
 <p>  <p>
 <ul>  <ul>
 <li><a href=errata22.html#ipsec>May  5, 1998: Incorrect handling of IPSEC  <li><a href="errata22.html#ipsec">May  5, 1998: Incorrect handling of IPSEC
         packets if IPSEC is enabled (patch included).</a>          packets if IPSEC is enabled (patch included).</a>
 <li><a href=errata22.html#xterm-xaw>May  1, 1998: Buffer overflow in xterm  <li><a href="errata22.html#xterm-xaw">May  1, 1998: Buffer overflow in xterm
         and Xaw (CERT advisory VB-98.04) (patch included).</a>          and Xaw (CERT advisory VB-98.04) (patch included).</a>
 <li><a href=errata22.html#uucpd>Apr 22, 1998: Buffer overflow in uucpd  <li><a href="errata22.html#uucpd">Apr 22, 1998: Buffer overflow in uucpd
         (patch included).</a>          (patch included).</a>
 <li><a href=errata22.html#rmjob>Apr 22, 1998: Buffer mismanagement in lprm  <li><a href="errata22.html#rmjob">Apr 22, 1998: Buffer mismanagement in lprm
         (patch included).</a>          (patch included).</a>
 <li><a href=errata22.html#ping>Mar 31, 1998: Overflow in ping -R (patch included).</a>  <li><a href="errata22.html#ping">Mar 31, 1998: Overflow in ping -R (patch included).</a>
 <li><a href=errata22.html#named>Mar 30, 1998: Overflow in named fake-iquery  <li><a href="errata22.html#named">Mar 30, 1998: Overflow in named fake-iquery
         (patch included).</a>          (patch included).</a>
 <li><a href=errata22.html#mountd>Mar  2, 1998: Accidental NFS filesystem  <li><a href="errata22.html#mountd">Mar  2, 1998: Accidental NFS filesystem
         export (patch included).</a>          export (patch included).</a>
 <li><a href="advisories/mmap.txt">Feb 26, 1998: Read-write mmap() flaw.</a>  <li><a href="advisories/mmap.txt">Feb 26, 1998: Read-write mmap() flaw.</a>
         Revision 3 of the patch is available <a href=errata22.html#mmap>here</a>          Revision 3 of the patch is available <a href="errata22.html#mmap">here</a>
 <li><a href="advisories/sourceroute.txt">Feb 19, 1998: Sourcerouted Packet  <li><a href="advisories/sourceroute.txt">Feb 19, 1998: Sourcerouted Packet
         Acceptance.</a>          Acceptance.</a>
         A patch is available <a href=errata22.html#sourceroute>here</a>.          A patch is available <a href="errata22.html#sourceroute">here</a>.
 <li><a href=errata22.html#ruserok>Feb 13, 1998: Setuid coredump &amp; Ruserok()  <li><a href="errata22.html#ruserok">Feb 13, 1998: Setuid coredump &amp; Ruserok()
         flaw (patch included).</a>          flaw (patch included).</a>
 <li><a href=errata22.html#ldso>Feb  9, 1998: MIPS ld.so flaw (patch included).</a>  <li><a href="errata22.html#ldso">Feb  9, 1998: MIPS ld.so flaw (patch included).</a>
 </ul>  </ul>
   
 <p>  <p>
 <li>  <li>
 <a name="21"></a>  <a name="21"></a>
   
 <h3><font color=#e00000>OpenBSD 2.1 Security Advisories</font></h3>  <h3><font color="#e00000">OpenBSD 2.1 Security Advisories</font></h3>
 These are the OpenBSD 2.1 advisories.  All these problems are solved  These are the OpenBSD 2.1 advisories.  All these problems are solved
 in <a href=22.html>OpenBSD 2.2</a>.  Some of these problems still  in <a href="22.html">OpenBSD 2.2</a>.  Some of these problems still
 exist in other operating systems.  (If you are running OpenBSD 2.1, we  exist in other operating systems.  (If you are running OpenBSD 2.1, we
 would strongly recommend an upgrade to the newest release, as this  would strongly recommend an upgrade to the newest release, as this
 patch list only attempts at fixing the most important security  patch list only attempts at fixing the most important security
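Review bot: The mmap() entry still ends without a full stop after its link (`Revision 3 of the patch is available <a href="errata22.html#mmap">here</a>`), while the sourceroute entry just below it closes with `here</a>.`. Since the line is being touched anyway, add the period. Consider also replacing the bare "here" link text in both entries with wording that names the patch, so the link is meaningful out of context.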
Line 1138 
Line 1141 
 <li>  <li>
 <a name="20"></a>  <a name="20"></a>
   
 <h3><font color=#e00000>OpenBSD 2.0 Security Advisories</font></h3>  <h3><font color="#e00000">OpenBSD 2.0 Security Advisories</font></h3>
 These are the OpenBSD 2.0 advisories.  All these problems are solved  These are the OpenBSD 2.0 advisories.  All these problems are solved
 in <a href=21.html>OpenBSD 2.1</a>.  Some of these problems still  in <a href="21.html">OpenBSD 2.1</a>.  Some of these problems still
 exist in other operating systems.  (If you are running OpenBSD 2.0, we  exist in other operating systems.  (If you are running OpenBSD 2.0, we
 commend you for being there back in the old days!, but you're really  commend you for being there back in the old days!, but you're really
 missing out if you don't install a new version!)  missing out if you don't install a new version!)
Line 1152 
Line 1155 
 <li>Many others... if people can hunt them down, please let me know  <li>Many others... if people can hunt them down, please let me know
         and we'll put them up here.          and we'll put them up here.
 </ul>  </ul>
   
 </dl>  
 <p>  <p>
   
 <a name="watching"></a>  <a name="watching"></a>
 <li><h3><font color=#e00000>Watching our Changes</font></h3><p>  <li><h3><font color="#e00000">Watching our Changes</font></h3><p>
   
 Since we take a proactive stance with security, we are continually  Since we take a proactive stance with security, we are continually
 finding and fixing new security problems.  Not all of these problems  finding and fixing new security problems.  Not all of these problems
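Review bot: `<a name="watching"></a>` still sits before its `<li>`, so with the implied `</li>` it is parsed as part of the preceding OpenBSD 2.0 item rather than the "Watching our Changes" item it labels. The 2.2, 2.1 and 2.0 sections in this same diff put the anchor after `<li>`. Move the anchor, and the `<p>` above it, inside the `<li>` so the section markup is consistent now that the `</dl>` has been dropped.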
Line 1177 
Line 1178 
   
 <ul>  <ul>
 <li>If you understand security issues, watch our  <li>If you understand security issues, watch our
         <a href=mail.html>source-changes mailing list</a> and keep an          <a href="mail.html">source-changes mailing list</a> and keep an
         eye out for things which appear security related.  Since          eye out for things which appear security related.  Since
         exploitability is not proven for many of the fixes we make,          exploitability is not proven for many of the fixes we make,
         do not expect the relevant commit message to say "SECURITY FIX!".          do not expect the relevant commit message to say "SECURITY FIX!".
Line 1201 
Line 1202 
   
 <p>  <p>
 <a name="reporting"></a>  <a name="reporting"></a>
 <li><h3><font color=#e00000>Reporting problems</font></h3><p>  <li><h3><font color="#e00000">Reporting problems</font></h3><p>
   
 <p> If you find a new security problem, you can mail it to  <p> If you find a new security problem, you can mail it to
 <a href=mailto:deraadt@openbsd.org>deraadt@openbsd.org</a>.  <a href="mailto:deraadt@openbsd.org">deraadt@openbsd.org</a>.
 <br>  <br>
 If you wish to PGP encode it (but please only do so if privacy is very  If you wish to PGP encode it (but please only do so if privacy is very
 urgent, since it is inconvenient) use this <a href="advisories/pgpkey.txt">pgp key</a>.  urgent, since it is inconvenient) use this <a href="advisories/pgpkey.txt">pgp key</a>.
   
 <p>  <p>
 <a name="papers"></a>  <a name="papers"></a>
 <li><h3><font color=#e00000>Further Reading</font></h3><p>  <li><h3><font color="#e00000">Further Reading</font></h3><p>
   
 A number of papers have been written by OpenBSD team members, about security  A number of papers have been written by OpenBSD team members, about security
 related changes they have done in OpenBSD.  The postscript versions of these  related changes they have done in OpenBSD.  The postscript versions of these
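Review bot: The "Reporting problems" heading line ends with `</h3><p>` and the next content line opens with another `<p> If you find ...`, which leaves an empty paragraph, something HTML 4.01 discourages; drop one of the two `<p>` tags while converting the page. The `<a name="reporting"></a>` and `<a name="papers"></a>` anchors also precede their `<li>`, unlike the per-release sections, and could move inside it in the same pass.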
Line 1219 
Line 1220 
   
 <ul>  <ul>
 <li>A Future-Adaptable Password Scheme.<br>  <li>A Future-Adaptable Password Scheme.<br>
     <a href=events.html#usenix99>Usenix 1999</a>,      <a href="events.html#usenix99">Usenix 1999</a>,
     by <a href=mailto:provos@openbsd.org>Niels Provos</a>,      by <a href="mailto:provos@openbsd.org">Niels Provos</a>,
     <a href=mailto:dm@openbsd.org>David Mazieres</a>.<br>      <a href="mailto:dm@openbsd.org">David Mazieres</a>.<br>
     <a href=papers/bcrypt-paper.ps>paper</a> and      <a href="papers/bcrypt-paper.ps">paper</a> and
     <a href=papers/bcrypt-slides.ps>slides</a>.      <a href="papers/bcrypt-slides.ps">slides</a>.
 <p>  <p>
 <li>Cryptography in OpenBSD: An Overview.<br>  <li>Cryptography in OpenBSD: An Overview.<br>
     <a href=events.html#usenix99>Usenix 1999</a>,      <a href="events.html#usenix99">Usenix 1999</a>,
     by <a href=mailto:deraadt@openbsd.org>Theo de Raadt</a>,      by <a href="mailto:deraadt@openbsd.org">Theo de Raadt</a>,
     <a href=mailto:niklas@openbsd.org>Niklas Hallqvist</a>,      <a href="mailto:niklas@openbsd.org">Niklas Hallqvist</a>,
     <a href=mailto:art@openbsd.org>Artur Grabowski</a>,      <a href="mailto:art@openbsd.org">Artur Grabowski</a>,
     <a href=mailto:angelos@openbsd.org>Angelos D. Keromytis</a>,      <a href="mailto:angelos@openbsd.org">Angelos D. Keromytis</a>,
     <a href=mailto:provos@openbsd.org>Niels Provos</a>.<br>      <a href="mailto:provos@openbsd.org">Niels Provos</a>.<br>
     <a href=papers/crypt-paper.ps>paper</a> and      <a href="papers/crypt-paper.ps">paper</a> and
     <a href=papers/crypt-slides.ps>slides</a>.      <a href="papers/crypt-slides.ps">slides</a>.
 <p>  <p>
 <li>strlcpy and strlcat -- consistent, safe, string copy and concatenation.<br>  <li>strlcpy and strlcat -- consistent, safe, string copy and concatenation.<br>
     <a href=events.html#usenix99>Usenix 1999</a>,      <a href="events.html#usenix99">Usenix 1999</a>,
     by <a href=mailto:millert@openbsd.org>Todd C. Miller</a>,      by <a href="mailto:millert@openbsd.org">Todd C. Miller</a>,
     <a href=mailto:deraadt@openbsd.org>Theo de Raadt</a>.<br>      <a href="mailto:deraadt@openbsd.org">Theo de Raadt</a>.<br>
     <a href=papers/strlcpy-paper.ps>paper</a> and      <a href="papers/strlcpy-paper.ps">paper</a> and
     <a href=papers/strlcpy-slides.ps>slides</a>.      <a href="papers/strlcpy-slides.ps">slides</a>.
 <p>  <p>
 <li>Dealing with Public Ethernet Jacks-Switches, Gateways, and Authentication.<br>  <li>Dealing with Public Ethernet Jacks-Switches, Gateways, and Authentication.<br>
     <a href=events.html#lisa99>LISA 1999</a>,      <a href="events.html#lisa99">LISA 1999</a>,
     by <a href=mailto:beck@openbsd.org>Bob Beck</a>.<br>      by <a href="mailto:beck@openbsd.org">Bob Beck</a>.<br>
     <a href=papers/authgw-paper.ps>paper</a> and      <a href="papers/authgw-paper.ps">paper</a> and
     <a href=papers/authgw-slides.ps>slides</a>.      <a href="papers/authgw-slides.ps">slides</a>.
 <p>  <p>
 <li>Encrypting Virtual Memory<br>  <li>Encrypting Virtual Memory<br>
     <a href=events.html#sec2000>Usenix Security 2000</a>,      <a href="events.html#sec2000">Usenix Security 2000</a>,
     <a href=mailto:provos@openbsd.org>Niels Provos</a>.<br>      <a href="mailto:provos@openbsd.org">Niels Provos</a>.<br>
     <a href=papers/swapencrypt.ps>paper</a> and      <a href="papers/swapencrypt.ps">paper</a> and
     <a href=papers/swapencrypt-slides.ps>slides</a>.      <a href="papers/swapencrypt-slides.ps">slides</a>.
 <p>  <p>
 </ul>  </ul>
   </ul>
   
 </dl>  
   
 <hr>  <hr>
 <a href=index.html><img height=24 width=24 src=back.gif border=0 alt=OpenBSD></a>  <a href="index.html"><img height=24 width=24 src="back.gif" border=0 alt="OpenBSD"></a>
 <a href=mailto:www@openbsd.org>www@openbsd.org</a>  <a href="mailto:www@openbsd.org">www@openbsd.org</a>
 <br>  <br>
 <small>$OpenBSD$</small>  <small>$OpenBSD$</small>
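Review bot: On the footer image only `src` and `alt` were quoted; `height=24 width=24` and `border=0` are left bare. That is legal for these values but inconsistent with a change whose purpose is quoting attribute values, so quote them too. Separately, the added `</ul>` stands where a `</dl>` was removed, and its opening tag is outside this hunk, so a validator run against the new doctype would confirm the outer list now balances.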
   
