OpenBSD Security

=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/security.html,v retrieving revision 1.293 retrieving revision 1.294 diff -u -r1.293 -r1.294 --- www/security.html 2004/06/12 23:43:14 1.293 +++ www/security.html 2004/06/16 01:06:19 1.294 @@ -1,8 +1,10 @@ - + OpenBSD Security - + + @@ -13,7 +15,8 @@

Security

@@ -23,15 +26,15 @@

-Security goals of the Project.
-Full Disclosure policy.
-Source code auditing process.
-"Secure by Default".
-Use of Cryptography.
+Security goals of the Project.
+Full Disclosure policy.
+Source code auditing process.
+"Secure by Default".
+Use of Cryptography.

-Watching changes.
-Reporting security issues.
-Further Reading
+Watching changes.
+Reporting security issues.
+Further Reading

@@ -57,9 +60,9 @@

Goal
+
- Goal
  OpenBSD believes in strong security. Our aspiration is to be NUMBER ONE in the industry for security (if we are not already there). Our @@ -71,7 +74,7 @@ fixing security problems.
  -
- Full Disclosure
  +
- Full Disclosure
  Like many readers of the @@ -88,7 +91,7 @@ people who really care about security.
  -
- Audit Process
  +
- Audit Process
  Our security auditing team typically has between six and twelve members who continue to search for and fix new security holes. We @@ -131,7 +134,7 @@
  -
- New Technologies
  +
- New Technologies
  As we audit source code, we often invent new ways of solving problems. Sometimes these ideas have been used before in some random application @@ -158,7 +161,7 @@
-
The Reward
+
The Reward
Our proactive auditing process has really paid off. Statements like ``This problem was fixed in OpenBSD about 6 months ago'' have become @@ -191,7 +194,7 @@ to find and fix new security flaws.
-
"Secure by Default"
+
"Secure by Default"
To ensure that novice users of OpenBSD do not need to become security experts overnight (a viewpoint which other vendors seem to have), we @@ -207,48 +210,48 @@ within minutes after their first install.
-
Cryptography
+
Cryptography
And of course, since the OpenBSD project is based in Canada, it is possible for us to integrate cryptography. For more information, read the page outlining what we have done with cryptography.
-
Advisories
+
Advisories
-
OpenBSD 3.5 Security Advisories
+
OpenBSD 3.5 Security Advisories
These are the OpenBSD 3.5 advisories -- all these problems are solved in OpenBSD current and the patch branch.
- Jun 12, 2004: +
- Jun 12, 2004: Multiple vulnerabilites have been found in httpd(8) / mod_ssl. -
- Jun 10, 2004: +
- Jun 10, 2004: isakmpd(8) still has issues with unauthorized SA deletion, an attacker can delete IPsec tunnels at will. -
- Jun 9, 2004: +
- Jun 9, 2004: Multiple remote vulnerabilities have been found in the cvs(1) server which can be used by CVS clients to crash or execute arbitrary code on the server. -
- May 30, 2004: +
- May 30, 2004: kdc(8) performs inadequate checking of request fields, leading to the possibility of principal impersonation from other Kerberos realms if they are trusted with a cross-realm trust. -
- May 26, 2004: +
- May 26, 2004: xdm(1) ignores the requestPort resource and creates a listening socket regardless of the setting in xdm-config. -
- May 20, 2004: +
- May 20, 2004: A buffer overflow in the cvs(1) server has been found, which can be used by CVS clients to execute arbitrary code on the server. -
- May 13, 2004: +
- May 13, 2004: Integer overflow problems were found in procfs, allowing reading of arbitrary kernel memory. -
- May 5, 2004: +
- May 5, 2004: Pathname validation problems have been found in cvs(1), allowing clients and servers access to files outside the repository or local CVS tree. @@ -258,61 +261,61 @@
- -
  OpenBSD 3.4 Security Advisories
  +
  OpenBSD 3.4 Security Advisories
  These are the OpenBSD 3.4 advisories -- all these problems are solved -in OpenBSD current and the -patch branch. +in OpenBSD current and the +patch branch.
  - Jun 12, 2004: +
  - Jun 12, 2004: Multiple vulnerabilites have been found in httpd(8) / mod_ssl. -
  - Jun 10, 2004: +
  - Jun 10, 2004: isakmpd(8) still has issues with unauthorized SA deletion, an attacker can delete IPsec tunnels at will. -
  - Jun 9, 2004: +
  - Jun 9, 2004: Multiple remote vulnerabilities have been found in the cvs(1) server which can be used by CVS clients to crash or execute arbitrary code on the server. -
  - May 30, 2004: +
  - May 30, 2004: kdc(8) performs inadequate checking of request fields, leading to the possibility of principal impersonation from other Kerberos realms if they are trusted with a cross-realm trust. -
  - May 20, 2004: +
  - May 20, 2004: A buffer overflow in the cvs(1) server has been found, which can be used by CVS clients to execute arbitrary code on the server. -
  - May 13, 2004: +
  - May 13, 2004: Integer overflow problems were found in procfs, allowing reading of arbitrary kernel memory. -
  - May 5, 2004: +
  - May 5, 2004: Pathname validation problems have been found in cvs(1), allowing clients and servers access to files outside the repository or local CVS tree. -
  - March 17, 2004: +
  - March 17, 2004: A missing check for a NULL-pointer dereference may allow a remote attacker to crash applications using OpenSSL. -
  - March 17, 2004: +
  - March 17, 2004: Defects in the payload validation and processing functions of isakmpd have been discovered. An attacker could send malformed ISAKMP messages and cause isakmpd to crash or to loop endlessly. -
  - March 13, 2004: +
  - March 13, 2004: Due to a bug in the parsing of Allow/Deny rules for httpd(8)'s access module, using IP addresses without a netmask on big endian 64-bit platforms causes the rules to fail to match. -
  - February 8, 2004: +
  - February 8, 2004: An IPv6 MTU handling problem exists that could be used by an attacker to cause a denial of service attack. -
  - February 5, 2004: +
  - February 5, 2004: A reference counting bug in shmat(2) could be used to write to kernel memory under certain circumstances. -
  - January 13, 2004: +
  - January 13, 2004: Several message handling flaws in isakmpd(8) have been reported by Thomas Walpuski. -
  - November 17, 2003: +
  - November 17, 2003: It may be possible for a local user to overrun the stack in compat_ibcs2(8) and cause a kernel panic. -
  - November 1, 2003: +
  - November 1, 2003: The use of certain ASN.1 encodings or malformed public keys may allow an attacker to mount a denial of service attack against applications linked with ssl(3). @@ -327,61 +330,61 @@
  - -
    OpenBSD 3.3 Security Advisories
    +
    OpenBSD 3.3 Security Advisories
    These are the OpenBSD 3.3 advisories -- all these problems are solved -in OpenBSD current. The -patch branch for 3.3 is no longer being maintained, +in OpenBSD current. The +patch branch for 3.3 is no longer being maintained, you should update your machine.
    - May 5, 2004: +
    - May 5, 2004: Pathname validation problems have been found in cvs(1), allowing clients and servers access to files outside the repository or local CVS tree. -
    - March 17, 2004: +
    - March 17, 2004: A missing check for a NULL-pointer dereference may allow a remote attacker to crash applications using OpenSSL. -
    - March 17, 2004: +
    - March 17, 2004: Defects in the payload validation and processing functions of isakmpd have been discovered. An attacker could send malformed ISAKMP messages and cause isakmpd to crash or to loop endlessly. -
    - March 13, 2004: +
    - March 13, 2004: Due to a bug in the parsing of Allow/Deny rules for httpd(8)'s access module, using IP addresses without a netmask on big endian 64-bit platforms causes the rules to fail to match. -
    - February 8, 2004: +
    - February 8, 2004: An IPv6 MTU handling problem exists that could be used by an attacker to cause a denial of service attack. -
    - February 5, 2004: +
    - February 5, 2004: A reference counting bug in shmat(2) could be used to write to kernel memory under certain circumstances. -
    - January 15, 2004: +
    - January 15, 2004: Several message handling flaws in isakmpd(8) have been reported by Thomas Walpuski. -
    - November 17, 2003: +
    - November 17, 2003: It may be possible for a local user to execute arbitrary code resulting in escalation of privileges due to a stack overrun in compat_ibcs2(8). -
    - October 1, 2003: +
    - October 1, 2003: The use of certain ASN.1 encodings or malformed public keys may allow an attacker to mount a denial of service attack against applications linked with ssl(3). -
    - September 24, 2003: +
    - September 24, 2003: Access of freed memory in pf(4) could be used to remotely panic a machine using scrub rules. -
    - September 17, 2003: +
    - September 17, 2003: A buffer overflow in the address parsing in sendmail(8) may allow an attacker to gain root privileges. -
    - September 16, 2003: +
    - September 16, 2003: OpenSSH versions prior to 3.7 contains a buffer management error that is potentially exploitable. -
    - September 10, 2003: +
    - September 10, 2003: Root may be able to reduce the security level by taking advantage of an integer overflow when the semaphore limits are made very large. -
    - August 20, 2003: +
    - August 20, 2003: An improper bounds check in the kernel may allow a local user to panic the kernel. -
    - August 4, 2003: +
    - August 4, 2003: An off-by-one error exists in the C library function realpath(3) may allow an attacker to gain escalated privileges.
    @@ -391,78 +394,78 @@
  - -
    OpenBSD 3.2 Security Advisories
    +
    OpenBSD 3.2 Security Advisories
    These are the OpenBSD 3.2 advisories -- all these problems are solved -in OpenBSD current. The -patch branch for 3.2 is no longer being maintained, +in OpenBSD current. The +patch branch for 3.2 is no longer being maintained, you should update your machine.
    - October 1, 2003: +
    - October 1, 2003: The use of certain ASN.1 encodings or malformed public keys may allow an attacker to mount a denial of service attack against applications linked with ssl(3). This does not affect OpenSSH. -
    - September 24, 2003: +
    - September 24, 2003: Access of freed memory in pf(4) could be used to remotely panic a machine using scrub rules. -
    - September 17, 2003: +
    - September 17, 2003: A buffer overflow in the address parsing in sendmail(8) may allow an attacker to gain root privileges. -
    - September 16, 2003: +
    - September 16, 2003: OpenSSH versions prior to 3.7 contains a buffer management error that is potentially exploitable. -
    - August 25, 2003: +
    - August 25, 2003: Fix for a potential security issue in sendmail(8) with respect to DNS maps. -
    - August 4, 2003: +
    - August 4, 2003: An off-by-one error exists in the C library function realpath(3) may allow an attacker to gain escalated privileges. -
    - March 31, 2003: +
    - March 31, 2003: A buffer overflow in the address parsing in sendmail(8) may allow an attacker to gain root privileges. -
    - March 24, 2003: +
    - March 24, 2003: A cryptographic weaknesses in the Kerberos v4 protocol can be exploited on Kerberos v5 as well. -
    - March 19, 2003: +
    - March 19, 2003: OpenSSL is vulnerable to an extension of the ``Bleichenbacher'' attack designed by Czech researchers Klima, Pokorny and Rosa. -
    - March 18, 2003: +
    - March 18, 2003: Various SSL and TLS operations in OpenSSL are vulnerable to timing attacks. -
    - March 5, 2003: +
    - March 5, 2003: A buffer overflow in lprm(1) may allow an attacker to elevate privileges to user daemon.. -
    - March 3, 2003: +
    - March 3, 2003: A buffer overflow in the envelope comments processing in sendmail(8) may allow an attacker to gain root privileges. -
    - February 25, 2003: +
    - February 25, 2003: httpd(8) leaks file inode numbers via ETag header as well as child PIDs in multipart MIME boundary generation. This could lead, for example, to NFS exploitation because it uses inode numbers as part of the file handle. -
    - February 22, 2003: +
    - February 22, 2003: In ssl(8) an information leak can occur via timing by performing a MAC computation even if incorrect block cipher padding has been found, this is a countermeasure. Also, check for negative sizes, in allocation routines. -
    - January 20, 2003: +
    - January 20, 2003: A double free exists in cvs(1) that could lead to privilege escalation for cvs configurations where the cvs command is run as a privileged user. -
    - November 14, 2002: +
    - November 14, 2002: A buffer overflow exists in named(8) that could lead to a remote crash or code execution as user named in a chroot jail. -
    - November 6, 2002: +
    - November 6, 2002: A logic error in the pool kernel memory allocator could cause memory corruption in low-memory situations, causing the system to crash. -
    - November 6, 2002: +
    - November 6, 2002: An attacker can bypass smrsh(8)'s restrictions and execute arbitrary commands with the privileges of his own account. -
    - November 6, 2002: +
    - November 6, 2002: Network bridges running pf with scrubbing enabled could cause mbuf corruption, causing the system to crash. -
    - October 21, 2002: +
    - October 21, 2002: A buffer overflow can occur in the kadmind(8) daemon, leading to possible remote crash or exploit.
    @@ -471,101 +474,101 @@
  - -
    OpenBSD 3.1 Security Advisories
    +
    OpenBSD 3.1 Security Advisories
    These are the OpenBSD 3.1 advisories -- all these problems are solved -in OpenBSD current. The -patch branch for 3.1 is no longer being maintained, +in OpenBSD current. The +patch branch for 3.1 is no longer being maintained, you should update your machine.
    - March 31, 2003: +
    - March 31, 2003: A buffer overflow in the address parsing in sendmail(8) may allow an attacker to gain root privileges. -
    - March 24, 2003: +
    - March 24, 2003: A cryptographic weaknesses in the Kerberos v4 protocol can be exploited on Kerberos v5 as well. -
    - March 19, 2003: +
    - March 19, 2003: OpenSSL is vulnerable to an extension of the ``Bleichenbacher'' attack designed by Czech researchers Klima, Pokorny and Rosa. -
    - March 18, 2003: +
    - March 18, 2003: Various SSL and TLS operations in OpenSSL are vulnerable to timing attacks. -
    - March 4, 2003: +
    - March 4, 2003: A buffer overflow in lprm(1) may allow an attacker to gain root privileges. -
    - March 3, 2003: +
    - March 3, 2003: A buffer overflow in the envelope comments processing in sendmail(8) may allow an attacker to gain root privileges. -
    - February 23, 2003: +
    - February 23, 2003: In ssl(8) an information leak can occur via timing by performing a MAC computation even if incorrect block cipher padding has been found, this is a countermeasure. Also, check for negative sizes, in allocation routines. -
    - January 20, 2003: +
    - January 20, 2003: A double free exists in cvs(1) that could lead to privilege escalation for cvs configurations where the cvs command is - run as a privileged user. -
    - November 14, 2002: + run as a privileged user. +
    - November 14, 2002: A buffer overflow exists in named(8) that could lead to a remote crash or code execution as user named in a chroot jail. -
    - November 6, 2002: +
    - November 6, 2002: Incorrect argument checking in the getitimer(2) system call may allow an attacker to crash the system. -
    - November 6, 2002: +
    - November 6, 2002: An attacker can bypass smrsh(8)'s restrictions and execute arbitrary commands with the privileges of his own account. -
    - October 21, 2002: +
    - October 21, 2002: A buffer overflow can occur in the kadmind(8) daemon, leading to possible remote crash or exploit. -
    - October 2, 2002: +
    - October 2, 2002: Incorrect argument checking in the setitimer(2) system call may allow an attacker to write to kernel memory. -
    - August 11, 2002: +
    - August 11, 2002: An insufficient boundary check in the select system call allows an attacker to overwrite kernel memory and execute arbitrary code in kernel context. -
    - July 30, 2002: +
    - July 30, 2002: Several remote buffer overflows can occur in the SSL2 server and SSL3 client of the ssl(8) library, as in the ASN.1 parser code in the crypto(3) library, all of them being potentially remotely exploitable. -
    - July 29, 2002: +
    - July 29, 2002: A buffer overflow can occur in the xdr_array(3) RPC code, leading to possible remote crash. -
    - July 29, 2002: +
    - July 29, 2002: A race condition exists in the pppd(8) daemon which may cause it to alter the file permissions of an arbitrary file. -
    - July 5, 2002: +
    - July 5, 2002: Receiving IKE payloads out of sequence can cause isakmpd(8) to crash. -
    - June 27, 2002: +
    - June 27, 2002: The kernel would let any user ktrace set[ug]id processes. -
    - June 26, 2002: +
    - June 26, 2002: A buffer overflow can occur in the .htaccess parsing code in mod_ssl httpd module, leading to possible remote crash or exploit. -
    - June 25, 2002: +
    - June 25, 2002: A potential buffer overflow in the DNS resolver has been found. -
    - June 24, 2002: +
    - June 24, 2002: All versions of OpenSSH's sshd between 2.3.1 and 3.3 contain an input validation error that can result in an integer overflow and privilege escalation. -
    - June 19, 2002: +
    - June 19, 2002: A buffer overflow can occur during the interpretation of chunked encoding in httpd(8), leading to possible remote crash. -
    - May 22, 2002: +
    - May 22, 2002: Under certain conditions, on systems using YP with netgroups in the password database, it is possible that sshd(8) does ACL checks for the requested user name but uses the password database entry of a different user for authentication. This means that denied users might authenticate successfully while permitted users could be locked out. -
    - May 8, 2002: +
    - May 8, 2002: A race condition exists that could defeat the kernel's protection of fd slots 0-2 for setuid processes. -
    - April 25, 2002: +
    - April 25, 2002: A bug in sudo may allow an attacker to corrupt the heap. -
    - April 22, 2002: +
    - April 22, 2002: A local user can gain super-user privileges due to a buffer overflow in sshd(8) if AFS has been configured on the system or if KerberosTgtPassing or AFSTokenPassing has been enabled @@ -576,108 +579,108 @@
    - -
      OpenBSD 3.0 Security Advisories
      +
      OpenBSD 3.0 Security Advisories
      These are the OpenBSD 3.0 advisories -- all these problems are solved -in OpenBSD current. The -patch branch for 3.0 is no longer being maintained, +in OpenBSD current. The +patch branch for 3.0 is no longer being maintained, you should update your machine.
      - November 14, 2002: +
      - November 14, 2002: A buffer overflow exists in named(8) that could lead to a remote crash or code execution as user named in a chroot jail. -
      - November 6, 2002: +
      - November 6, 2002: Incorrect argument checking in the getitimer(2) system call may allow an attacker to crash the system. -
      - November 6, 2002: +
      - November 6, 2002: An attacker can bypass smrsh(8)'s restrictions and execute arbitrary commands with the privileges of his own account. -
      - October 21, 2002: +
      - October 21, 2002: A buffer overflow can occur in the kadmind(8) daemon, leading to possible remote crash or exploit. -
      - October 7, 2002: +
      - October 7, 2002: Incorrect argument checking in the setitimer(2) system call may allow an attacker to write to kernel memory. -
      - August 11, 2002: +
      - August 11, 2002: An insufficient boundary check in the select and poll system calls allows an attacker to overwrite kernel memory and execute arbitrary code in kernel context. -
      - July 30, 2002: +
      - July 30, 2002: Several remote buffer overflows can occur in the SSL2 server and SSL3 client of the ssl(8) library, as in the ASN.1 parser code in the crypto(3) library, all of them being potentially remotely exploitable. -
      - July 29, 2002: +
      - July 29, 2002: A buffer overflow can occur in the xdr_array(3) RPC code, leading to possible remote crash. -
      - July 29, 2002: +
      - July 29, 2002: A race condition exists in the pppd(8) daemon which may cause it to alter the file permissions of an arbitrary file. -
      - July 5, 2002: +
      - July 5, 2002: Receiving IKE payloads out of sequence can cause isakmpd(8) to crash. -
      - June 27, 2002: +
      - June 27, 2002: The kernel would let any user ktrace set[ug]id processes. -
      - June 25, 2002: +
      - June 25, 2002: A potential buffer overflow in the DNS resolver has been found. -
      - June 24, 2002: +
      - June 24, 2002: All versions of OpenSSH's sshd between 2.3.1 and 3.3 contain an input validation error that can result in an integer overflow and privilege escalation. -
      - June 24, 2002: +
      - June 24, 2002: A buffer overflow can occur in the .htaccess parsing code in mod_ssl httpd module, leading to possible remote crash or exploit. -
      - June 19, 2002: +
      - June 19, 2002: A buffer overflow can occur during the interpretation of chunked encoding in httpd(8), leading to possible remote crash. -
      - May 8, 2002: +
      - May 8, 2002: A race condition exists that could defeat the kernel's protection of fd slots 0-2 for setuid processes. -
      - April 25, 2002: +
      - April 25, 2002: A bug in sudo may allow an attacker to corrupt the heap. -
      - April 22, 2002: +
      - April 22, 2002: A local user can gain super-user privileges due to a buffer overflow in sshd(8) if AFS has been configured on the system or if KerberosTgtPassing or AFSTokenPassing has been enabled in the sshd_config file. -
      - April 11, 2002: +
      - April 11, 2002: The mail(1) was interpreting tilde escapes even when invoked in non-interactive mode. As mail(1) is called as root from cron, this can lead to a local root compromise. -
      - March 19, 2002: +
      - March 19, 2002: Under certain conditions, on systems using YP with netgroups in the password database, it is possible for the rexecd(8) and rshd(8) daemons to execute a shell from a password database entry for a different user. Similarly, atrun(8) may change to the wrong home directory when running jobs. -
      - March 13, 2002: +
      - March 13, 2002: A potential double free() exists in the zlib library; this is not exploitable on OpenBSD. The kernel also contains a copy of zlib; it is not currently known if the kernel zlib is exploitable. -
      - March 8, 2002: +
      - March 8, 2002: An off-by-one check in OpenSSH's channel forwarding code may allow a local user to gain super-user privileges. -
      - January 21, 2002: +
      - January 21, 2002: A race condition between the ptrace(2) and execve(2) system calls allows an attacker to modify the memory contents of suid/sgid processes which could lead to compromise of the super-user account. -
      - January 17, 2002: +
      - January 17, 2002: There is a security hole in sudo(8) that can be exploited when the Postfix sendmail replacement is installed that may allow an attacker on the local host to gain root privileges. -
      - November 28, 2001: +
      - November 28, 2001: An attacker can trick a machine running the lpd daemon into creating new files in the root directory from a machine with remote line printer access. -
      - November 13, 2001: +
      - November 13, 2001: The vi.recover script can be abused in such a way as to cause arbitrary zero-length files to be removed. -
      - November 13, 2001: +
      - November 13, 2001: pf(4) was incapable of dealing with certain ipv6 icmp packets, resulting in a crash. -
      - November 12, 2001: +
      - November 12, 2001: A security hole that may allow an attacker to partially authenticate if -- and only if -- the administrator has enabled KerberosV.
      @@ -686,77 +689,77 @@
    - -
      OpenBSD 2.9 Security Advisories
      +
      OpenBSD 2.9 Security Advisories
      These are the OpenBSD 2.9 advisories -- all these problems are solved -in OpenBSD current. The -patch branch. for 2.9 is no longer being maintained, +in OpenBSD current. The +patch branch. for 2.9 is no longer being maintained, you should update your machine.
      - June 25, 2002: +
      - June 25, 2002: A potential buffer overflow in the DNS resolver has been found. -
      - May 8, 2002: +
      - May 8, 2002: A race condition exists that could defeat the kernel's protection of fd slots 0-2 for setuid processes. -
      - April 25, 2002: +
      - April 25, 2002: A bug in sudo may allow an attacker to corrupt the heap. -
      - April 22, 2002: +
      - April 22, 2002: A local user can gain super-user privileges due to a buffer overflow in sshd(8) if AFS has been configured on the system or if KerberosTgtPassing or AFSTokenPassing has been enabled in the sshd_config file. -
      - April 11, 2002: +
      - April 11, 2002: The mail(1) was interpreting tilde escapes even when invoked in non-interactive mode. As mail(1) is called as root from cron, this can lead to a local root compromise. -
      - March 13, 2002: +
      - March 13, 2002: A potential double free() exists in the zlib library; this is not exploitable on OpenBSD. The kernel also contains a copy of zlib; it is not currently known if the kernel zlib is exploitable. -
      - March 8, 2002: +
      - March 8, 2002: An off-by-one check in OpenSSH's channel forwarding code may allow a local user to gain super-user privileges. -
      - January 21, 2002: +
      - January 21, 2002: A race condition between the ptrace(2) and execve(2) system calls allows an attacker to modify the memory contents of suid/sgid processes which could lead to compromise of the super-user account. -
      - January 17, 2002: +
      - January 17, 2002: There is a security hole in sudo(8) that can be exploited when the Postfix sendmail replacement is installed that may allow an attacker on the local host to gain root privileges. -
      - November 28, 2001: +
      - November 28, 2001: An attacker can trick a machine running the lpd daemon into creating new files in the root directory from a machine with remote line printer access. -
      - November 13, 2001: +
      - November 13, 2001: The vi.recover script can be abused in such a way as to cause arbitrary zero-length files to be removed. -
      - September 11, 2001: +
      - September 11, 2001: A security hole exists in uuxqt(8) that may allow an attacker to gain root privileges. -
      - August 29, 2001: +
      - August 29, 2001: A security hole exists in lpd(8) that may allow an attacker to gain root privileges if lpd is running. -
      - August 21, 2001: +
      - August 21, 2001: A security hole exists in sendmail(8) that may allow an attacker on the local host to gain root privileges. -
      - July 30, 2001: +
      - July 30, 2001: A kernel buffer overflow in the NFS code can be used to execute arbitrary code by users with mount privileges (only root by default). -
      - June 15, 2001: +
      - June 15, 2001: A race condition in the kernel can lead to local root compromise. -
      - June 12, 2001: +
      - June 12, 2001: sshd(8) allows users to delete arbitrary files named "cookies" if X11 forwarding is enabled. X11 forwarding is disabled by default. -
      - May 30, 2001: +
      - May 30, 2001: Programs using the fts routines can be tricked into changing into the wrong directory. -
      - May 29, 2001: +
      - May 29, 2001: Sendmail signal handlers contain unsafe code, leading to numerous race conditions.
      @@ -765,59 +768,59 @@
    - -
      OpenBSD 2.8 Security Advisories
      +
      OpenBSD 2.8 Security Advisories
      These are the OpenBSD 2.8 advisories -- all these problems are solved -in OpenBSD current. The -patch branch. for 2.8 is no longer being maintained, +in OpenBSD current. The +patch branch. for 2.8 is no longer being maintained, you should update your machine.
      - September 11, 2001: +
      - September 11, 2001: A security hole exists in uuxqt(8) that may allow an attacker to gain root privileges. -
      - August 29, 2001: +
      - August 29, 2001: A security hole exists in lpd(8) that may allow an attacker to gain root privileges if lpd is running. -
      - August 21, 2001: +
      - August 21, 2001: A security hole exists in sendmail(8) that may allow an attacker on the local host to gain root privileges. -
      - June 15, 2001: +
      - June 15, 2001: A race condition in the kernel can lead to local root compromise. -
      - May 30, 2001: +
      - May 30, 2001: Programs using the fts routines can be tricked into changing into the wrong directory. -
      - May 29, 2001: +
      - May 29, 2001: Sendmail signal handlers contain unsafe code, leading to numerous race conditions. -
      - Apr 23, 2001: +
      - Apr 23, 2001: IPF contains a serious bug with its handling of fragment caching. -
      - Apr 23, 2001: +
      - Apr 23, 2001: ftpd(8) contains a potential DoS relating to glob(3). -
      - Apr 10, 2001: +
      - Apr 10, 2001: The glob(3) library call contains multiple buffer overflows. -
      - Mar 18, 2001: +
      - Mar 18, 2001: The readline library creates history files with permissive modes based on the user's umask. -
      - Mar 2, 2001: +
      - Mar 2, 2001: Insufficient checks in the IPSEC AH IPv4 option handling code can lead to a buffer overrun in the kernel. -
      - Mar 2, 2001: +
      - Mar 2, 2001: The USER_LDT kernel option allows an attacker to gain access to privileged areas of kernel memory. -
      - Feb 22, 2001: +
      - Feb 22, 2001: a non-exploitable buffer overflow was fixed in sudo(8). -
      - Jan 29, 2001: +
      - Jan 29, 2001: merge named(8) with ISC BIND 4.9.8-REL, which fixes some buffer vulnerabilities. -
      - Jan 22, 2001: +
      - Jan 22, 2001: rnd(4) did not use all of its input when written to. -
      - Dec 22, 2000: +
      - Dec 22, 2000: xlock(1)'s authentication was re-done to authenticate via a named pipe. (patch and new xlock binaries included). -
      - Dec 18, 2000: +
      - Dec 18, 2000: Procfs contains numerous overflows. Procfs is not used by default in OpenBSD. (patch included). -
      - Dec 10, 2000: +
      - Dec 10, 2000: Another problem exists in KerberosIV libraries (patch included). -
      - Dec 7, 2000: +
      - Dec 7, 2000: A set of problems in KerberosIV exist (patch included). -
      - Dec 4, 2000: +
      - Dec 4, 2000: A single-byte buffer overflow exists in ftpd (patch included).
      @@ -825,88 +828,88 @@
    - -
      OpenBSD 2.7 Security Advisories
      +
      OpenBSD 2.7 Security Advisories
      These are the OpenBSD 2.7 advisories -- all these problems are solved -in OpenBSD current. Obviously, all the +in OpenBSD current. Obviously, all the OpenBSD 2.6 advisories listed below are fixed in OpenBSD 2.7.
      - Mar 18, 2001: +
      - Mar 18, 2001: The readline library creates history files with permissive modes based on the user's umask. -
      - Feb 22, 2001: +
      - Feb 22, 2001: a buffer overflow was fixed in sudo(8). -
      - Dec 4, 2000: +
      - Dec 4, 2000: A single-byte buffer overflow exists in ftpd (patch included). -
      - Nov 10, 2000: +
      - Nov 10, 2000: Hostile servers can force OpenSSH clients to do agent or X11 forwarding. (patch included) -
      - Oct 26, 2000: +
      - Oct 26, 2000: X11 libraries have 2 potential overflows in xtrans code. (patch included) -
      - Oct 18, 2000: +
      - Oct 18, 2000: Apache mod_rewrite and mod_vhost_alias modules could expose files on the server in certain configurations if used. (patch included) -
      - Oct 10, 2000: +
      - Oct 10, 2000: The telnet daemon does not strip out the TERMINFO, TERMINFO_DIRS, TERMPATH and TERMCAP environment variables as it should. (patch included) -
      - Oct 6, 2000: +
      - Oct 6, 2000: There are printf-style format string bugs in several privileged programs. (patch included) -
      - Oct 6, 2000: +
      - Oct 6, 2000: libcurses honored terminal descriptions in the $HOME/.terminfo directory as well as in the TERMCAP environment variable for setuid and setgid applications. (patch included) -
      - Oct 6, 2000: +
      - Oct 6, 2000: A format string vulnerability exists in talkd(8). (patch included) -
      - Oct 3, 2000: +
      - Oct 3, 2000: A format string vulnerability exists in the pw_error() function of the libutil library, yielding localhost root through chpass(1). (patch included) -
      - Sep 18, 2000: +
      - Sep 18, 2000: Bad ESP/AH packets could cause a crash under certain conditions. (patch included) -
      - Aug 16, 2000: +
      - Aug 16, 2000: A format string vulnerability (localhost root) exists in xlock(1). (patch included) -
      - July 14, 2000: +
      - July 14, 2000: Various bugs found in X11 libraries have various side effects, almost completely denial of service in OpenBSD. (patch included) -
      - July 5, 2000: +
      - July 5, 2000: Just like pretty much all the other unix ftp daemons on the planet, ftpd had a remote root hole in it. Luckily, ftpd was not enabled by default. The problem exists if anonymous ftp is enabled. (patch included) -
      - July 5, 2000: +
      - July 5, 2000: Mopd, very rarely used, contained some buffer overflows. (patch included) -
      - June 28, 2000: +
      - June 28, 2000: libedit would check for a .editrc file in the current directory. Not known to be a real security issue, but a patch is available anyways. (patch included) -
      - June 24, 2000: +
      - June 24, 2000: A serious bug in dhclient(8) could allow strings from a malicious dhcp server to be executed in the shell as root. (patch included) -
      - June 9, 2000: +
      - June 9, 2000: A serious bug in isakmpd(8) policy handling wherein policy verification could be completely bypassed in isakmpd. (patch included) -
      - June 6, 2000: +
      - June 6, 2000: The non-default flag UseLogin in /etc/sshd_config is broken, should not be used, and results in security problems on other operating systems. -
      - May 26, 2000: +
      - May 26, 2000: The bridge(4) learning flag may be bypassed. (patch included) -
      - May 25, 2000: +
      - May 25, 2000: Improper use of ipf keep-state rules can result in firewall rules being bypassed. (patch included) @@ -916,46 +919,46 @@
      - -
        OpenBSD 2.6 Security Advisories
        +
        OpenBSD 2.6 Security Advisories
        These are the OpenBSD 2.6 advisories -- all these problems are solved -in OpenBSD current. Obviously, all the +in OpenBSD current. Obviously, all the OpenBSD 2.5 advisories listed below are fixed in OpenBSD 2.6.
        
        -
        May 26, 2000: +
        May 26, 2000: SYSV semaphore support contained an undocumented system call which could wedge semaphore-using processes from exiting. (patch included) -
        May 25, 2000: +
        May 25, 2000: Improper use of ipf keep-state rules can result in firewall rules being bypassed. (patch included) -
        May 25, 2000: +
        May 25, 2000: xlockmore has a bug which a localhost attacker can use to gain access to the encrypted root password hash (which is normally encoded using blowfish (see - + crypt(3)) (patch included). -
        Jan 20, 2000: +
        Jan 20, 2000: Systems running with procfs enabled and mounted are vulnerable to a very tricky exploit. procfs is not mounted by default. (patch included). -
        Dec 4, 1999: +
        Dec 4, 1999: Sendmail permitted any user to cause a aliases file wrap, thus exposing the system to a race where the aliases file did not exist. (patch included). -
        Dec 4, 1999: +
        Dec 4, 1999: Various bugs in poll(2) may cause a kernel crash. -
        Dec 2, 1999: +
        Dec 2, 1999: A buffer overflow in the RSAREF code included in the USA version of libssl, is possibly exploitable in httpd, ssh, or isakmpd, if SSL/RSA features are enabled. (patch included).
        Update: Turns out that this was not exploitable in any of the software included in OpenBSD 2.6. -
        Nov 9, 1999: +
        Nov 9, 1999: Any user could change interface media configurations, resulting in a localhost denial of service attack. (patch included). @@ -965,34 +968,34 @@
        -
        OpenBSD 2.5 Security Advisories
        +
        OpenBSD 2.5 Security Advisories
        These are the OpenBSD 2.5 advisories -- all these problems are solved -in OpenBSD current. Obviously, all the +in OpenBSD current. Obviously, all the OpenBSD 2.4 advisories listed below are fixed in OpenBSD 2.5.
        
        -
        Aug 30, 1999: +
        Aug 30, 1999: In cron(8), make sure argv[] is NULL terminated in the fake popen() and run sendmail as the user, not as root. (patch included). -
        Aug 12, 1999: The procfs and fdescfs +
        Aug 12, 1999: The procfs and fdescfs filesystems had an overrun in their handling of uio_offset in their readdir() routines. (These filesystems are not enabled by default). (patch included). -
        Aug 9, 1999: Stop profiling (see profil(2)) +
        Aug 9, 1999: Stop profiling (see profil(2)) when we execve() a new process. (patch included). -
        Aug 6, 1999: Packets that should have +
        Aug 6, 1999: Packets that should have been handled by IPsec may be transmitted as cleartext. PF_KEY SA expirations may leak kernel resources. (patch included). -
        Aug 5, 1999: In /etc/rc, use mktemp(1) for +
        Aug 5, 1999: In /etc/rc, use mktemp(1) for motd re-writing and change the find(1) to use -execdir (patch included). -
        Jul 30, 1999: Do not permit regular +
        Jul 30, 1999: Do not permit regular users to chflags(2) or fchflags(2) on character or block devices which they may currently be the owner of (patch included). -
        Jul 27, 1999: Cause groff(1) to be invoked +
        Jul 27, 1999: Cause groff(1) to be invoked with the -S flag, when called by nroff(1) (patch included).
        @@ -1000,44 +1003,44 @@
        -
        OpenBSD 2.4 Security Advisories
        +
        OpenBSD 2.4 Security Advisories
        These are the OpenBSD 2.4 advisories -- all these problems are solved -in OpenBSD current. Obviously, all the +in OpenBSD current. Obviously, all the OpenBSD 2.3 advisories listed below are fixed in OpenBSD 2.4.
        
        -
        Mar 22, 1999: The nfds argument for poll(2) needs +
        Mar 22, 1999: The nfds argument for poll(2) needs to be constrained, to avoid kvm starvation (patch included). -
        Mar 21, 1999: A change in TSS handling stops +
        Mar 21, 1999: A change in TSS handling stops another kernel crash case caused by the crashme program (patch included). -
        Feb 25, 1999: An unbounded increment on the +
        Feb 25, 1999: An unbounded increment on the nlink value in FFS and EXT2FS filesystems can cause a system crash. (patch included). -
        Feb 23, 1999: Yet another buffer overflow +
        Feb 23, 1999: Yet another buffer overflow existed in ping(8). (patch included). -
        Feb 19, 1999: ipintr() had a race in use of +
        Feb 19, 1999: ipintr() had a race in use of the ipq, which could permit an attacker to cause a crash. (patch included). -
        Feb 17, 1999: A race condition in the +
        Feb 17, 1999: A race condition in the kernel between accept(2) and select(2) could permit an attacker to hang sockets from remote. (patch included). -
        Feb 17, 1999: IP fragment assembly can +
        Feb 17, 1999: IP fragment assembly can bog the machine excessively and cause problems. (patch included). -
        Feb 12, 1999: i386 T_TRCTRAP handling and +
        Feb 12, 1999: i386 T_TRCTRAP handling and DDB interacted to possibly cause a crash. (patch included). -
        Feb 11, 1999: TCP/IP RST handling was sloppy. +
        Feb 11, 1999: TCP/IP RST handling was sloppy. (patch included). -
        Nov 27, 1998: There is a remotely exploitable +
        Nov 27, 1998: There is a remotely exploitable problem in bootpd(8). (patch included). -
        Nov 19, 1998: There is a possibly locally +
        Nov 19, 1998: There is a possibly locally exploitable problem relating to environment variables in termcap and curses. (patch included). -
        Nov 13, 1998: There is a remote machine lockup +
        Nov 13, 1998: There is a remote machine lockup bug in the TCP decoding kernel. (patch included).
        @@ -1045,35 +1048,35 @@
        -
        OpenBSD 2.3 Security Advisories
        +
        OpenBSD 2.3 Security Advisories
        These are the OpenBSD 2.3 advisories -- all these problems are solved -in OpenBSD current. Obviously, all the +in OpenBSD current. Obviously, all the OpenBSD 2.2 advisories listed below are fixed in OpenBSD 2.3.
        
        -
        Nov 27, 1998: There is a remotely exploitable +
        Nov 27, 1998: There is a remotely exploitable problem in bootpd(8). (patch included). -
        Nov 13, 1998: There is a remote machine lockup +
        Nov 13, 1998: There is a remote machine lockup bug in the TCP decoding kernel. (patch included). -
        August 31, 1998: A benign looking resolver +
        August 31, 1998: A benign looking resolver buffer overflow bug was re-introduced accidentally (patches included). -
        Aug 2, 1998: +
        Aug 2, 1998: chpass(1) has a file descriptor leak which allows an attacker to modify /etc/master.passwd. -
        July 15, 1998: Inetd had a file descriptor leak. -
        Jul 2, 1998: setuid and setgid processes +
        July 15, 1998: Inetd had a file descriptor leak. +
        Jul 2, 1998: setuid and setgid processes should not be executed with fd slots 0, 1, or 2 free. (patch included). -
        June 6, 1998: Further problems with the X +
        June 6, 1998: Further problems with the X libraries (patches included). -
        May 17, 1998: kill(2) of setuid/setgid target +
        May 17, 1998: kill(2) of setuid/setgid target processes too permissive (4th revision patch included). -
        May 11, 1998: mmap() permits partial bypassing +
        May 11, 1998: mmap() permits partial bypassing of immutable and append-only file flags. (patch included). -
        May 5, 1998: Incorrect handling of IPSEC packets +
        May 5, 1998: Incorrect handling of IPSEC packets if IPSEC is enabled (patch included). -
        May 1, 1998: Buffer overflow in xterm and Xaw +
        May 1, 1998: Buffer overflow in xterm and Xaw (CERT advisory VB-98.04) (patch included).
        @@ -1081,44 +1084,44 @@
        -
        OpenBSD 2.2 Security Advisories
        +
        OpenBSD 2.2 Security Advisories
        These are the OpenBSD 2.2 advisories. All these problems are solved -in OpenBSD 2.3. Some of these problems +in OpenBSD 2.3. Some of these problems still exist in other operating systems. (The supplied patches are for OpenBSD 2.2; they may or may not work on OpenBSD 2.1).
        
        -
        May 5, 1998: Incorrect handling of IPSEC +
        May 5, 1998: Incorrect handling of IPSEC packets if IPSEC is enabled (patch included). -
        May 1, 1998: Buffer overflow in xterm +
        May 1, 1998: Buffer overflow in xterm and Xaw (CERT advisory VB-98.04) (patch included). -
        Apr 22, 1998: Buffer overflow in uucpd +
        Apr 22, 1998: Buffer overflow in uucpd (patch included). -
        Apr 22, 1998: Buffer mismanagement in lprm +
        Apr 22, 1998: Buffer mismanagement in lprm (patch included). -
        Mar 31, 1998: Overflow in ping -R (patch included). -
        Mar 30, 1998: Overflow in named fake-iquery +
        Mar 31, 1998: Overflow in ping -R (patch included). +
        Mar 30, 1998: Overflow in named fake-iquery (patch included). -
        Mar 2, 1998: Accidental NFS filesystem +
        Mar 2, 1998: Accidental NFS filesystem export (patch included).
        Feb 26, 1998: Read-write mmap() flaw. - Revision 3 of the patch is available here + Revision 3 of the patch is available here
        Feb 19, 1998: Sourcerouted Packet Acceptance. - A patch is available here. -
        Feb 13, 1998: Setuid coredump & Ruserok() + A patch is available here. +
        Feb 13, 1998: Setuid coredump & Ruserok() flaw (patch included). -
        Feb 9, 1998: MIPS ld.so flaw (patch included). +
        Feb 9, 1998: MIPS ld.so flaw (patch included).
        
        -
        OpenBSD 2.1 Security Advisories
        +
        OpenBSD 2.1 Security Advisories
        These are the OpenBSD 2.1 advisories. All these problems are solved -in OpenBSD 2.2. Some of these problems still +in OpenBSD 2.2. Some of these problems still exist in other operating systems. (If you are running OpenBSD 2.1, we would strongly recommend an upgrade to the newest release, as this patch list only attempts at fixing the most important security @@ -1138,9 +1141,9 @@
        -
        OpenBSD 2.0 Security Advisories
        +
        OpenBSD 2.0 Security Advisories
        These are the OpenBSD 2.0 advisories. All these problems are solved -in OpenBSD 2.1. Some of these problems still +in OpenBSD 2.1. Some of these problems still exist in other operating systems. (If you are running OpenBSD 2.0, we commend you for being there back in the old days!, but you're really missing out if you don't install a new version!) @@ -1152,12 +1155,10 @@
        Many others... if people can hunt them down, please let me know and we'll put them up here.
        - -
        -
      - Watching our Changes
        +
      - Watching our Changes
        Since we take a proactive stance with security, we are continually finding and fixing new security problems. Not all of these problems @@ -1177,7 +1178,7 @@
        
        If you understand security issues, watch our - source-changes mailing list and keep an + source-changes mailing list and keep an eye out for things which appear security related. Since exploitability is not proven for many of the fixes we make, do not expect the relevant commit message to say "SECURITY FIX!". @@ -1201,17 +1202,17 @@
        -
        Reporting problems
        +
        Reporting problems
        
        If you find a new security problem, you can mail it to -deraadt@openbsd.org. +deraadt@openbsd.org.
        If you wish to PGP encode it (but please only do so if privacy is very urgent, since it is inconvenient) use this pgp key.
        -
        Further Reading
        +
        Further Reading
        A number of papers have been written by OpenBSD team members, about security related changes they have done in OpenBSD. The postscript versions of these @@ -1219,50 +1220,49 @@
        
        A Future-Adaptable Password Scheme.
        - Usenix 1999, - by Niels Provos, - David Mazieres.
        - paper and - slides. + Usenix 1999, + by Niels Provos, + David Mazieres.
        + paper and + slides.
        
        Cryptography in OpenBSD: An Overview.
        - Usenix 1999, - by Theo de Raadt, - Niklas Hallqvist, - Artur Grabowski, - Angelos D. Keromytis, - Niels Provos.
        - paper and - slides. + Usenix 1999, + by Theo de Raadt, + Niklas Hallqvist, + Artur Grabowski, + Angelos D. Keromytis, + Niels Provos.
        + paper and + slides.
        
        strlcpy and strlcat -- consistent, safe, string copy and concatenation.
        - Usenix 1999, - by Todd C. Miller, - Theo de Raadt.
        - paper and - slides. + Usenix 1999, + by Todd C. Miller, + Theo de Raadt.
        + paper and + slides.
        
        Dealing with Public Ethernet Jacks-Switches, Gateways, and Authentication.
        - LISA 1999, - by Bob Beck.
        - paper and - slides. + LISA 1999, + by Bob Beck.
        + paper and + slides.
        
        Encrypting Virtual Memory
        - Usenix Security 2000, - Niels Provos.
        - paper and - slides. + Usenix Security 2000, + Niels Provos.
        + paper and + slides.
        
        +
        - -
        - -www@openbsd.org + +www@openbsd.org
        -$OpenBSD: security.html,v 1.293 2004/06/12 23:43:14 brad Exp $ +$OpenBSD: security.html,v 1.294 2004/06/16 01:06:19 david Exp $

Security

Security

Goal

Goal

Full Disclosure

Full Disclosure

Audit Process

Audit Process

New Technologies

New Technologies

The Reward

The Reward

"Secure by Default"

"Secure by Default"

Cryptography

Cryptography

Advisories

Advisories

OpenBSD 3.5 Security Advisories

OpenBSD 3.5 Security Advisories

OpenBSD 3.4 Security Advisories

OpenBSD 3.4 Security Advisories

OpenBSD 3.3 Security Advisories

OpenBSD 3.3 Security Advisories

OpenBSD 3.2 Security Advisories

OpenBSD 3.2 Security Advisories

OpenBSD 3.1 Security Advisories

OpenBSD 3.1 Security Advisories

OpenBSD 3.0 Security Advisories

OpenBSD 3.0 Security Advisories

OpenBSD 2.9 Security Advisories

OpenBSD 2.9 Security Advisories

OpenBSD 2.8 Security Advisories

OpenBSD 2.8 Security Advisories

OpenBSD 2.7 Security Advisories

OpenBSD 2.7 Security Advisories

OpenBSD 2.6 Security Advisories

OpenBSD 2.6 Security Advisories

OpenBSD 2.5 Security Advisories

OpenBSD 2.5 Security Advisories

OpenBSD 2.4 Security Advisories

OpenBSD 2.4 Security Advisories

OpenBSD 2.3 Security Advisories

OpenBSD 2.3 Security Advisories

OpenBSD 2.2 Security Advisories

OpenBSD 2.2 Security Advisories

OpenBSD 2.1 Security Advisories

OpenBSD 2.1 Security Advisories

OpenBSD 2.0 Security Advisories

OpenBSD 2.0 Security Advisories

Watching our Changes

Watching our Changes

Reporting problems

Reporting problems

Further Reading

Further Reading