<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>OpenBSD 3.6 Errata</title>
<meta name="description" content="the OpenBSD CD errata page">
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="openbsd.css">
<link rel="canonical" href="https://www.openbsd.org/errata36.html">
</head>
<!--
IMPORTANT REMINDER
IF YOU ADD A NEW ERRATUM, MAIL THE PATCH TO TECH AND ANNOUNCE
-->
<body bgcolor="#ffffff" text="#000000" link="#23238E">
<h2>
<a href="index.html">
<font color="#0000ff"><i>Open</i></font><font color="#000084">BSD</font></a>
<font color="#e00000">3.6 Errata</font>
</h2>
<hr>
For errata on a certain release, click below:<br>
<a href="errata21.html">2.1</a>,
<a href="errata22.html">2.2</a>,
<a href="errata23.html">2.3</a>,
<a href="errata24.html">2.4</a>,
<a href="errata25.html">2.5</a>,
<a href="errata26.html">2.6</a>,
<a href="errata27.html">2.7</a>,
<a href="errata28.html">2.8</a>,
<a href="errata29.html">2.9</a>,
<a href="errata30.html">3.0</a>,
<a href="errata31.html">3.1</a>,
<a href="errata32.html">3.2</a>,
<a href="errata33.html">3.3</a>,
<a href="errata34.html">3.4</a>,
<a href="errata35.html">3.5</a>,
<a href="errata37.html">3.7</a>,
<br>
<a href="errata38.html">3.8</a>,
<a href="errata39.html">3.9</a>,
<a href="errata40.html">4.0</a>,
<a href="errata41.html">4.1</a>,
<a href="errata42.html">4.2</a>,
<a href="errata43.html">4.3</a>,
<a href="errata44.html">4.4</a>,
<a href="errata45.html">4.5</a>,
<a href="errata46.html">4.6</a>,
<a href="errata47.html">4.7</a>,
<a href="errata48.html">4.8</a>,
<a href="errata49.html">4.9</a>,
<a href="errata50.html">5.0</a>,
<a href="errata51.html">5.1</a>,
<a href="errata52.html">5.2</a>,
<a href="errata53.html">5.3</a>,
<br>
<a href="errata54.html">5.4</a>,
<a href="errata55.html">5.5</a>,
<a href="errata56.html">5.6</a>,
<a href="errata57.html">5.7</a>,
<a href="errata58.html">5.8</a>,
<a href="errata59.html">5.9</a>,
<a href="errata60.html">6.0</a>,
<a href="errata61.html">6.1</a>,
<a href="errata62.html">6.2</a>.
<hr>
<p>
Patches for the OpenBSD base system are distributed as unified diffs.
Each patch contains usage instructions.
All the following patches are also available in one
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.6.tar.gz">tar.gz file</a>
for convenience.
<p>
Patches for supported releases are also incorporated into the
<a href="stable.html">-stable branch</a>.
<hr>
<ul>
<li id="libz2">
<font color="#009000"><strong>020: SECURITY FIX: July 21, 2005</strong></font>
<i>All architectures</i><br>
A buffer overflow has been found in
<a href="https://man.openbsd.org/OpenBSD-3.6/compress.3">compress(3)</a>
which may be exploitable.<br>
Please note that this fixes a different buffer overflow than the <a href="#libz">previous</a> zlib patch.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/020_libz.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="libz">
<font color="#009000"><strong>019: SECURITY FIX: July 6, 2005</strong></font>
<i>All architectures</i><br>
A buffer overflow has been found in
<a href="https://man.openbsd.org/OpenBSD-3.6/compress.3">compress(3)</a>
which may be exploitable.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/019_libz.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="sudo">
<font color="#009000"><strong>018: SECURITY FIX: June 20, 2005</strong></font>
<i>All architectures</i><br>
Due to a race condition in its command pathname handling, a user with
<a href="https://man.openbsd.org/OpenBSD-3.6/sudo.8">sudo(8)</a>
privileges may be able to run arbitrary commands if the user's entry
is followed by an entry that grants <tt>sudo ALL</tt> privileges to
another user.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/018_sudo.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="getsockopt">
<font color="#009000"><strong>017: RELIABILITY FIX: June 15, 2005</strong></font>
<i>All architectures</i><br>
As discovered by Stefan Miltchev, calling
<a href="https://man.openbsd.org/OpenBSD-3.6/getsockopt.2">getsockopt(2)</a>
to get
<a href="https://man.openbsd.org/OpenBSD-3.6/ipsec.4">ipsec(4)</a>
credentials for a socket can result in a kernel panic.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/017_getsockopt.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="cvs">
<font color="#009000"><strong>016: SECURITY FIX: April 28, 2005</strong></font>
<i>All architectures</i><br>
Fix a buffer overflow, memory leaks, and NULL pointer dereference in
<a href="https://man.openbsd.org/OpenBSD-3.6/cvs.1">cvs(1)</a>.
None of these issues are known to be exploitable.
<a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0753">CAN-2005-0753</a>.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/016_cvs.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="tcp">
<font color="#009000"><strong>015: RELIABILITY FIX: April 4, 2005</strong></font>
<i>All architectures</i><br>
Handle an edge condition in
<a href="https://man.openbsd.org/OpenBSD-3.6/tcp.4">tcp(4)</a>
timestamps.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/015_tcp.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="telnet">
<font color="#009000"><strong>014: SECURITY FIX: March 30, 2005</strong></font>
<i>All architectures</i><br>
Due to buffer overflows in
<a href="https://man.openbsd.org/OpenBSD-3.6/telnet.1">telnet(1)</a>,
a malicious server or man-in-the-middle attack could allow execution of
arbitrary code with the privileges of the user invoking
<a href="https://man.openbsd.org/OpenBSD-3.6/telnet.1">telnet(1)</a>.
No one should use telnet anymore. Please use
<a href="https://man.openbsd.org/OpenBSD-3.6/ssh.1">ssh(1)</a>.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/014_telnet.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="sack">
<font color="#009000"><strong>013: RELIABILITY FIX: March 30, 2005</strong></font>
<i>All architectures</i><br>
Bugs in the
<a href="https://man.openbsd.org/OpenBSD-3.6/tcp.4">tcp(4)</a>
stack can lead to memory exhaustion or processing of TCP segments with
invalid SACK options and cause a system crash.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/013_sack.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="copy">
<font color="#009000"><strong>012: SECURITY FIX: March 16, 2005</strong></font>
<strong>amd64 only</strong><br>
More stringent checking should be done in the
<a href="https://man.openbsd.org/OpenBSD-3.6/copy.9">copy(9)</a>
functions to prevent their misuse.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.6/amd64/012_copy.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="locore">
<font color="#009000"><strong>011: SECURITY FIX: February 28, 2005</strong></font>
<strong>i386 only</strong><br>
More stringent checking should be done in the
<a href="https://man.openbsd.org/OpenBSD-3.6/copy.9">copy(9)</a>
functions to prevent their misuse.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.6/i386/011_locore.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="rtt">
<font color="#009000"><strong>010: RELIABILITY FIX: January 11, 2005</strong></font>
<i>All architectures</i><br>
A bug in the
<a href="https://man.openbsd.org/OpenBSD-3.6/tcp.4">tcp(4)</a>
stack allows an invalid argument to be used in calculating the TCP
retransmit timeout. By sending packets with specific values in the TCP
timestamp option, an attacker can cause a system panic.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/010_rtt.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="httpd">
<font color="#009000"><strong>009: SECURITY FIX: January 12, 2005</strong></font>
<i>All architectures</i><br>
<a href="https://man.openbsd.org/OpenBSD-3.6/httpd.8">httpd(8)</a>'s
mod_include module fails to properly validate the length of
user-supplied tag strings prior to copying them to a local buffer,
causing a buffer overflow.
<br>
This would require enabling the XBitHack directive or server-side
includes and making use of a malicious document.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/009_httpd.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="getcwd">
<font color="#009000"><strong>008: RELIABILITY FIX: January 6, 2005</strong></font>
<i>All architectures</i><br>
The
<a href="https://man.openbsd.org/OpenBSD-3.6/getcwd.3">getcwd(3)</a>
library function contains a memory management error, which causes failure
to retrieve the current working directory if the path is very long.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/008_getcwd.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="pfkey">
<font color="#009000"><strong>007: SECURITY FIX: December 14, 2004</strong></font>
<i>All architectures</i><br>
On systems running
<a href="https://man.openbsd.org/OpenBSD-3.6/isakmpd.8">isakmpd(8)</a>
it is possible for a local user to cause kernel memory corruption
and system panic by setting
<a href="https://man.openbsd.org/OpenBSD-3.6/ipsec.4">ipsec(4)</a>
credentials on a socket.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/007_pfkey.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="xl">
<font color="#009000"><strong>006: RELIABILITY FIX: November 21, 2004</strong></font>
<i>All architectures</i><br>
Fix for transmit side breakage on macppc and mbuf leaks with
<a href="https://man.openbsd.org/OpenBSD-3.6/xl.4">xl(4)</a>.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/006_xl.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="isakmpd">
<font color="#009000"><strong>005: RELIABILITY FIX: November 21, 2004</strong></font>
<i>All architectures</i><br>
Wrong calculation of NAT-D payloads may cause interoperability problems between
<a href="https://man.openbsd.org/OpenBSD-3.6/isakmpd.8">isakmpd(8)</a>
and other ISAKMP/IKE implementations.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/005_isakmpd.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="lynx">
<font color="#009000"><strong>004: RELIABILITY FIX: November 10, 2004</strong></font>
<i>All architectures</i><br>
Due to a bug in
<a href="https://man.openbsd.org/OpenBSD-3.6/lynx.1">lynx(1)</a>,
pages such as
<a href="http://lcamtuf.coredump.cx/mangleme/gallery/lynx_die1.html">this</a>
can cause
<a href="https://man.openbsd.org/OpenBSD-3.6/lynx.1">lynx(1)</a>
to exhaust memory and then crash while parsing them.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/004_lynx.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="pppd">
<font color="#009000"><strong>003: RELIABILITY FIX: November 10, 2004</strong></font>
<i>All architectures</i><br>
<a href="https://man.openbsd.org/OpenBSD-3.6/pppd.8">pppd(8)</a>
contains a bug that allows an attacker to crash his own connection, but it cannot
be used to deny service to other users.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/003_pppd.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="bind">
<font color="#009000"><strong>002: RELIABILITY FIX: November 10, 2004</strong></font>
<i>All architectures</i><br>
BIND contains a bug that causes it to try to contact nameservers via IPv6, even in
cases where IPv6 connectivity is non-existent. This results in unnecessary timeouts and
thus slow DNS queries.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/002_bind.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="st">
<font color="#009000"><strong>001: RELIABILITY FIX: November 10, 2004</strong></font>
<i>All architectures</i><br>
Fix detection of tape blocksize during device open. Corrects problem with
<a href="https://man.openbsd.org/OpenBSD-3.6/restore.8">restore(8)</a>.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/001_st.patch">
A source code patch exists which remedies this problem.</a>
<p>
</ul>
<hr>
</body>
</html>