This is the OpenBSD 3.5 release errata & patch list:
For OpenBSD patch branch information, please refer here.
For important packages updates, please refer here.
For errata on a certain release, click below:
2.1,
2.2,
2.3,
2.4,
2.5,
2.6,
2.7,
2.8,
2.9,
3.0,
3.1,
3.2,
3.3,
3.4,
3.6,
3.7,
3.8,
3.9,
4.0,
4.1,
4.2,
4.3,
4.4,
4.5,
4.6,
4.7,
4.8,
4.9,
5.0,
5.1,
5.2,
5.3,
5.4,
5.5.
You can also fetch a tar.gz file containing all the following patches.
This file is updated once a day.
The patches below are available in CVS via the
OPENBSD_3_5
patch branch.
For more detailed information on how to install patches to OpenBSD, please
consult the OpenBSD FAQ.
-
033: SECURITY FIX: April 28, 2005
All architectures
Fix a buffer overflow, memory leaks, and NULL pointer dereference in
cvs(1)
. None of these issues are known to be exploitable.
CAN-2005-0753
.
A source code patch exists which remedies this problem.
-
032: RELIABILITY FIX: April 4, 2005
All architectures
Handle an edge condition in
tcp(4)
timestamps.
A source code patch exists which remedies this problem.
-
031: SECURITY FIX: March 30, 2005
All architectures
Due to buffer overflows in
telnet(1)
, a malicious server or man-in-the-middle attack could allow execution of
arbitrary code with the privileges of the user invoking
telnet(1)
.
A source code patch exists which remedies this problem.
-
030: RELIABILITY FIX: March 30, 2005
All architectures
Bugs in the
tcp(4)
stack can lead to memory exhaustion or processing of TCP segments with
invalid SACK options and cause a system crash.
A source code patch exists which remedies this problem.
-
029: SECURITY FIX: March 16, 2005
amd64 only
More stringent checking should be done in the
copy(9)
functions to prevent their misuse.
A source code patch exists which remedies this problem.
-
028: SECURITY FIX: February 28, 2005
i386 only
More stringent checking should be done in the
copy(9)
functions to prevent their misuse.
A source code patch exists which remedies this problem.
-
027: RELIABILITY FIX: January 11, 2005
All architectures
A bug in the
tcp(4)
stack allows an invalid argument to be used in calculating the TCP
retransmit timeout. By sending packets with specific values in the TCP
timestamp option, an attacker can cause a system panic.
A source code patch exists which remedies this problem.
-
026: SECURITY FIX: January 12, 2005
All architectures
httpd(8)
's mod_include module fails to properly validate the length of
user supplied tag strings prior to copying them to a local buffer,
causing a buffer overflow.
This would require enabling the XBitHack directive or server-side
includes and making use of a malicious document.
A source code patch exists which remedies this problem.
-
025: RELIABILITY FIX: January 6, 2005
All architectures
The
getcwd(3)
library function contains a memory management error, which causes failure
to retrieve the current working directory if the path is very long.
A source code patch exists which remedies this problem.
-
024: SECURITY FIX: December 14, 2004
All architectures
On systems running
isakmpd(8)
it is possible for a local user to cause kernel memory corruption
and system panic by setting
ipsec(4)
credentials on a socket.
A source code patch exists which remedies this problem.
-
023: RELIABILITY FIX: November 10, 2004
All architectures
Due to a bug in
lynx(1)
it is possible for pages such as
this
to cause
lynx(1)
to exhaust memory and then crash when parsing such pages.
A source code patch exists which remedies this problem.
-
022: RELIABILITY FIX: November 10, 2004
All architectures
pppd(8)
contains a bug that allows an attacker to crash his own connection, but it cannot
be used to deny service to other users.
A source code patch exists which remedies this problem.
-
021: RELIABILITY FIX: November 10, 2004
All architectures
BIND contains a bug which results in BIND trying to contact nameservers via IPv6, even in
cases where IPv6 connectivity is non-existent. This results in unnecessary timeouts and
thus slow DNS queries.
A source code patch exists which remedies this problem.
-
020: SECURITY FIX: September 20, 2004
All architectures
Eilko Bos reported that radius authentication, as implemented by
login_radius(8),
was not checking the shared secret used for replies sent by the radius server.
This could allow an attacker to spoof a reply granting access to the
attacker. Note that OpenBSD does not ship with radius authentication enabled.
A source code patch exists which remedies this problem.
-
019: SECURITY FIX: September 16, 2004
All architectures
Chris Evans reported several flaws (stack and integer overflows) in the
Xpm
library code that parses image files
(CAN-2004-0687,
CAN-2004-0688).
Some of these would be exploitable when parsing malicious image files in
an application that handles XPM images, if they could escape ProPolice.
A source code patch exists which remedies this problem.
-
018: SECURITY FIX: September 10, 2004
All architectures
httpd(8)
's mod_rewrite module can be made to write one zero byte in an arbitrary memory
position outside of a char array, causing a DoS or possibly buffer overflows.
This would require enabling dbm for mod_rewrite and making use of a malicious
dbm file.
A source code patch exists which remedies this problem.
-
017: RELIABILITY FIX: August 29, 2004
All architectures
Due to incorrect error handling in zlib an attacker could potentially cause a Denial
of Service attack.
CAN-2004-0797
.
A source code patch exists which remedies this problem.
-
016: RELIABILITY FIX: August 26, 2004
All architectures
As
reported
by Vafa Izadinia
bridge(4)
with IPsec processing enabled can be crashed remotely by a single ICMP echo traversing the bridge.
A source code patch exists which remedies this problem.
-
015: RELIABILITY FIX: August 25, 2004
All architectures
Improved verification of ICMP errors in order to minimize the impact of ICMP attacks
against TCP.
http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html
A source code patch exists which remedies this problem.
-
014: RELIABILITY FIX: July 25, 2004
All architectures
Under a certain network load the kernel can run out of stack space. This was
encountered in an environment using CARP on a VLAN interface. This issue initially
manifested itself as a FPU related crash on boot up.
A source code patch exists which remedies this problem.
-
013: SECURITY FIX: June 12, 2004
All architectures
Multiple vulnerabilities have been found in
httpd(8)
/ mod_ssl.
CAN-2003-0020,
CAN-2003-0987,
CAN-2004-0488,
CAN-2004-0492.
A source code patch exists which remedies this problem.
-
012: SECURITY FIX: June 10, 2004
All architectures
As
disclosed
by Thomas Walpuski
isakmpd(8)
is still vulnerable to unauthorized SA deletion. An attacker can delete IPsec
tunnels at will.
A source code patch exists which remedies this problem.
-
011: SECURITY FIX: June 9, 2004
All architectures
Multiple remote vulnerabilities have been found in the
cvs(1)
server that allow an attacker to crash the server or possibly execute arbitrary
code with the same privileges as the CVS server program.
A source code patch exists which remedies this problem.
-
010: RELIABILITY FIX: June 9, 2004
All architectures
A FIFO bug was introduced in OpenBSD 3.5 that occurs when a FIFO is opened in
non-blocking mode for writing when there are no processes reading the FIFO.
One program affected by this is the qmail
mail server which could go into an infinite loop and consume all CPU.
A source code patch exists which remedies this problem.
-
009: SECURITY FIX: May 30, 2004
All architectures
A flaw in the Kerberos V
kdc(8)
server could result in the administrator of a Kerberos realm having
the ability to impersonate any principal in any other realm which
has established a cross-realm trust with their realm. The flaw is due to
inadequate checking of the "transited" field in a Kerberos request. For
more details see
Heimdal's announcement.
A source code patch exists which remedies this problem.
-
008: SECURITY FIX: May 26, 2004
All architectures
With the introduction of IPv6 code in
xdm(1),
one test on the 'requestPort' resource was deleted by accident. This
makes xdm create the chooser socket even if xdmcp is disabled in
xdm-config, by setting requestPort to 0. See
XFree86
bugzilla for details.
A source code patch exists which remedies this problem.
-
007: SECURITY FIX: May 20, 2004
All architectures
A heap overflow in the
cvs(1)
server has been discovered that can be exploited by clients sending
malformed requests, enabling these clients to run arbitrary code
with the same privileges as the CVS server program.
A source code patch exists which remedies this problem.
-
006: SECURITY FIX: May 13, 2004
All architectures
Check for integer overflow in procfs. Use of procfs is not recommended.
A source code patch exists which remedies this problem.
-
005: RELIABILITY FIX: May 6, 2004
All architectures
Reply to in-window SYN with a rate-limited ACK.
A source code patch exists which remedies this problem.
-
004: RELIABILITY FIX: May 5, 2004
All architectures
Restore the ability to negotiate tags/wide/sync with some SCSI controllers ( i.e.
siop(4),
trm(4),
iha(4)
).
A source code patch exists which remedies this problem.
-
003: RELIABILITY FIX: May 5, 2004
All architectures
Under load "recent model"
gdt(4)
controllers will lock up.
A source code patch exists which remedies this problem.
-
002: SECURITY FIX: May 5, 2004
All architectures
Pathname validation problems have been found in
cvs(1),
allowing malicious clients to create files outside the repository, allowing
malicious servers to overwrite files outside the local CVS tree on
the client and allowing clients to check out files outside the CVS
repository.
A source code patch exists which remedies this problem.
-
001: BROKEN PACKAGE ON CD: May 4, 2004 macppc only
The powerpc autobook-1.3.tgz package found on CD2 has been found to be corrupt,
and will not extract.
A replacement package can be found on the ftp sites.