This is the OpenBSD 3.9 release errata & patch list:
For OpenBSD patch branch information, please refer here.
For important packages updates, please refer here.
For errata on a certain release, click below:
2.1,
2.2,
2.3,
2.4,
2.5,
2.6,
2.7,
2.8,
2.9,
3.0,
3.1,
3.2,
3.3,
3.4,
3.5,
3.6,
3.7,
3.8,
4.0,
4.1,
4.2,
4.3,
4.4,
4.5,
4.6,
4.7,
4.8,
4.9,
5.0,
5.1,
5.2,
5.3,
5.4,
5.5.
You can also fetch a tar.gz file containing all the following patches.
This file is updated once a day.
The patches below are available in CVS via the
OPENBSD_3_9
patch branch.
For more detailed information on how to install patches to OpenBSD, please
consult the OpenBSD FAQ.
-
023: STABILITY FIX: April 26, 2007
PowerPC
An unhandled AltiVec assist exception can cause a kernel panic.
A source code patch exists which remedies this problem.
-
022: SECURITY FIX: April 23, 2007
All architectures
IPv6 type 0 route headers can be used to mount a DoS attack against
hosts and networks. This is a design flaw in IPv6 and not a bug in
OpenBSD.
A source code patch exists which remedies this problem.
-
021: SECURITY FIX: April 4, 2007
All architectures
Multiple vulnerabilities have been discovered in X.Org.
XC-MISC extension ProcXCMiscGetXIDList memory corruption vulnerability,
BDFFont parsing integer overflow vulnerability,
fonts.dir file parsing integer overflow vulnerability,
multiple integer overflows in the XGetPixel() and XInitImage functions
in ImUtil.c.
CVE-2007-1003,
CVE-2007-1351,
CVE-2007-1352,
CVE-2007-1667.
A source code patch exists which remedies this problem.
-
020: SECURITY FIX: March 7, 2007
All architectures
2nd revision, March 17, 2007
Incorrect mbuf handling for ICMP6 packets.
Using
pf(4)
to avoid the problem packets is an effective workaround until the patch
can be installed.
Use "block in inet6" in /etc/pf.conf
A source code patch exists which remedies this problem.
-
019: INTEROPERABILITY FIX: February 4, 2007
All architectures
A US daylight saving time rules change takes effect in 2007.
A source code patch exists which syncs the timezone data files with tzdata2007a.
-
018: RELIABILITY FIX: January 16, 2007
All architectures
Under some circumstances, processing an ICMP6 echo request would cause
the kernel to enter an infinite loop.
A source code patch exists which remedies this problem.
-
017: SECURITY FIX: January 3, 2007
i386 only
Insufficient validation in
vga(4)
may allow an attacker to gain root privileges if the kernel is compiled with
option PCIAGP
and the actual device is not an AGP device.
The PCIAGP option is present by default on i386
kernels only.
A source code patch exists which remedies this problem.
-
016: SECURITY FIX: November 19, 2006
All architectures
The ELF
ld.so(1)
fails to properly sanitize the environment. There is a potential localhost security
problem in cases we have not found yet. This patch applies to all ELF-based
systems (m68k, m88k, and vax are a.out-based systems).
A source code patch exists which remedies this problem.
-
015: SECURITY FIX: October 12, 2006
All architectures
Fix 2 security bugs found in OpenSSH. A pre-authentication denial of service (found
by Tavis Ormandy) that would cause
sshd(8)
to spin until the login grace time expired.
An unsafe signal handler (found by Mark Dowd) that is vulnerable to a race condition
that could be exploited to perform a pre-authentication denial of service.
CVE-2006-4924,
CVE-2006-5051
A source code patch exists which remedies this problem.
-
014: SECURITY FIX: October 7, 2006
All architectures
Fix for an integer overflow in
systrace(4)'s
STRIOCREPLACE support, found by
Chris Evans. This could be exploited for DoS, limited kmem reads or local
privilege escalation.
A source code patch exists which remedies this problem.
-
013: SECURITY FIX: October 7, 2006
All architectures
Several problems have been found in OpenSSL. While parsing certain invalid ASN.1
structures an error condition is mishandled, possibly resulting in an infinite
loop. A buffer overflow exists in the SSL_get_shared_ciphers function. A NULL
pointer may be dereferenced in the SSL version 2 client code. In addition, many
applications using OpenSSL do not perform any validation of the lengths of
public keys being used.
CVE-2006-2937,
CVE-2006-3738,
CVE-2006-4343,
CVE-2006-2940
A source code patch exists which remedies this problem.
-
012: SECURITY FIX: October 7, 2006
All architectures
httpd(8)
does not sanitize the Expect header from an HTTP request when it is
reflected back in an error message, which might allow cross-site scripting (XSS)
style attacks.
CVE-2006-3918
A source code patch exists which remedies this problem.
-
011: SECURITY FIX: September 8, 2006
All architectures
Due to incorrect PKCS#1 v1.5 padding validation in OpenSSL, it is possible for
an attacker to construct an invalid signature which OpenSSL would accept as a
valid PKCS#1 v1.5 signature.
CVE-2006-4339
A source code patch exists which remedies this problem.
-
010: SECURITY FIX: September 8, 2006
All architectures
Two Denial of Service issues have been found with BIND.
An attacker who can perform recursive lookups on a DNS server and is able
to send a sufficiently large number of recursive queries, or is able to
get the DNS server to return more than one SIG(covered) RRsets can stop
the functionality of the DNS service.
An attacker querying an authoritative DNS server serving a RFC 2535
DNSSEC zone may be able to crash the DNS server.
CVE-2006-4095
CVE-2006-4096
A source code patch exists which remedies this problem.
-
009: SECURITY FIX: September 2, 2006
All architectures
Due to the failure to correctly validate LCP configuration option lengths,
it is possible for an attacker to send LCP packets via an
sppp(4)
connection causing the kernel to panic.
CVE-2006-4304
A source code patch exists which remedies this problem.
-
008: SECURITY FIX: August 25, 2006
All architectures
A problem in
isakmpd(8)
caused IPsec to run partly without replay protection. If
isakmpd(8)
was acting as responder during SA negotiation, SA's with a replay window of size 0 were created.
An attacker could reinject sniffed IPsec packets, which will be accepted without checking the
replay counter.
A source code patch exists which remedies this problem.
-
007: SECURITY FIX: August 25, 2006
All architectures
It is possible to cause the kernel to panic when more than the default number of
sempahores have been allocated.
A source code patch exists which remedies this problem.
-
006: SECURITY FIX: August 25, 2006
All architectures
Due to an off-by-one error in
dhcpd(8),
it is possible to cause
dhcpd(8)
to exit by sending a DHCPDISCOVER packet with a 32-byte client identifier option.
CVE-2006-3122
A source code patch exists which remedies this problem.
-
005: SECURITY FIX: August 25, 2006
All architectures
A potential denial of service problem has been found in sendmail. A message
with really long header lines could trigger a use-after-free bug causing
sendmail to crash.
A source code patch exists which remedies this problem.
-
004: SECURITY FIX: July 30, 2006
All architectures
httpd(8)'s
mod_rewrite has a potentially exploitable off-by-one buffer overflow.
The buffer overflow may result in a vulnerability which, in combination
with certain types of Rewrite rules in the web server configuration files,
could be triggered remotely. The default install is not affected by the
buffer overflow. CVE-2006-3747
A source code patch exists which remedies this problem.
-
003: SECURITY FIX: June 15, 2006
All architectures
A potential denial of service problem has been found in sendmail. A malformed MIME
message could trigger excessive recursion which will lead to stack exhaustion.
This denial of service attack only affects delivery of mail from the queue and
delivery of a malformed message. Other incoming mail is still accepted and
delivered. However, mail messages in the queue may not be reattempted if a
malformed MIME message exists.
A source code patch exists which remedies this problem.
-
002: SECURITY FIX: May 2, 2006
All architectures
A security vulnerability has been found in the X.Org server --
CVE-2006-1526.
Clients authorized to connect to the X server are able to crash it and to execute
malicious code within the X server.
A source code patch exists which remedies this problem.
-
001: SECURITY FIX: March 25, 2006
All architectures
A race condition has been reported to exist in the handling by sendmail of
asynchronous signals. A remote attacker may be able to execute arbitrary code with the
privileges of the user running sendmail, typically root. This is the second revision of
this patch.
A source code patch exists which remedies this problem.