OpenBSD 3.6 Errata

For errata on a certain release, click below:
2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 3.0, 3.1, 3.2, 3.3, 3.4, 3.5,
3.7, 3.8, 3.9, 4.0, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9, 5.0, 5.1, 5.2,
5.3, 5.4, 5.5, 5.6, 5.7, 5.8, 5.9, 6.0, 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8,
6.9, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7.

Patches for the OpenBSD base system are distributed as unified diffs. Each patch contains usage instructions. All the following patches are also available in one tar.gz file for convenience.

Patches for supported releases are also incorporated into the -stable branch.

001: RELIABILITY FIX: November 10, 2004 All architectures
Fix detection of tape blocksize during device open. Corrects problem with restore(8).
A source code patch exists which remedies this problem.
002: RELIABILITY FIX: November 10, 2004 All architectures
BIND contains a bug which results in BIND trying to contact nameservers via IPv6, even in cases where IPv6 connectivity is non-existent. This results in unnecessary timeouts and thus slow DNS queries.
A source code patch exists which remedies this problem.
003: RELIABILITY FIX: November 10, 2004 All architectures
pppd(8) contains a bug that allows an attacker to crash his own connection, but it cannot be used to deny service to other users.
A source code patch exists which remedies this problem.
004: RELIABILITY FIX: November 10, 2004 All architectures
Due to a bug in lynx(1) it is possible for pages such as this to cause lynx(1) to exhaust memory and then crash when parsing such pages.
A source code patch exists which remedies this problem.
005: RELIABILITY FIX: November 21, 2004 All architectures
Wrong calculation of NAT-D payloads may cause interoperability problems between isakmpd(8) and other ISAKMP/IKE implementations.
A source code patch exists which remedies this problem.
006: RELIABILITY FIX: November 21, 2004 All architectures
Fix for transmit side breakage on macppc and mbuf leaks with xl(4).
A source code patch exists which remedies this problem.
007: SECURITY FIX: December 14, 2004 All architectures
On systems running isakmpd(8) it is possible for a local user to cause kernel memory corruption and system panic by setting ipsec(4) credentials on a socket.
A source code patch exists which remedies this problem.
008: RELIABILITY FIX: January 6, 2005 All architectures
The getcwd(3) library function contains a memory management error, which causes failure to retrieve the current working directory if the path is very long.
A source code patch exists which remedies this problem.
009: SECURITY FIX: January 12, 2005 All architectures
httpd(8) 's mod_include module fails to properly validate the length of user supplied tag strings prior to copying them to a local buffer, causing a buffer overflow.
This would require enabling the XBitHack directive or server-side includes and making use of a malicious document.
A source code patch exists which remedies this problem.
010: RELIABILITY FIX: January 11, 2005 All architectures
A bug in the tcp(4) stack allows an invalid argument to be used in calculating the TCP retransmit timeout. By sending packets with specific values in the TCP timestamp option, an attacker can cause a system panic.
A source code patch exists which remedies this problem.
011: SECURITY FIX: February 28, 2005 i386 only
More stringent checking should be done in the copy(9) functions to prevent their misuse.
A source code patch exists which remedies this problem.
012: SECURITY FIX: March 16, 2005 amd64 only
More stringent checking should be done in the copy(9) functions to prevent their misuse.
A source code patch exists which remedies this problem.
013: RELIABILITY FIX: March 30, 2005 All architectures
Bugs in the tcp(4) stack can lead to memory exhaustion or processing of TCP segments with invalid SACK options and cause a system crash.
A source code patch exists which remedies this problem.
014: SECURITY FIX: March 30, 2005 All architectures
Due to buffer overflows in telnet(1), a malicious server or man-in-the-middle attack could allow execution of arbitrary code with the privileges of the user invoking telnet(1). Noone should use telnet anymore. Please use ssh(1).
A source code patch exists which remedies this problem.
015: RELIABILITY FIX: April 4, 2005 All architectures
Handle an edge condition in tcp(4) timestamps.
A source code patch exists which remedies this problem.
016: SECURITY FIX: April 28, 2005 All architectures
Fix a buffer overflow, memory leaks, and NULL pointer dereference in cvs(1) . None of these issues are known to be exploitable. CAN-2005-0753 .
A source code patch exists which remedies this problem.
017: RELIABILITY FIX: June 15, 2005 All architectures
As discovered by Stefan Miltchev calling getsockopt(2) to get ipsec(4) credentials for a socket can result in a kernel panic.
A source code patch exists which remedies this problem.
018: SECURITY FIX: June 20, 2005 All architectures
Due to a race condition in its command pathname handling, a user with sudo(8) privileges may be able to run arbitrary commands if the user's entry is followed by an entry that grants sudo ALL privileges to another user.
A source code patch exists which remedies this problem.
019: SECURITY FIX: July 6, 2005 All architectures
A buffer overflow has been found in compress(3) which may be exploitable.
A source code patch exists which remedies this problem.
020: SECURITY FIX: July 21, 2005 All architectures
A buffer overflow has been found in compress(3) which may be exploitable.
Please note that this fixes a different buffer overflow than the previous zlib patch.
A source code patch exists which remedies this problem.