Patches for the OpenBSD base system are distributed as unified diffs.
Each patch contains usage instructions.
All the following patches are also available in one tar.gz file for convenience.
Patches for supported releases are also incorporated into the
-stable branch.
001: BROKEN PACKAGE ON CD: May 4, 2004 (macppc only)
The powerpc autobook-1.3.tgz package found on CD2 has been found to be corrupt,
and will not extract.
A replacement package can be found on the ftp sites.
002: SECURITY FIX: May 5, 2004 (All architectures)
Pathname validation problems have been found in cvs(1). They allow a
malicious client to create files outside the repository, a malicious
server to overwrite files outside the local CVS tree on the client, and
a client to check out files outside the CVS repository.
A source code patch exists which remedies this problem.
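The common thread in the three problems above is that a pathname received from the other side of the connection was used without first checking that it stays under the repository (server side) or the working tree (client side). The following is an added example, not OpenBSD's or CVS's own code, of the containment check a server should apply to client-supplied paths and a client to server-supplied ones; the function name and the repository root /cvs are assumptions made for the illustration.

```python
"""Reject pathnames that would escape a CVS repository root or working tree.

Added example, not CVS source: the root path and sample inputs are constructed.
"""
import posixpath


def contain_path(root, pathname):
    """Return the normalized absolute path of `pathname` inside `root`,
    or None if the pathname would escape the root.

    The same check serves both directions: paths a client sends to the
    server (e.g. in Directory/Argument requests) and paths a server sends
    back to the client (e.g. in Updated/Created responses).
    """
    if not pathname or "\0" in pathname:
        return None
    # A leading "/" would let the peer name any file on the host.
    if pathname.startswith("/"):
        return None
    # Reject ".." as a component anywhere, before normalization, rather than
    # trusting normpath to fold "a/../../x" safely.  "..hidden" is a normal name.
    if any(component == ".." for component in pathname.split("/")):
        return None
    normalized = posixpath.normpath(pathname)
    if normalized == ".":
        # The bare root is not a file the peer may name.
        return None
    return posixpath.join(root, normalized)


# Constructed sample of paths a peer might send, with the expected verdicts.
SAMPLE_PATHS = [
    "src/sys/kern/vfs.c",         # ordinary path: accepted
    "src/./sys//kern/",           # messy but contained: normalized and accepted
    "src/..hidden/file",          # ".." only as a substring: accepted
    "../etc/passwd",              # parent traversal: rejected
    "src/../../etc/passwd",       # traversal after a valid prefix: rejected
    "/etc/passwd",                # absolute path: rejected
]


def check_samples(root="/cvs"):
    """Map each constructed sample path to its contained form or None."""
    return {p: contain_path(root, p) for p in SAMPLE_PATHS}


if __name__ == "__main__":
    for path, result in check_samples().items():
        print(f"{path!r:28} -> {result}")
```

The check is lexical, so it must be applied to the path that is then actually opened (the returned normalized value, never the original string). Symbolic links inside the repository that point outside it are a separate concern that a lexical check cannot see; resolving with os.path.realpath against the real filesystem and re-checking the prefix closes that gap on a live system.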
007: SECURITY FIX: May 20, 2004 (All architectures)
A heap overflow in the
cvs(1)
server has been discovered that can be exploited by clients sending
malformed requests, enabling these clients to run arbitrary code
with the same privileges as the CVS server program.
A source code patch exists which remedies this problem.
008: SECURITY FIX: May 26, 2004 (All architectures)
With the introduction of IPv6 code in
xdm(1),
one test on the 'requestPort' resource was deleted by accident. As a
result, xdm creates the chooser socket even when XDMCP has been disabled
in xdm-config by setting requestPort to 0. See
XFree86
bugzilla for details.
A source code patch exists which remedies this problem.
009: SECURITY FIX: May 30, 2004 (All architectures)
A flaw in the Kerberos V
kdc(8)
server could result in the administrator of a Kerberos realm having
the ability to impersonate any principal in any other realm which
has established a cross-realm trust with their realm. The flaw is due to
inadequate checking of the "transited" field in a Kerberos request. For
more details see
Heimdal's announcement.
A source code patch exists which remedies this problem.
010: RELIABILITY FIX: June 9, 2004 (All architectures)
A FIFO bug was introduced in OpenBSD 3.5 that occurs when a FIFO is opened in
non-blocking mode for writing when there are no processes reading the FIFO.
One program affected by this is the qmail
mail server which could go into an infinite loop and consume all CPU.
A source code patch exists which remedies this problem.
011: SECURITY FIX: June 9, 2004 (All architectures)
Multiple remote vulnerabilities have been found in the
cvs(1)
server that allow an attacker to crash the server or possibly execute arbitrary
code with the same privileges as the CVS server program.
A source code patch exists which remedies this problem.
014: RELIABILITY FIX: July 25, 2004 (All architectures)
Under certain network loads the kernel can run out of stack space. This was
encountered in an environment using CARP on a VLAN interface. The issue initially
manifested itself as an FPU-related crash during boot.
A source code patch exists which remedies this problem.
018: SECURITY FIX: September 10, 2004 (All architectures)
The mod_rewrite module of httpd(8) can be made to write a single zero byte to an
arbitrary memory location outside of a char array, causing a denial of service or
possibly a buffer overflow.
This would require enabling dbm for mod_rewrite and making use of a malicious
dbm file.
A source code patch exists which remedies this problem.
019: SECURITY FIX: September 16, 2004 (All architectures)
Chris Evans reported several flaws (stack and integer overflows) in the
Xpm
library code that parses image files
(CAN-2004-0687,
CAN-2004-0688).
Some of these could be exploited by feeding a malicious image file to an
application that handles XPM images, provided the overflow could evade
ProPolice's stack protection.
A source code patch exists which remedies this problem.
020: SECURITY FIX: September 20, 2004 (All architectures)
Eilko Bos reported that RADIUS authentication, as implemented by
login_radius(8),
did not verify the shared-secret-based authenticator on replies sent by the
RADIUS server. This could allow an attacker who can inject a reply to spoof
an Access-Accept and be granted access. Note that OpenBSD does not ship with
RADIUS authentication enabled.
A source code patch exists which remedies this problem.
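What the missing check amounts to: a RADIUS reply carries a 16-byte Response Authenticator, MD5 over the reply's code, identifier and length, the Request Authenticator the client chose, the reply's attributes, and the shared secret (RFC 2865, section 3). A client that does not recompute it accepts any Access-Accept with a matching identifier. The block below is an added example, not login_radius(8) code, contrasting the flawed "trust the code field" behaviour with the proper verification; the secret, packets and function names are constructed for the illustration.

```python
"""Verify a RADIUS reply's Response Authenticator (RFC 2865 section 3).

Added example, not OpenBSD or login_radius(8) code.  Secret and packets are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def build_reply(code, identifier, request_auth, attributes, secret):
    """Build a reply the way a server that knows the shared secret does:
    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    response_auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + response_auth + attributes


def verify_reply(packet, expected_id, request_auth, secret):
    """Return the reply code only if identifier and Response Authenticator
    check out against the outstanding request; otherwise return None."""
    if len(packet) < HEADER_LEN:
        return None
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if identifier != expected_id or length < HEADER_LEN or length > len(packet):
        return None
    attributes = packet[HEADER_LEN:length]
    expected = hashlib.md5(packet[:4] + request_auth + attributes + secret).digest()
    # Constant-time comparison so the check does not leak via timing.
    if not hmac.compare_digest(expected, packet[4:HEADER_LEN]):
        return None
    return code


def unchecked_reply_code(packet, expected_id):
    """The flawed behaviour: accept the code field on identifier match alone."""
    if len(packet) < HEADER_LEN or packet[1] != expected_id:
        return None
    return packet[0]


def demo():
    """Genuine reject vs. spoofed accept, seen by the checked and unchecked client."""
    secret = b"constructed-shared-secret"
    ident = 7
    request_auth = os.urandom(16)  # client picks a fresh Request Authenticator
    attrs = b""                    # no attributes needed for the demonstration
    genuine = build_reply(ACCESS_REJECT, ident, request_auth, attrs, secret)
    # An attacker on the path forges an Access-Accept without knowing the secret.
    spoofed = build_reply(ACCESS_ACCEPT, ident, request_auth, attrs, b"wrong-secret")
    # Flipping the code of a genuine reply must also fail the check.
    tampered = bytes([ACCESS_ACCEPT]) + genuine[1:]
    return {
        "genuine_checked": verify_reply(genuine, ident, request_auth, secret),
        "spoofed_checked": verify_reply(spoofed, ident, request_auth, secret),
        "tampered_checked": verify_reply(tampered, ident, request_auth, secret),
        "spoofed_unchecked": unchecked_reply_code(spoofed, ident),
        "replayed_checked": verify_reply(genuine, ident, os.urandom(16), secret),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18} -> {value}")
```

Binding the Response Authenticator to the client's random Request Authenticator is what makes the last case fail: a captured genuine reply cannot be replayed against a later request. The identifier check alone, as the flawed branch shows, stops nothing.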
021: RELIABILITY FIX: November 10, 2004 (All architectures)
BIND contains a bug that makes it try to contact nameservers over IPv6 even
where no IPv6 connectivity exists. This results in unnecessary timeouts and
thus slow DNS queries.
A source code patch exists which remedies this problem.
025: RELIABILITY FIX: January 6, 2005 (All architectures)
The
getcwd(3)
library function contains a memory management error, which causes it to fail
to retrieve the current working directory if the path is very long.
A source code patch exists which remedies this problem.
026: SECURITY FIX: January 12, 2005 (All architectures)
The mod_include module of httpd(8) fails to properly validate the length of
user-supplied tag strings prior to copying them to a local buffer,
causing a buffer overflow.
This would require enabling the XBitHack directive or server-side
includes and making use of a malicious document.
A source code patch exists which remedies this problem.
027: RELIABILITY FIX: January 11, 2005 (All architectures)
A bug in the
tcp(4)
stack allows an invalid argument to be used in calculating the TCP
retransmit timeout. By sending packets with specific values in the TCP
timestamp option, an attacker can cause a system panic.
A source code patch exists which remedies this problem.