OpenBSD 4.2 Errata

For errata on a certain release, click below:
2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 3.0, 3.1, 3.2, 3.3, 3.4, 3.5,
3.6, 3.7, 3.8, 3.9, 4.0, 4.1, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9, 5.0, 5.1, 5.2,
5.3, 5.4, 5.5, 5.6, 5.7, 5.8, 5.9, 6.0, 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8,
6.9, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7.

Patches for the OpenBSD base system are distributed as unified diffs. Each patch contains usage instructions. All the following patches are also available in one tar.gz file for convenience.

Patches for supported releases are also incorporated into the -stable branch.

001: SECURITY FIX: October 8, 2007 All architectures
Malicious DHCP clients could cause dhcpd(8) to corrupt its stack
A DHCP client that claimed to require a maximum message size less than the minimum IP MTU could cause dhcpd(8) to overwrite stack memory.
A source code patch exists which remedies this problem.
002: SECURITY FIX: October 10, 2007 All architectures
The SSL_get_shared_ciphers() function in OpenSSL contains an off-by-one overflow.
A source code patch exists which remedies this problem.
003: CD BOOT FAILURE ON OLDER COMPUTERS : October 30, 2007 i386 only
Some older BIOSes are unable to boot CD1 (ie. the commercial release sold by the project, not the CD images available on the net). A workaround using CD2 (amd64 architecture) is as follows. (An amd64 machine is NOT required for this to work.)
1. Insert CD2 and tell your computer to boot it;
2. When the boot> prompt appears, stop the automatic boot by pressing the space bar;
3. Remove CD2 and insert CD1;
4. Erase the character you typed to stop the boot, type
  boot /4.2/i386/bsd.rd
  then press Enter.
004: RELIABILITY FIX: November 27, 2007 All architectures
A memory leak in pf can lead to machine lockups.
A source code patch exists which remedies this problem.
005: RELIABILITY FIX: January 11, 2008 All architectures
A missing NULL pointer check can lead to a kernel panic.
A source code patch exists which remedies this problem.
006: SECURITY FIX: February 8, 2008 All architectures
2nd revision, February 10, 2008
Multiple vulnerabilities have been discovered in X.Org.
XFree86 Misc extension out of bounds array index, File existence disclosure, Xinput extension memory corruption, TOG-cup extension memory corruption, MIT-SHM and EVI extensions integer overflows, PCF Font parser buffer overflow. CVE-2007-5760, CVE-2007-5958, CVE-2007-6427, CVE-2007-6428, CVE-2007-6429, CVE-2008-0006.
A source code patch exists which remedies this problem.
007: RELIABILITY FIX: February 22, 2008 All architectures
Incorrect assumptions in tcp_respond can lead to a kernel panic.
A source code patch exists which remedies this problem.
008: RELIABILITY FIX: February 25, 2008 All architectures
Malformed IPv6 routing headers can cause a kernel panic.
A source code patch exists which remedies this problem.
009: SECURITY FIX: March 7, 2008 All architectures
Buffer overflow in ppp command prompt parsing.
A source code patch exists which remedies this problem.
010: SECURITY FIX: March 30, 2008 All architectures
sshd(8) would execute ~/.ssh/rc even when a sshd_config(5) ForceCommand directive was in effect, allowing users with write access to this file to execute arbitrary commands. This behaviour was documented, but was an unsafe default and an extra hassle for administrators.
A source code patch exists which remedies this problem.
011: SECURITY FIX: April 3, 2008 All architectures
Avoid possible hijacking of X11-forwarded connections with sshd(8) by refusing to listen on a port unless all address families bind successfully.
A source code patch exists which remedies this problem.
012: SECURITY FIX: July 15, 2008 All architectures
Multiple vulnerabilities have been discovered in X.Org.
RENDER Extension heap buffer overflow, RENDER Extension crash, RENDER Extension memory corruption, MIT-SHM arbitrary memory read, RECORD and Security extensions memory corruption. CVE-2008-2360, CVE-2008-2361, CVE-2008-2362, CVE-2008-1379, CVE-2008-1377.
A source code patch exists which remedies this problem.
013: SECURITY FIX: July 23, 2008 All architectures
2nd revision, July 23, 2008
A vulnerability has been found with BIND. An attacker could use this vulnerability to poison the cache of a recursive resolving name server. CVE-2008-1447.
A source code patch exists which remedies this problem.
014: RELIABILITY FIX: July 29, 2008 All architectures
Some kinds of IPv6 usage would leak kernel memory (in particular, this path was exercised by the named(8) patch for port randomization). Since INET6 is enabled by default, this condition affects all systems.
A source code patch exists which remedies this problem.
015: SECURITY FIX: October 2, 2008 All architectures
The Neighbor Discovery Protocol (ndp) did not correctly verify neighbor solicitation requests maybe allowing a nearby attacker to intercept traffic. The attacker must have IPv6 connectivity to the same router as their target for this vulnerability to be exploited. CVE-2008-2476.
A source code patch exists which remedies this problem.