<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>OpenBSD 3.4 Errata</title>
<meta name="description" content="the OpenBSD CD errata page">
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="openbsd.css">
<link rel="canonical" href="https://www.openbsd.org/errata34.html">
</head>
<!--
IMPORTANT REMINDER
IF YOU ADD A NEW ERRATUM, MAIL THE PATCH TO TECH AND ANNOUNCE
-->
<h2>
<a href="index.html">
<font color="#0000ff"><i>Open</i></font><font color="#000084">BSD</font></a>
<font color="#e00000">3.4 Errata</font>
</h2>
<hr>
For errata on a certain release, click below:<br>
<a href="errata21.html">2.1</a>,
<a href="errata22.html">2.2</a>,
<a href="errata23.html">2.3</a>,
<a href="errata24.html">2.4</a>,
<a href="errata25.html">2.5</a>,
<a href="errata26.html">2.6</a>,
<a href="errata27.html">2.7</a>,
<a href="errata28.html">2.8</a>,
<a href="errata29.html">2.9</a>,
<a href="errata30.html">3.0</a>,
<a href="errata31.html">3.1</a>,
<a href="errata32.html">3.2</a>,
<a href="errata33.html">3.3</a>,
<a href="errata35.html">3.5</a>,
<a href="errata36.html">3.6</a>,
<a href="errata37.html">3.7</a>,
<br>
<a href="errata38.html">3.8</a>,
<a href="errata39.html">3.9</a>,
<a href="errata40.html">4.0</a>,
<a href="errata41.html">4.1</a>,
<a href="errata42.html">4.2</a>,
<a href="errata43.html">4.3</a>,
<a href="errata44.html">4.4</a>,
<a href="errata45.html">4.5</a>,
<a href="errata46.html">4.6</a>,
<a href="errata47.html">4.7</a>,
<a href="errata48.html">4.8</a>,
<a href="errata49.html">4.9</a>,
<a href="errata50.html">5.0</a>,
<a href="errata51.html">5.1</a>,
<a href="errata52.html">5.2</a>,
<a href="errata53.html">5.3</a>,
<br>
<a href="errata54.html">5.4</a>,
<a href="errata55.html">5.5</a>,
<a href="errata56.html">5.6</a>,
<a href="errata57.html">5.7</a>,
<a href="errata58.html">5.8</a>,
<a href="errata59.html">5.9</a>,
<a href="errata60.html">6.0</a>,
<a href="errata61.html">6.1</a>,
<a href="errata62.html">6.2</a>,
<a href="errata63.html">6.3</a>,
<a href="errata64.html">6.4</a>.
<hr>
<p>
Patches for the OpenBSD base system are distributed as unified diffs.
Each patch contains usage instructions.
All the following patches are also available in one
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.4.tar.gz">tar.gz file</a>
for convenience.
<p>
Patches for supported releases are also incorporated into the
<a href="stable.html">-stable branch</a>.
<hr>
<ul>
<li id="pfkey">
<font color="#009000"><strong>035: SECURITY FIX: December 13, 2004</strong></font>
<i>All architectures</i><br>
On systems running
<a href="https://man.openbsd.org/OpenBSD-3.4/isakmpd.8">isakmpd(8)</a>
it is possible for a local user to cause kernel memory corruption
and system panic by setting
<a href="https://man.openbsd.org/OpenBSD-3.4/ipsec.4">ipsec(4)</a>
credentials on a socket.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/035_pfkey.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="lynx">
<font color="#009000"><strong>034: RELIABILITY FIX: November 10, 2004</strong></font>
<i>All architectures</i><br>
Due to a bug in
<a href="https://man.openbsd.org/OpenBSD-3.4/lynx.1">lynx(1)</a>
it is possible for pages such as
<a href="http://lcamtuf.coredump.cx/mangleme/gallery/lynx_die1.html">this</a>
to cause
<a href="https://man.openbsd.org/OpenBSD-3.4/lynx.1">lynx(1)</a>
to exhaust memory and then crash when parsing such pages.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/034_lynx.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="pppd">
<font color="#009000"><strong>033: RELIABILITY FIX: November 10, 2004</strong></font>
<i>All architectures</i><br>
<a href="https://man.openbsd.org/OpenBSD-3.4/pppd.8">pppd(8)</a>
contains a bug that allows an attacker to crash his own connection, but it cannot
be used to deny service to other users.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/033_pppd.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="bind">
<font color="#009000"><strong>032: RELIABILITY FIX: November 10, 2004</strong></font>
<i>All architectures</i><br>
BIND contains a bug which results in BIND trying to contact nameservers via IPv6, even in
cases where IPv6 connectivity is non-existent. This results in unnecessary timeouts and
thus slow DNS queries.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/032_bind.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="radius">
<font color="#009000"><strong>031: SECURITY FIX: September 20, 2004</strong></font>
<i>All architectures</i><br>
Eilko Bos reported that radius authentication, as implemented by
<a href="https://man.openbsd.org/OpenBSD-3.4/login_radius.8">login_radius(8)</a>,
was not checking the shared secret used for replies sent by the radius server.
This could allow an attacker to spoof a reply granting access to the
attacker. Note that OpenBSD does not ship with radius authentication enabled.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/031_radius.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="xpm">
<font color="#009000"><strong>030: SECURITY FIX: September 16, 2004</strong></font>
<i>All architectures</i><br>
Chris Evans reported several flaws (stack and integer overflows) in the
<a href="http://www.inria.fr/koala/lehors/xpm.html">Xpm</a>
library code that parses image files
(<a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0687">CAN-2004-0687</a>,
<a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0688">CAN-2004-0688</a>).
Some of these would be exploitable when parsing malicious image files in
an application that handles XPM images, if they could escape ProPolice.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/030_xpm.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="httpd4">
<font color="#009000"><strong>029: SECURITY FIX: September 10, 2004</strong></font>
<i>All architectures</i><br>
<a href="https://man.openbsd.org/OpenBSD-3.4/httpd.8">httpd(8)</a>'s
mod_rewrite module can be made to write one zero byte in an arbitrary memory
position outside of a char array, causing a DoS or possibly buffer overflows.
This would require enabling dbm for mod_rewrite and making use of a malicious
dbm file.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/029_httpd4.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="bridge">
<font color="#009000"><strong>028: RELIABILITY FIX: August 26, 2004</strong></font>
<i>All architectures</i><br>
As
<a href="https://marc.info/?l=bugtraq&m=109345131508824&w=2">reported</a>
by Vafa Izadinia,
<a href="https://man.openbsd.org/OpenBSD-3.4/bridge.4">bridge(4)</a>
with IPsec processing enabled can be crashed remotely by a single ICMP echo traversing the bridge.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/028_bridge.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="icmp">
<font color="#009000"><strong>027: RELIABILITY FIX: August 25, 2004</strong></font>
<i>All architectures</i><br>
Improved verification of ICMP errors in order to minimize the impact of ICMP attacks
against TCP.
<br>
<a href="http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html">http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html</a>
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/027_icmp.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="rnd">
<font color="#009000"><strong>026: RELIABILITY FIX: July 25, 2004</strong></font>
<i>All architectures</i><br>
Under a certain network load the kernel can run out of stack space. This was
encountered in an environment using CARP on a VLAN interface. This issue initially
manifested itself as an FPU-related crash on boot up.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/026_rnd.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="httpd3">
<font color="#009000"><strong>025: SECURITY FIX: June 12, 2004</strong></font>
<i>All architectures</i><br>
Multiple vulnerabilities have been found in
<a href="https://man.openbsd.org/OpenBSD-3.4/httpd.8">httpd(8)</a>
/ mod_ssl.
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020">CAN-2003-0020</a>,
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0987">CAN-2003-0987</a>,
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488">CAN-2004-0488</a>,
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0492">CAN-2004-0492</a>.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/025_httpd3.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="isakmpd3">
<font color="#009000"><strong>024: SECURITY FIX: June 10, 2004</strong></font>
<i>All architectures</i><br>
As
<a href="http://seclists.org/lists/fulldisclosure/2004/Jun/0191.html">disclosed</a>
by Thomas Walpuski,
<a href="https://man.openbsd.org/OpenBSD-3.4/isakmpd.8">isakmpd(8)</a>
is still vulnerable to unauthorized SA deletion. An attacker can delete IPsec
tunnels at will.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/024_isakmpd3.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="cvs3">
<font color="#009000"><strong>023: SECURITY FIX: June 9, 2004</strong></font>
<i>All architectures</i><br>
Multiple remote vulnerabilities have been found in the
<a href="https://man.openbsd.org/OpenBSD-3.4/cvs.1">cvs(1)</a>
server that allow an attacker to crash the server or possibly execute arbitrary
code with the same privileges as the CVS server program.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/023_cvs3.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="kerberos">
<font color="#009000"><strong>022: SECURITY FIX: May 30, 2004</strong></font>
<i>All architectures</i><br>
A flaw in the Kerberos V
<a href="https://man.openbsd.org/OpenBSD-3.4/kdc.8">kdc(8)</a>
server could result in the administrator of a Kerberos realm having
the ability to impersonate any principal in any other realm which
has established a cross-realm trust with their realm. The flaw is due to
inadequate checking of the "transited" field in a Kerberos request. For
more details see <a href="http://www.pdc.kth.se/heimdal/advisory/2004-04-01/">
Heimdal's announcement</a>.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/022_kerberos.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="cvs2">
<font color="#009000"><strong>021: SECURITY FIX: May 20, 2004</strong></font>
<i>All architectures</i><br>
A heap overflow in the
<a href="https://man.openbsd.org/OpenBSD-3.4/cvs.1">cvs(1)</a>
server has been discovered that can be exploited by clients sending
malformed requests, enabling these clients to run arbitrary code
with the same privileges as the CVS server program.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/021_cvs2.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="procfs">
<font color="#009000"><strong>020: SECURITY FIX: May 13, 2004</strong></font>
<i>All architectures</i><br>
Check for integer overflow in procfs. Use of procfs is not recommended.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/020_procfs.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="tcp2">
<font color="#009000"><strong>019: RELIABILITY FIX: May 6, 2004</strong></font>
<i>All architectures</i><br>
Reply to in-window SYN with a rate-limited ACK.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/019_tcp2.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="gdt">
<font color="#009000"><strong>018: RELIABILITY FIX: May 5, 2004</strong></font>
<i>All architectures</i><br>
Under load "recent model"
<a href="https://man.openbsd.org/OpenBSD-3.4/gdt.4">gdt(4)</a>
controllers will lock up.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/018_gdt.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="cvs">
<font color="#009000"><strong>017: SECURITY FIX: May 5, 2004</strong></font>
<i>All architectures</i><br>
Pathname validation problems have been found in
<a href="https://man.openbsd.org/OpenBSD-3.4/cvs.1">cvs(1)</a>,
allowing malicious clients to create files outside the repository, allowing
malicious servers to overwrite files outside the local CVS tree on
the client and allowing clients to check out files outside the CVS
repository.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/017_cvs.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="openssl">
<font color="#009000"><strong>016: RELIABILITY FIX: March 17, 2004</strong></font>
<i>All architectures</i><br>
A missing check for a NULL-pointer dereference has been found in
<a href="https://man.openbsd.org/OpenBSD-3.4/ssl.3">ssl(3)</a>.
A remote attacker can use the bug to cause an OpenSSL application to crash;
this may lead to a denial of service.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/016_openssl.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="isakmpd2">
<font color="#009000"><strong>015: RELIABILITY FIX: March 17, 2004</strong></font>
<i>All architectures</i><br>
Defects in the payload validation and processing functions of
<a href="https://man.openbsd.org/OpenBSD-3.4/isakmpd.8">isakmpd(8)</a>
have been discovered. An attacker could send malformed ISAKMP messages and
cause isakmpd to crash or to loop endlessly. This patch fixes these problems
and removes some memory leaks.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/015_isakmpd2.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="httpd2">
<font color="#009000"><strong>014: SECURITY FIX: March 13, 2004</strong></font>
<i>All architectures</i><br>
Due to a bug in the parsing of Allow/Deny rules for
<a href="https://man.openbsd.org/OpenBSD-3.4/httpd.8">httpd(8)'s</a>
access module, using IP addresses without a netmask on big endian 64-bit
platforms causes the rules to fail to match. This only affects sparc64.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/014_httpd2.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="tcp">
<font color="#009000"><strong>013: RELIABILITY FIX: March 8, 2004</strong></font>
<i>All architectures</i><br>
OpenBSD's TCP/IP stack did not impose limits on how many out-of-order
TCP segments are queued in the system. An attacker could
send out-of-order TCP segments and trick the system into using all
available memory buffers.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/013_tcp.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="font">
<font color="#009000"><strong>012: RELIABILITY FIX: February 14, 2004</strong></font>
<i>All architectures</i><br>
Several buffer overflows exist in the code parsing
font.aliases files in XFree86. Thanks to ProPolice, these cannot be
exploited to gain privileges, but they can cause the X server to abort.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/012_font.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="ip6">
<font color="#009000"><strong>011: SECURITY FIX: February 8, 2004</strong></font>
<i>All architectures</i><br>
An IPv6 MTU handling problem exists that could be used by an attacker
to cause a denial of service attack against hosts with reachable IPv6
TCP ports.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/011_ip6.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="sysvshm">
<font color="#009000"><strong>010: SECURITY FIX: February 5, 2004</strong></font>
<i>All architectures</i><br>
A reference counting bug exists in the
<a href="https://man.openbsd.org/OpenBSD-3.4/shmat.2">shmat(2)</a>
system call that could be used by an attacker to write to kernel memory
under certain circumstances.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/010_sysvshm.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="isakmpd">
<font color="#009000"><strong>009: SECURITY FIX: January 13, 2004</strong></font>
<i>All architectures</i><br>
Several message handling flaws in
<a href="https://man.openbsd.org/OpenBSD-3.4/isakmpd.8">isakmpd(8)</a>
have been reported by Thomas Walpuski. These allow an attacker to delete arbitrary SAs. The patch also
includes a reliability fix for a file descriptor leak that causes problems when a crypto card is
installed.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/009_isakmpd.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="sem">
<font color="#009000"><strong>008: RELIABILITY FIX: November 20, 2003</strong></font>
<i>All architectures</i><br>
An improper bounds check makes it possible for a local user to cause a crash
by passing the
<a href="https://man.openbsd.org/OpenBSD-3.4/semctl.2">semctl(2)</a> and
<a href="https://man.openbsd.org/OpenBSD-3.4/semop.2">semop(2)</a> functions
certain arguments.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/008_sem.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="uvm">
<font color="#009000"><strong>007: RELIABILITY FIX: November 20, 2003</strong></font>
<i>All architectures</i><br>
It is possible for a local user to cause a crash via
<a href="https://man.openbsd.org/OpenBSD-3.4/sysctl.3">sysctl(3)</a> with certain arguments.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/007_uvm.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="ibcs2">
<font color="#009000"><strong>006: SECURITY FIX: November 17, 2003</strong></font>
<i>i386 only</i><br>
It may be possible for a local user to overrun the stack in
<a href="https://man.openbsd.org/OpenBSD-3.4/compat_ibcs2.8">compat_ibcs2(8)</a>.<br>
ProPolice catches this, turning a potential privilege escalation into a denial
of service. iBCS2 emulation does not need to be enabled via
<a href="https://man.openbsd.org/OpenBSD-3.4/sysctl.8">sysctl(8)</a>
for this to happen.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.4/i386/006_ibcs2.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="exec">
<font color="#009000"><strong>005: RELIABILITY FIX: November 4, 2003</strong></font>
<i>All architectures</i><br>
It is possible for a local user to cause a system panic by executing a specially crafted binary with an invalid header.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/005_exec.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="httpd">
<font color="#009000"><strong>004: RELIABILITY FIX: November 1, 2003</strong></font>
<i>All architectures</i><br>
A user with write permission to <tt>httpd.conf</tt> or a <tt>.htaccess</tt>
file can crash
<a href="https://man.openbsd.org/OpenBSD-3.4/httpd.8">httpd(8)</a>
or potentially run arbitrary code as the user <tt>www</tt> (although it
is believed that ProPolice will prevent code execution).
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/004_httpd.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="arp">
<font color="#009000"><strong>003: RELIABILITY FIX: November 1, 2003</strong></font>
<i>All architectures</i><br>
It is possible for a local user to cause a system panic by flooding it with spoofed ARP
requests.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/003_arp.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="asn1">
<font color="#009000"><strong>002: SECURITY FIX: November 1, 2003</strong></font>
<i>All architectures</i><br>
The use of certain ASN.1 encodings or malformed public keys may allow an
attacker to mount a denial of service attack against applications linked with
<a href="https://man.openbsd.org/OpenBSD-3.4/ssl.3">ssl(3)</a>.
This does not affect OpenSSH.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/002_asn1.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="cd_booklet">
<font color="#009000"><strong>001: DOCUMENTATION FIX: November 1, 2003</strong></font>
<i>All architectures</i><br>
The CD insert documentation has an incorrect example for package installation.<br>
Where it is written:<p>
<strong>
# pkg_add https://ftp.openbsd.org/pub/OpenBSD/3.4/packages/i386</strong><p>
It should instead read:<p>
<strong>
# pkg_add https://ftp.openbsd.org/pub/OpenBSD/3.4/packages/i386/</strong><p>
The extra <strong>/</strong> at the end is important. We do not make
patch files available for things printed on paper.
<p>
</ul>
<hr>
</body>
</html>