errata35.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>OpenBSD 3.5 Errata</title>
<meta name="description" content="the OpenBSD CD errata page">
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="openbsd.css">
<link rel="canonical" href="https://www.openbsd.org/errata35.html">
</head>

<!--
			IMPORTANT REMINDER
	IF YOU ADD A NEW ERRATUM, MAIL THE PATCH TO TECH AND ANNOUNCE
-->

<body bgcolor="#ffffff" text="#000000" link="#23238E">

<h2>
<a href="index.html">
<font color="#0000ff"><i>Open</i></font><font color="#000084">BSD</font></a>
<font color="#e00000">3.5 Errata</font>
</h2>
<hr>

For errata on a certain release, click below:<br>
<a href="errata21.html">2.1</a>,
<a href="errata22.html">2.2</a>,
<a href="errata23.html">2.3</a>,
<a href="errata24.html">2.4</a>,
<a href="errata25.html">2.5</a>,
<a href="errata26.html">2.6</a>,
<a href="errata27.html">2.7</a>,
<a href="errata28.html">2.8</a>,
<a href="errata29.html">2.9</a>,
<a href="errata30.html">3.0</a>,
<a href="errata31.html">3.1</a>,
<a href="errata32.html">3.2</a>,
<a href="errata33.html">3.3</a>,
<a href="errata34.html">3.4</a>,
<a href="errata36.html">3.6</a>,
<a href="errata37.html">3.7</a>,
<br>
<a href="errata38.html">3.8</a>,
<a href="errata39.html">3.9</a>,
<a href="errata40.html">4.0</a>,
<a href="errata41.html">4.1</a>,
<a href="errata42.html">4.2</a>,
<a href="errata43.html">4.3</a>,
<a href="errata44.html">4.4</a>,
<a href="errata45.html">4.5</a>,
<a href="errata46.html">4.6</a>,
<a href="errata47.html">4.7</a>,
<a href="errata48.html">4.8</a>,
<a href="errata49.html">4.9</a>,
<a href="errata50.html">5.0</a>,
<a href="errata51.html">5.1</a>,
<a href="errata52.html">5.2</a>,
<a href="errata53.html">5.3</a>,
<br>
<a href="errata54.html">5.4</a>,
<a href="errata55.html">5.5</a>,
<a href="errata56.html">5.6</a>,
<a href="errata57.html">5.7</a>,
<a href="errata58.html">5.8</a>,
<a href="errata59.html">5.9</a>,
<a href="errata60.html">6.0</a>,
<a href="errata61.html">6.1</a>,
<a href="errata62.html">6.2</a>,
<a href="errata63.html">6.3</a>,
<a href="errata64.html">6.4</a>.
<hr>

<p>
Patches for the OpenBSD base system are distributed as unified diffs.
Each patch contains usage instructions.
All the following patches are also available in one
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5.tar.gz">tar.gz file</a>
for convenience.

<p>
Patches for supported releases are also incorporated into the
<a href="stable.html">-stable branch</a>.

<hr>

<ul>
<li id="cvs4">
<font color="#009000"><strong>033: SECURITY FIX: April 28, 2005</strong></font>
&nbsp; <i>All architectures</i><br>
Fix a buffer overflow, memory leaks, and NULL pointer dereference in
<a href="https://man.openbsd.org/OpenBSD-3.5/cvs.1">cvs(1)</a>
. None of these issues are known to be exploitable.
<a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0753">CAN-2005-0753</a>
.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/033_cvs4.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="tcp2">
<font color="#009000"><strong>032: RELIABILITY FIX: April 4, 2005</strong></font>
&nbsp; <i>All architectures</i><br>
Handle an edge condition in
<a href="https://man.openbsd.org/OpenBSD-3.5/tcp.4">tcp(4)</a>
timestamps.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/032_tcp2.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="telnet">
<font color="#009000"><strong>031: SECURITY FIX: March 30, 2005</strong></font>
&nbsp; <i>All architectures</i><br>
Due to buffer overflows in
<a href="https://man.openbsd.org/OpenBSD-3.5/telnet.1">telnet(1)</a>
, a malicious server or man-in-the-middle attack could allow execution of
arbitrary code with the privileges of the user invoking
<a href="https://man.openbsd.org/OpenBSD-3.5/telnet.1">telnet(1)</a>
.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/031_telnet.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="sack">
<font color="#009000"><strong>030: RELIABILITY FIX: March 30, 2005</strong></font>
&nbsp; <i>All architectures</i><br>
Bugs in the
<a href="https://man.openbsd.org/OpenBSD-3.5/tcp.4">tcp(4)</a>
stack can lead to memory exhaustion or processing of TCP segments with
invalid SACK options and cause a system crash.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/030_sack.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="copy">
<font color="#009000"><strong>029: SECURITY FIX: March 16, 2005</strong></font>
&nbsp; <i>amd64 only</i><br>
More stringent checking should be done in the
<a href="https://man.openbsd.org/OpenBSD-3.5/copy.9">copy(9)</a>
functions to prevent their misuse.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/amd64/029_copy.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="locore">
<font color="#009000"><strong>028: SECURITY FIX: February 28, 2005</strong></font>
&nbsp; <i>i386 only</i><br>
More stringent checking should be done in the
<a href="https://man.openbsd.org/OpenBSD-3.5/copy.9">copy(9)</a>
functions to prevent their misuse.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/i386/028_locore.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="rtt">
<font color="#009000"><strong>027: RELIABILITY FIX: January 11, 2005</strong></font>
&nbsp; <i>All architectures</i><br>
A bug in the
<a href="https://man.openbsd.org/OpenBSD-3.5/tcp.4">tcp(4)</a>
stack allows an invalid argument to be used in calculating the TCP
retransmit timeout. By sending packets with specific values in the TCP
timestamp option, an attacker can cause a system panic.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/027_rtt.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="httpd3">
<font color="#009000"><strong>026: SECURITY FIX: January 12, 2005</strong></font>
&nbsp; <i>All architectures</i><br>
<a href="https://man.openbsd.org/OpenBSD-3.5/httpd.8">httpd(8)</a>
's mod_include module fails to properly validate the length of
user supplied tag strings prior to copying them to a local buffer,
causing a buffer overflow.
<br>
This would require enabling the XBitHack directive or server-side
includes and making use of a malicious document.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/026_httpd3.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="getcwd">
<font color="#009000"><strong>025: RELIABILITY FIX: January 6, 2005</strong></font>
&nbsp; <i>All architectures</i><br>
The
<a href="https://man.openbsd.org/OpenBSD-3.5/getcwd.3">getcwd(3)</a>
library function contains a memory management error, which causes failure
to retrieve the current working directory if the path is very long.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/025_getcwd.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="pfkey">
<font color="#009000"><strong>024: SECURITY FIX: December 14, 2004</strong></font>
&nbsp; <i>All architectures</i><br>
On systems running
<a href="https://man.openbsd.org/OpenBSD-3.5/isakmpd.8">isakmpd(8)</a>
it is possible for a local user to cause kernel memory corruption
and system panic by setting
<a href="https://man.openbsd.org/OpenBSD-3.5/ipsec.4">ipsec(4)</a>
credentials on a socket.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/024_pfkey.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="lynx">
<font color="#009000"><strong>023: RELIABILITY FIX: November 10, 2004</strong></font>
&nbsp; <i>All architectures</i><br>
Due to a bug in
<a href="https://man.openbsd.org/OpenBSD-3.5/lynx.1">lynx(1)</a>
it is possible for pages such as
<a href="http://lcamtuf.coredump.cx/mangleme/gallery/lynx_die1.html">this</a>
to cause
<a href="https://man.openbsd.org/OpenBSD-3.5/lynx.1">lynx(1)</a>
to exhaust memory and then crash when parsing such pages.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/023_lynx.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="pppd">
<font color="#009000"><strong>022: RELIABILITY FIX: November 10, 2004</strong></font>
&nbsp; <i>All architectures</i><br>
<a href="https://man.openbsd.org/OpenBSD-3.5/pppd.8">pppd(8)</a>
contains a bug that allows an attacker to crash his own connection, but it cannot
be used to deny service to other users.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/022_pppd.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="bind">
<font color="#009000"><strong>021: RELIABILITY FIX: November 10, 2004</strong></font>
&nbsp; <i>All architectures</i><br>
BIND contains a bug which results in BIND trying to contact nameservers via IPv6, even in
cases where IPv6 connectivity is non-existent. This results in unnecessary timeouts and
thus slow DNS queries.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/021_bind.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="radius">
<font color="#009000"><strong>020: SECURITY FIX: September 20, 2004</strong></font>
&nbsp; <i>All architectures</i><br>
Eilko Bos reported that radius authentication, as implemented by
<a href="https://man.openbsd.org/OpenBSD-3.5/login_radius.8">login_radius(8)</a>,
was not checking the shared secret used for replies sent by the radius server.
This could allow an attacker to spoof a reply granting access to the
attacker.  Note that OpenBSD does not ship with radius authentication enabled.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/020_radius.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="xpm">
<font color="#009000"><strong>019: SECURITY FIX: September 16, 2004</strong></font>
&nbsp; <i>All architectures</i><br>
Chris Evans reported several flaws (stack and integer overflows) in the
<a href="http://www.inria.fr/koala/lehors/xpm.html">Xpm</a>
library code that parses image files
(<a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0687">CAN-2004-0687</a>,
<a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0688">CAN-2004-0688</a>).
Some of these would be exploitable when parsing malicious image files in
an application that handles XPM images, if they could escape ProPolice.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/019_xpm.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="httpd2">
<font color="#009000"><strong>018: SECURITY FIX: September 10, 2004</strong></font>
&nbsp; <i>All architectures</i><br>
<a href="https://man.openbsd.org/OpenBSD-3.5/httpd.8">httpd(8)</a>
's mod_rewrite module can be made to write one zero byte in an arbitrary memory
position outside of a char array, causing a DoS or possibly buffer overflows.
This would require enabling dbm for mod_rewrite and making use of a malicious
dbm file.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/018_httpd2.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="libz">
<font color="#009000"><strong>017: RELIABILITY FIX: August 29, 2004</strong></font>
&nbsp; <i>All architectures</i><br>
Due to incorrect error handling in zlib an attacker could potentially cause a Denial
of Service attack.
<a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0797">CAN-2004-0797</a>
.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/017_libz.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="bridge">
<font color="#009000"><strong>016: RELIABILITY FIX: August 26, 2004</strong></font>
&nbsp; <i>All architectures</i><br>
As
<a href="https://marc.info/?l=bugtraq&amp;m=109345131508824&amp;w=2">reported</a>
by Vafa Izadinia
<a href="https://man.openbsd.org/OpenBSD-3.5/bridge.4">bridge(4)</a>
with IPsec processing enabled can be crashed remotely by a single ICMP echo traversing the bridge.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/016_bridge.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="icmp">
<font color="#009000"><strong>015: RELIABILITY FIX: August 25, 2004</strong></font>
&nbsp; <i>All architectures</i><br>
Improved verification of ICMP errors in order to minimize the impact of ICMP attacks
against TCP.
<br>
<a href="http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html">http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html</a>
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/015_icmp.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="rnd">
<font color="#009000"><strong>014: RELIABILITY FIX: July 25, 2004</strong></font>
&nbsp; <i>All architectures</i><br>
Under a certain network load the kernel can run out of stack space.  This was
encountered in an environment using CARP on a VLAN interface.  This issue initially
manifested itself as a FPU related crash on boot up.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/014_rnd.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="httpd">
<font color="#009000"><strong>013: SECURITY FIX: June 12, 2004</strong></font>
&nbsp; <i>All architectures</i><br>
Multiple vulnerabilities have been found in
<a href="https://man.openbsd.org/OpenBSD-3.5/httpd.8">httpd(8)</a>
/ mod_ssl.
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020">CAN-2003-0020</a>,
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0987">CAN-2003-0987</a>,
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488">CAN-2004-0488</a>,
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0492">CAN-2004-0492</a>.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/013_httpd.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="isakmpd">
<font color="#009000"><strong>012: SECURITY FIX: June 10, 2004</strong></font>
&nbsp; <i>All architectures</i><br>
As
<a href="http://seclists.org/lists/fulldisclosure/2004/Jun/0191.html">disclosed</a>
by Thomas Walpuski
<a href="https://man.openbsd.org/OpenBSD-3.5/isakmpd.8">isakmpd(8)</a>
is still vulnerable to unauthorized SA deletion.  An attacker can delete IPsec
tunnels at will.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/012_isakmpd.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="cvs3">
<font color="#009000"><strong>011: SECURITY FIX: June 9, 2004</strong></font>
&nbsp; <i>All architectures</i><br>
Multiple remote vulnerabilities have been found in the
<a href="https://man.openbsd.org/OpenBSD-3.5/cvs.1">cvs(1)</a>
server that allow an attacker to crash the server or possibly execute arbitrary
code with the same privileges as the CVS server program.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/011_cvs3.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="fifofs">
<font color="#009000"><strong>010: RELIABILITY FIX: June 9, 2004</strong></font>
&nbsp; <i>All architectures</i><br>
A FIFO bug was introduced in OpenBSD 3.5 that occurs when a FIFO is opened in
non-blocking mode for writing when there are no processes reading the FIFO.
One program affected by this is the <a href="http://www.qmail.org/">qmail</a>
mail server which could go into an infinite loop and consume all CPU.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/010_fifofs.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="kerberos">
<font color="#00900"><strong>009: SECURITY FIX: May 30, 2004</strong></font>
&nbsp; <i>All architectures</i><br>
A flaw in the Kerberos V
<a href="https://man.openbsd.org/OpenBSD-3.5/kdc">kdc(8)</a>
server could result in the administrator of a Kerberos realm having
the ability to impersonate any principal in any other realm which
has established a cross-realm trust with their realm. The flaw is due to
inadequate checking of the "transited" field in a Kerberos request. For
more details see <a href="http://www.pdc.kth.se/heimdal/advisory/2004-04-01/">
Heimdal's announcement</a>.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/009_kerberos.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="xdm">
<font color="#00900"><strong>008: SECURITY FIX: May 26, 2004</strong></font>
&nbsp; <i>All architectures</i><br>
With the introduction of IPv6 code in
<a href="https://man.openbsd.org/OpenBSD-3.5/xdm.1">xdm(1)</a>,
one test on the 'requestPort' resource was deleted by accident. This
makes xdm create the chooser socket even if xdmcp is disabled in
xdm-config, by setting requestPort to 0. See
<a href="http://bugs.xfree86.org/show_bug.cgi?id=1376">XFree86
bugzilla</a> for details.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/008_xdm.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="cvs2">
<font color="#009000"><strong>007: SECURITY FIX: May 20, 2004</strong></font>
&nbsp; <i>All architectures</i><br>
A heap overflow in the
<a href="https://man.openbsd.org/OpenBSD-3.5/cvs.1">cvs(1)</a>
server has been discovered that can be exploited by clients sending
malformed requests, enabling these clients to run arbitrary code
with the same privileges as the CVS server program.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/007_cvs2.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="procfs">
<font color="#009000"><strong>006: SECURITY FIX: May 13, 2004</strong></font>
&nbsp; <i>All architectures</i><br>
Check for integer overflow in procfs.  Use of procfs is not recommended.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/006_procfs.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="tcp">
<font color="#009000"><strong>005: RELIABILITY FIX: May 6, 2004</strong></font>
&nbsp; <i>All architectures</i><br>
Reply to in-window SYN with a rate-limited ACK.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/005_tcp.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="scsi">
<font color="#009000"><strong>004: RELIABILITY FIX: May 5, 2004</strong></font>
&nbsp; <i>All architectures</i><br>
Restore the ability to negotiate tags/wide/sync with some SCSI controllers ( i.e.
<a href="https://man.openbsd.org/OpenBSD-3.5/siop.4">siop(4)</a>,
<a href="https://man.openbsd.org/OpenBSD-3.5/trm.4">trm(4)</a>,
<a href="https://man.openbsd.org/OpenBSD-3.5/iha.4">iha(4)</a>
).
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/004_scsi.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="gdt">
<font color="#009000"><strong>003: RELIABILITY FIX: May 5, 2004</strong></font>
&nbsp; <i>All architectures</i><br>
Under load "recent model"
<a href="https://man.openbsd.org/OpenBSD-3.5/gdt.4">gdt(4)</a>
controllers will lock up.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/003_gdt.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="cvs">
<font color="#009000"><strong>002: SECURITY FIX: May 5, 2004</strong></font>
&nbsp; <i>All architectures</i><br>
Pathname validation problems have been found in
<a href="https://man.openbsd.org/OpenBSD-3.5/cvs.1">cvs(1)</a>,
allowing malicious clients to create files outside the repository, allowing
malicious servers to overwrite files outside the local CVS tree on
the client and allowing clients to check out files outside the CVS
repository.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/002_cvs.patch">
A source code patch exists which remedies this problem.</a>
<p>
<li id="autobook_package">
<font color="#009000"><strong>001: BROKEN PACKAGE ON CD: May 4, 2004</strong></font>&nbsp; <i>macppc only</i><br>
The powerpc autobook-1.3.tgz package found on CD2 has been found to be corrupt,
and will not extract.
A replacement package can be found on the ftp sites.
<p>

</ul>

<hr>

</body>
</html>