errata37.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>OpenBSD 3.7 Errata</title>
<meta name="description" content="the OpenBSD CD errata page">
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="openbsd.css">
<link rel="canonical" href="https://www.openbsd.org/errata37.html">
</head>

<!--
			IMPORTANT REMINDER
	IF YOU ADD A NEW ERRATUM, MAIL THE PATCH TO TECH AND ANNOUNCE
-->

<body bgcolor="#ffffff" text="#000000" link="#23238E">

<h2>
<a href="index.html">
<font color="#0000ff"><i>Open</i></font><font color="#000084">BSD</font></a>
<font color="#e00000">3.7 Errata</font>
</h2>
<hr>

For errata on a certain release, click below:<br>
<a href="errata21.html">2.1</a>,
<a href="errata22.html">2.2</a>,
<a href="errata23.html">2.3</a>,
<a href="errata24.html">2.4</a>,
<a href="errata25.html">2.5</a>,
<a href="errata26.html">2.6</a>,
<a href="errata27.html">2.7</a>,
<a href="errata28.html">2.8</a>,
<a href="errata29.html">2.9</a>,
<a href="errata30.html">3.0</a>,
<a href="errata31.html">3.1</a>,
<a href="errata32.html">3.2</a>,
<a href="errata33.html">3.3</a>,
<a href="errata34.html">3.4</a>,
<a href="errata35.html">3.5</a>,
<a href="errata36.html">3.6</a>,
<br>
<a href="errata38.html">3.8</a>,
<a href="errata39.html">3.9</a>,
<a href="errata40.html">4.0</a>,
<a href="errata41.html">4.1</a>,
<a href="errata42.html">4.2</a>,
<a href="errata43.html">4.3</a>,
<a href="errata44.html">4.4</a>,
<a href="errata45.html">4.5</a>,
<a href="errata46.html">4.6</a>,
<a href="errata47.html">4.7</a>,
<a href="errata48.html">4.8</a>,
<a href="errata49.html">4.9</a>,
<a href="errata50.html">5.0</a>,
<a href="errata51.html">5.1</a>,
<a href="errata52.html">5.2</a>,
<a href="errata53.html">5.3</a>,
<br>
<a href="errata54.html">5.4</a>,
<a href="errata55.html">5.5</a>,
<a href="errata56.html">5.6</a>,
<a href="errata57.html">5.7</a>,
<a href="errata58.html">5.8</a>,
<a href="errata59.html">5.9</a>,
<a href="errata60.html">6.0</a>,
<a href="errata61.html">6.1</a>,
<a href="errata62.html">6.2</a>,
<a href="errata63.html">6.3</a>,
<a href="errata64.html">6.4</a>.
<hr>

<p>
Patches for the OpenBSD base system are distributed as unified diffs.
Each patch contains usage instructions.
All the following patches are also available in one
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.7.tar.gz">tar.gz file</a>
for convenience.

<p>
Patches for supported releases are also incorporated into the
<a href="stable.html">-stable branch</a>.

<hr>

<ul>

<li id="xorg">
<font color="#009000"><strong>013: SECURITY FIX: May 2, 2006</strong></font>
&nbsp; <i>All architectures</i><br>
A security vulnerability has been found in the X.Org server --
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1526">CVE-2006-1526</a>.
Clients authorized to connect to the X server are able to crash it and to execute
malicious code within the X server.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.7/common/013_xorg.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="sendmail">
<font color="#009000"><strong>012: SECURITY FIX: March 25, 2006</strong></font>
&nbsp; <i>All architectures</i><br>
A race condition has been reported to exist in the handling by sendmail of
asynchronous signals. A remote attacker may be able to execute arbitrary code with the
privileges of the user running sendmail, typically root.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.7/common/012_sendmail.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="ssh">
<font color="#009000"><strong>011: SECURITY FIX: February 12, 2006</strong></font>
&nbsp; <i>All architectures</i><br>
Josh Bressers has reported a weakness in OpenSSH caused due to the insecure use of the
<a href="https://man.openbsd.org/OpenBSD-3.7/system.3">system(3)</a>
function in
<a href="https://man.openbsd.org/OpenBSD-3.7/scp.1">scp(1)</a>
when performing copy operations using filenames that are supplied by the user from the command line.
This can be exploited to execute shell commands with privileges of the user running
<a href="https://man.openbsd.org/OpenBSD-3.7/scp.1">scp(1)</a>.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.7/common/011_ssh.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="i386machdep">
<font color="#009000"><strong>010: RELIABILITY FIX: January 13, 2006</strong></font>
&nbsp; <i>i386 architecture</i><br>
Constrain
<a href="https://man.openbsd.org/OpenBSD-3.7/i386/i386_set_ioperm.2">i386_set_ioperm(2)</a>
so even root is blocked from accessing the ioports
unless the machine is running at lower securelevels or with an open X11 aperture.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.7/i386/010_i386machdep.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="i386pmap">
<font color="#009000"><strong>009: RELIABILITY FIX: January 13, 2006</strong></font>
&nbsp; <i>i386 architecture</i><br>
Change the implementation of i386 W^X so that the "execute line" can move around.
Before it was limited to being either at 512MB (below which all code normally
lands) or at the top of the stack. Now the line can float as
<a href="https://man.openbsd.org/OpenBSD-3.7/mprotect.2">mprotect(2)</a>
and
<a href="https://man.openbsd.org/OpenBSD-3.7/mmap.2">mmap(2)</a>
requests need it to. This is now implemented using only GDT selectors
instead of the LDT so that it is more robust as well.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.7/i386/009_i386pmap.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="fd">
<font color="#009000"><strong>008: SECURITY FIX: January 5, 2006</strong></font>
&nbsp; <i>All architectures</i><br>
Do not allow users to trick suid programs into re-opening files via /dev/fd.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.7/common/008_fd.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="perl">
<font color="#009000"><strong>007: SECURITY FIX: January 5, 2006</strong></font>
&nbsp; <i>All architectures</i><br>
A buffer overflow has been found in the Perl interpreter with the sprintf function which
may be exploitable under certain conditions.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.7/common/007_perl.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="nat-t">
<font color="#009000"><strong>006: RELIABILITY FIX: November 5, 2005</strong></font>
&nbsp; <i>All architectures</i><br>
Due to wrong advertisement of RFC 3947 compliance interoperability problems with
<a href="https://man.openbsd.org/OpenBSD-3.7/isakmpd.8">isakmpd(8)</a>
may occur.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.7/common/006_nat-t.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="libz2">
<font color="#009000"><strong>005: SECURITY FIX: July 21, 2005</strong></font>
&nbsp; <i>All architectures</i><br>
A buffer overflow has been found in
<a href="https://man.openbsd.org/OpenBSD-3.7/compress.3">compress(3)</a>
which may be exploitable.<br>
Please note that this fixes a different buffer overflow than the <a href="#libz">previous</a> zlib patch.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.7/common/005_libz.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="libz">
<font color="#009000"><strong>004: SECURITY FIX: July 6, 2005</strong></font>
&nbsp; <i>All architectures</i><br>
A buffer overflow has been found in
<a href="https://man.openbsd.org/OpenBSD-3.7/compress.3">compress(3)</a>
which may be exploitable.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.7/common/004_libz.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="sudo">
<font color="#009000"><strong>003: SECURITY FIX: June 20, 2005</strong></font>
&nbsp; <i>All architectures</i><br>
Due to a race condition in its command pathname handling, a user with
<a href="https://man.openbsd.org/OpenBSD-3.7/sudo.8">sudo(8)</a>
privileges may be able to run arbitrary commands if the user's entry
is followed by an entry that grants <tt>sudo ALL</tt> privileges to
another user.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.7/common/003_sudo.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="getsockopt">
<font color="#009000"><strong>002: RELIABILITY FIX: June 15, 2005</strong></font>
&nbsp; <i>All architectures</i><br>
As discovered by Stefan Miltchev calling
<a href="https://man.openbsd.org/OpenBSD-3.7/getsockopt.2">getsockopt(2)</a>
to get
<a href="https://man.openbsd.org/OpenBSD-3.7/ipsec.4">ipsec(4)</a>
credentials for a socket can result in a kernel panic.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.7/common/002_getsockopt.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="cvs">
<font color="#009000"><strong>001: SECURITY FIX: June 7, 2005</strong></font>
&nbsp; <i>All architectures</i><br>

Fix a buffer overflow, memory leaks, and NULL pointer dereference in
<a href="https://man.openbsd.org/OpenBSD-3.7/cvs.1">cvs(1)</a>
. None of these issues are known to be exploitable.
<a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0753">CAN-2005-0753</a>
.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.7/common/001_cvs.patch">
A source code patch exists which remedies this problem.</a>
<p>

</ul>

<hr>

</body>
</html>