$erdelynet: binpatch.txt,v 1.32 2008/07/30 18:07:09 mike Exp $

Gerardo Santana came up with Binpatch to keep many OpenBSD systems up to date without having to compile updates on each OpenBSD box or having to do an upgrade to release(8).
I maintain binpatches for the systems I maintain. After a new release, I create binpatches for the previous release until I’ve upgraded all of my machines to the new release. I do not build xenocara binpatches because binpatch does not support that (for now).
For our first Capital Area BSD Users Group (CapBUG) meeting, I gave a presentation about binpatch.
Please note that these binpatches are ONLY supported by me. Do not go to *@openbsd.org for support. Do not go to Gerardo for support. They are released under the BSD License.
At this time, I maintain OpenBSD 4.3 (i386, amd64, sparc64) and OpenBSD 4.2 (i386, amd64, sparc64) binpatches:
- 4.3
  - Checksums are available for binpatches, Makefile and bsd.binpatch.mk.
  - 005_pcb: RELIABILITY FIX: July 29, 2008:
    Some kinds of IPv6 usage would leak kernel memory (in particular, this path was exercised by the named(8) patch for port randomization). Since INET6 is enabled by default, this condition affects all systems.
    Binpatches: [i386], [amd64], [sparc64]
  - 004_bind: SECURITY FIX: July 23, 2008:
    A vulnerability has been found with BIND. An attacker could use this vulnerability to poison the cache of a recursive resolving name server. (CVE-2008-1447)
    Binpatches: [i386], [amd64], [sparc64]
  - 002_openssh2: SECURITY FIX: April 3, 2008:
    Avoid possible hijacking of X11-forwarded connections with sshd(8) by refusing to listen on a port unless all address families bind successfully.
    Binpatches: [i386], [amd64], [sparc64]
  - 001_openssh: SECURITY FIX: March 30, 2008:
    sshd(8) would execute ~/.ssh/rc even when a sshd_config(5) ForceCommand directive was in effect, allowing users with write access to this file to execute arbitrary commands. This behaviour was documented, but was an unsafe default and an extra hassle for administrators.
    Binpatches: [i386], [amd64], [sparc64]
- 4.2
  - Checksums are available for binpatches, Makefile and bsd.binpatch.mk.
  - 014_pcb: RELIABILITY FIX: July 29, 2008:
    Some kinds of IPv6 usage would leak kernel memory (in particular, this path was exercised by the named(8) patch for port randomization). Since INET6 is enabled by default, this condition affects all systems.
    Binpatches: [i386], [amd64], [sparc64]
  - 013_bind: SECURITY FIX: July 23, 2008:
    A vulnerability has been found with BIND. An attacker could use this vulnerability to poison the cache of a recursive resolving name server. (CVE-2008-1447)
    Binpatches: [i386], [amd64], [sparc64]
  - 011_openssh2: SECURITY FIX: April 3, 2008:
    Avoid possible hijacking of X11-forwarded connections with sshd(8) by refusing to listen on a port unless all address families bind successfully.
    Binpatches: [i386], [amd64], [sparc64]
  - 010_openssh: SECURITY FIX: March 30, 2008:
    sshd(8) would execute ~/.ssh/rc even when a sshd_config(5) ForceCommand directive was in effect, allowing users with write access to this file to execute arbitrary commands. This behaviour was documented, but was an unsafe default and an extra hassle for administrators.
    Binpatches: [i386], [amd64], [sparc64]
  - 009_ppp: SECURITY FIX: March 7, 2008:
    Buffer overflow in ppp command prompt parsing.
    Binpatches: [i386], [amd64], [sparc64]
  - 008_ip6rthdr: RELIABILITY FIX: February 25, 2008:
    Malformed IPv6 routing headers can cause a kernel panic.
    Binpatches: [i386], [amd64], [sparc64]
  - 007_tcprespond: RELIABILITY FIX: February 22, 2008:
    Incorrect assumptions in tcp_respond can lead to a kernel panic.
    Binpatches: [i386], [amd64], [sparc64]
  - 005_ifrtlabel: RELIABILITY FIX: January 11, 2008:
    A missing NULL pointer check can lead to a kernel panic.
    Binpatches: [i386], [amd64], [sparc64]
  - 004_pf: RELIABILITY FIX: November 27, 2007:
    A memory leak in pf can lead to machine lockups.
    Binpatches: [i386], [amd64], [sparc64]
  - 003_i386_boot: CD BOOT FAILURE ON OLDER COMPUTERS: October 30, 2007:
    Some older BIOSes are unable to boot CD1. Work around by using CD2, press space at the boot> prompt, insert CD1 and type "boot /4.2/i386/bsd.rd"
  - 002_openssl: SECURITY FIX: October 10, 2007:
    The SSL_get_shared_ciphers() function in OpenSSL contains an off-by-one overflow.
    Binpatches: [i386], [amd64], [sparc64]
  - 001_dhcpd: SECURITY FIX: October 9, 2007:
    Malicious DHCP clients could cause dhcpd(8) to corrupt its stack.
    A DHCP client that claimed to require a maximum message size less than the minimum IP MTU could cause dhcpd(8) to overwrite stack memory.
    Binpatches: [i386], [amd64], [sparc64]