OpenBSD 43 Errata

013 RELIABILITY 013_pf

April 11, 2009

When pf attempts to perform translation on a specially crafted IP datagram, a null pointer dereference will occur, resulting in a kernel panic. In certain configurations this may be triggered by a remote attacker.
Restricting translation rules to protocols that are specific to the IP version in use, is an effective workaround until the patch can be installed. As an example, for IPv4 nat/binat/rdr rules you can use:

     nat/rdr ... inet proto { tcp udp icmp } ...

Or for IPv6 nat/binat/rdr rules you can use:

     nat/rdr ... inet6 proto { tcp udp icmp6 } ...

A source code patch exists which remedies this problem.

012 RELIABILITY 012_openssl

April 8, 2009

The OpenSSL ASN.1 handling code could be forced to perform invalid memory accesses through the use of certain invalid strings (CVE-2009-0590) or under certain error conditions triggerable by invalid ASN.1 structures (CVE-2009-0789). These vulnerabilities could be exploited to achieve a denial-of-service. A more detailed description of these problems is available in the OpenSSL security advisory, but note that the other issue described there "Incorrect Error Checking During CMS verification" relates to code not enabled in OpenBSD.
A source code patch exists which remedies this problem.

011 SECURITY 011_sudo

February 22, 2009

sudo(8) may allow a user listed in the sudoers file to run a command as a different user than their access rule specifies when a Unix group is used in the RunAs portion of the rule. The bug only manifests when the user being granted privileges is also a member of the group in the RunAs portion of the rule.
A source code patch exists which remedies this problem.

010 RELIABILITY 010_bgpd

February 18, 2009

bgpd(8) did not correctly prepend its own AS to very long AS paths, causing the process to terminate because of the resulting corrupt path.
A source code patch exists which remedies this problem.

009 RELIABILITY 009_bgpd

January 30, 2009

Upon reception of an invalid update with 4-byte AS attributes, bgpd - adhering to the RFCs - closed the session to the neighbor. This error in the specification allowed 3rd parties to close remote BGP sessions. In the worst case Internet connectivity could be lost.
A source code patch exists which remedies this problem.

008 SECURITY 008_bind

January 14, 2009

named(8) did not correctly check the return value of a DSA verification function, potentially allowing bypass of verification of DNSSEC DSA signatures. CVE-2009-0025.
A source code patch exists which remedies this problem.

007 SECURITY 007_openssl

January 9, 2009

The OpenSSL libraries did not correctly check the return value from certain verification functions, allowing validation to be bypassed and permitting a remote attacker to conduct a "man in the middle attack" against SSL/TLS connections if the server is configured with a DSA or ECDSA certificate. CVE-2008-5077.
A source code patch exists which remedies this problem.

006 SECURITY 006_ndp

October 2, 2008

The Neighbor Discovery Protocol (ndp) did not correctly verify neighbor solicitation requests maybe allowing a nearby attacker to intercept traffic. The attacker must have IPv6 connectivity to the same router as their target for this vulnerability to be exploited. CVE-2008-2476.
A source code patch exists which remedies this problem.

005 RELIABILITY 005_pcb

July 29, 2008

Some kinds of IPv6 usage would leak kernel memory (in particular, this path was exercised by the named(8) patch for port randomization). Since INET6 is enabled by default, this condition affects all systems.
A source code patch exists which remedies this problem.

004 SECURITY 004_bind

July 23, 2008

2nd revision, July 23, 2008
A vulnerability has been found with BIND. An attacker could use this vulnerability to poison the cache of a recursive resolving name server. CVE-2008-1447.
A source code patch exists which remedies this problem.

003 SECURITY 003_xorg

July 15, 2008

Multiple vulnerabilities have been discovered in X.Org.
RENDER Extension heap buffer overflow, RENDER Extension crash, RENDER Extension memory corruption, MIT-SHM arbitrary memory read, RECORD and Security extensions memory corruption. CVE-2008-2360, CVE-2008-2361, CVE-2008-2362, CVE-2008-1379, CVE-2008-1377.
A source code patch exists which remedies this problem.

002 SECURITY 002_openssh2

April 3, 2008

Avoid possible hijacking of X11-forwarded connections with sshd(8) by refusing to listen on a port unless all address families bind successfully.
A source code patch exists which remedies this problem.

001 SECURITY 001_openssh

March 30, 2008

sshd(8) would execute ~/.ssh/rc even when a sshd_config(5) ForceCommand directive was in effect, allowing users with write access to this file to execute arbitrary commands. This behaviour was documented, but was an unsafe default and an extra hassle for administrators.
A source code patch exists which remedies this problem.