Bugtraq mailing list archives
New OpenBSD patches
From: trott () SLOWPOISONERS COM (Richard Trott)
Date: Sun, 28 May 2000 10:06:20 -0700
Disclaimer: I am not an OpenBSD developer; I'm just a user. There were two security patches released for OpenBSD 2.6 on May 25. From http://www.openbsd.org/errata26.html: ----- 023: SECURITY FIX: May 25, 2000 A misuse of ipf(8) keep-state rules can result in firewall rules being bypassed. This patch also includes fixes for an unaligned timestamp issue, and reliability fixes for ipmon and the in-kernel ftp proxy. A jumbo patch exists, which remedies this problem, and updates ipf to version 3.3.16. 022: SECURITY FIX: May 25, 2000 xlockmore has a localhost attack against it which allows recovery of the encrypted hash of the root password. The damage to systems using DES passwords from this attack is pretty heavy, but to systems with a well-chosen root password under blowfish encoding (see crypt(3)) the impact is much reduced. (Aside: We do not consider this a localhost root hole in the default install, since we have not seen a fast blowfish cracker yet ;-) A source code patch exists, which remedies this problem. ----- I have no idea if these issues are present in these programs on other operating systems (*BSD, Linux, *nix...) or if they are OpenBSD-specific. (OpenBSD, to my knowledge, doesn't announce their patches anywhere except on their Web page. Users appear to be expected to either check the Web page frequently, track the development tree, or use some other mechanism to keep abreast of patches. This is not a complaint on my part; this is merely an explanation as to why I'm posting this to Bugtraq.)
Current thread:
- New OpenBSD patches Richard Trott (May 28)
- Re: New OpenBSD patches Theo de Raadt (May 28)