<html lang=en id=errata>
<title>OpenBSD 5.7 Errata</title>
<meta name="description" content="the OpenBSD CD errata page">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="openbsd.css">
<link rel="canonical" href="https://www.openbsd.org/errata57.html">
<i>Open</i><b>BSD</b></a>
Patches for the OpenBSD base system are distributed as unified diffs.
Each patch is cryptographically signed with the
<a href="https://man.openbsd.org/OpenBSD-5.7/signify.1">signify(1)</a> tool and contains
All the following patches are also available in one
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.7.tar.gz">tar.gz file</a>
Patches for supported releases are also incorporated into the
<a href="stable.html">-stable branch</a>.
<li id="p001_sparc64_miniroot">
<strong>001: INSTALL ISSUE: May 1, 2015</strong>
<i>sparc64</i><br>
The "miniroot" install method is broken (related to the addition of
softraid support). This method is used by the official CD 3 as
well, so it fails to boot on sparc64 machines.
No patch is available for obvious reasons, so use a different install method.
<li id="p002_libxfont">
<strong>002: SECURITY FIX: March 18, 2015</strong>
<i>All architectures</i><br>
Buffer overflows in libXfont
For more information, see the
<a href="http://www.x.org/wiki/Development/Security/Advisory-2015-03-17/">X.org advisory</a>.
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/002_libxfont.patch.sig">
A source code patch exists which remedies this problem.</a>
<br>Note that the instructions should read <code>cd /usr/xenocara/lib/libXfont</code>.
<li id="p003_openssl">
<strong>003: SECURITY FIX: March 19, 2015</strong>
<i>All architectures</i><br>
Fix several crash-causing defects from OpenSSL.<br>
CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error<br>
CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp<br>
CVE-2015-0287 - ASN.1 structure reuse memory corruption<br>
CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref<br>
CVE-2015-0289 - PKCS7 NULL pointer dereferences<br>
Several other issues did not apply or were already fixed.<br>
For more information, see the
<a href="https://www.openssl.org/news/secadv_20150319.txt">OpenSSL advisory</a>.
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/003_openssl.patch.sig">
A source code patch exists which remedies this problem.</a>
<strong>004: RELIABILITY FIX: April 17, 2015</strong>
<i>All architectures</i><br>
Fix a logic error in smtpd handling of SNI.
This could allow a remote user to crash the server or provoke a disconnect of other sessions.
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/004_smtpd.patch.sig">
A source code patch exists which remedies this problem.</a>
<strong>005: RELIABILITY FIX: April 30, 2015</strong>
<i>All architectures</i><br>
A remote user can crash httpd by forcing the daemon to log to a file
before the logging system was initialized.
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/005_httpd.patch.sig">
A source code patch exists which remedies this problem.</a>
<strong>006: SECURITY FIX: April 30, 2015</strong>
<i>All architectures</i><br>
Malformed binaries could trigger kernel panics or be used to view kernel memory.
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/006_elf.patch.sig">
A source code patch exists which remedies this problem.</a>
<strong>007: SECURITY FIX: April 30, 2015</strong>
<i>All architectures</i><br>
Multiple issues in tar/pax/cpio:
<li>extracting a malicious archive could create files outside of
the current directory without using pre-existing symlinks to 'escape',
and could change the timestamps and modes on preexisting files
<li>tar without -P would permit extraction of paths with ".." components
<li>there was a buffer overflow in the handling of pax extension headers
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/007_tar.patch.sig">
A source code patch exists which remedies this problem.</a>
<strong>008: RELIABILITY FIX: June 11, 2015</strong>
<i>All architectures</i><br>
Fix multiple reliability issues in smtpd:
<li>a local user can cause smtpd to fail by writing an invalid imsg to control socket.
<li>a local user can prevent smtpd from serving new requests by exhausting descriptors.
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/008_smtpd.patch.sig">
A source code patch exists which remedies this problem.</a>
<li id="p009_openssl">
<strong>009: SECURITY FIX: June 11, 2015</strong>
<i>All architectures</i><br>
Fix several defects from OpenSSL:
<li>CVE-2015-1788 - Malformed ECParameters causes infinite loop
<li>CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
<li>CVE-2015-1792 - CMS verify infinite loop with unknown hash function
Note that CMS was already disabled in LibreSSL.
Several other issues did not apply or were already fixed and one is under review.<br>
For more information, see the
<a href="https://www.openssl.org/news/secadv_20150611.txt">OpenSSL advisory</a>.
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/009_openssl.patch.sig">
A source code patch exists which remedies this problem.</a>
<strong>010: SECURITY FIX: July 14, 2015</strong>
<i>All architectures</i><br>
A TCP socket can become confused and not properly clean up resources.
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/010_tcp_persist.patch.sig">
A source code patch exists which remedies this problem.</a>
<li id="p011_execve">
<strong>011: RELIABILITY FIX: July 26, 2015</strong>
<i>All architectures</i><br>
A kernel memory leak could be triggered by an unprivileged user in
a failure case when using execve under systrace.
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/011_execve.patch.sig">
A source code patch exists which remedies this problem.</a>
<strong>012: SECURITY FIX: July 26, 2015</strong>
<i>All architectures</i><br>
The patch utility could be made to invoke arbitrary commands via
the obsolete RCS support when processing a crafted input file.
This patch deletes the RCS support.
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/012_patch.patch.sig">
A source code patch exists which remedies this problem.</a>
<strong>013: SECURITY FIX: July 30, 2015</strong>
<i>All architectures</i><br>
The patch utility could become desynchronized when processing ed(1)-style diffs.
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/013_patch.patch.sig">
A source code patch exists which remedies this problem.</a>
<strong>014: SECURITY FIX: August 16, 2015</strong>
<i>All architectures</i><br>
A change to sshd resulted in incorrect permissions being applied to pseudo
terminal devices, allowing local users to write to (but not read from) them.
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/014_sshd.patch.sig">
A source code patch exists which remedies this problem.</a>
<li id="p015_relayd">
<strong>015: RELIABILITY FIX: September 28, 2015</strong>
<i>All architectures</i><br>
Various problems were identified in relayd and merged back from
current to 5.7 in this maintenance update.
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/015_relayd.patch.sig">
A source code patch exists which remedies this problem.</a>
<strong>016: RELIABILITY FIX: September 28, 2015</strong>
<i>All architectures</i><br>
An incorrect operation in uvm could result in system panics.
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/016_uvm.patch.sig">
A source code patch exists which remedies this problem.</a>
<strong>017: SECURITY FIX: October 1, 2015</strong>
<i>All architectures</i><br>
Fix multiple reliability and security issues in smtpd:<br>
<li>local and remote users could make smtpd crash or stop serving requests.
<li>a buffer overflow in the unprivileged, non-chrooted smtpd (lookup)
process could allow a local user to cause a crash or potentially
execute arbitrary code.
<li>a use-after-free in the unprivileged, non-chrooted smtpd (lookup)
process could allow a remote attacker to cause a crash or potentially
execute arbitrary code.
<li>hardlink and symlink attacks allowed a local user to unset chflags or
leak the first line of an arbitrary file.
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/017_smtpd.patch.sig">
A source code patch exists which remedies this problem.</a>
<li id="p018_kevent">
<strong>018: RELIABILITY FIX: October 14, 2015</strong>
<i>All architectures</i><br>
A problem with timer kevents could result in a kernel hang (local denial
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/018_kevent.patch.sig">
A source code patch exists which remedies this problem.</a>
<li id="p019_obj2txt">
<strong>019: RELIABILITY FIX: October 15, 2015</strong>
<i>All architectures</i><br>
The OBJ_obj2txt function in libcrypto contains a one byte buffer overrun
and memory leak, as reported by Qualys Security.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/019_obj2txt.patch.sig">
A source code patch exists which remedies this problem.</a>
<strong>020: RELIABILITY FIX: November 9, 2015</strong>
<i>All architectures</i><br>
Insufficient validation of RSN element group cipher values in 802.11
beacons and probe responses could result in system panics.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/020_rsn.patch.sig">
A source code patch exists which remedies this problem.</a>
<li id="p021_clientcert">
<strong>021: RELIABILITY FIX: Dec 3, 2015</strong>
<i>All architectures</i><br>
A NULL pointer dereference could be triggered by a crafted certificate sent to
services configured to verify client certificates on TLS/SSL connections.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/021_clientcert.patch.sig">
A source code patch exists which remedies this problem.</a>
<strong>022: SECURITY FIX: January 14, 2016</strong>
<i>All architectures</i><br>
Experimental roaming code in the ssh client could be tricked by a hostile sshd
server, potentially leaking key material. CVE-2016-0777 and CVE-2016-0778.
Prevent this problem immediately by adding the line "UseRoaming no" to
<b>/etc/ssh/ssh_config</b>.
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/022_ssh.patch.sig">
A source code patch exists which remedies this problem.</a>
<strong>023: SECURITY FIX: March 10, 2016</strong>
<i>All architectures</i><br>
<a href="https://www.openssh.com/txt/x11fwd.adv">
Lack of credential sanitization allows injection of commands to xauth(1).</a>
Prevent this problem immediately by not using the "X11Forwarding" feature
(which is disabled by default).
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/023_sshd.patch.sig">
A source code patch exists which remedies this problem.</a>
<li id="p024_in6bind">
<strong>024: SECURITY FIX: March 16, 2016</strong>
<i>All architectures</i><br>
Insufficient checks in IPv6 socket binding and UDP IPv6 option
processing allow a local user to send UDP packets with a source
(IPv6 address + port) already reserved by another user.
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/024_in6bind.patch.sig">
A source code patch exists which remedies this problem.</a>