OpenBSD Journal

Patch available for local root exploit

Contributed by Dengue on from the format-string-bugs-bite-again dept.

There is a new patch available to correct a local root exploit in chpass. All systems with local users are advised to update immediately. As a work-around, until your system can be patched, it is recommended that you run:

# chmod u-s /usr/bin/chpass

As always, instructions for patching your system are contained in the patch itself. This affects OpenBSD 2.7 and presumably prior versions as well. Users of -current after July 1 are safe.

Exploits in the wild for this bug became known on October 2.
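
To confirm the work-around took effect, the check below reports any path that still carries the set-user-ID bit. It is an added example, not part of the original post or the OpenBSD patch; the function name still_setuid is made up here.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenBSD patch).
# still_setuid is a name made up for this sketch.
#
# Prints each given path that still carries the set-user-ID bit.
# Returns 0 when none do (work-around in place), 1 otherwise.
still_setuid() {
    found=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            # A missing binary cannot be exploited; note it and move on.
            echo "skip: $f does not exist" >&2
        elif [ -u "$f" ]; then
            echo "$f"
            found=1
        fi
    done
    return "$found"
}

# Check the binary named in the advisory.
if still_setuid /usr/bin/chpass; then
    echo "chpass: setuid bit not set"
else
    echo "chpass: setuid bit still set, run: chmod u-s /usr/bin/chpass"
fi
```

With the bit removed, chpass can no longer update the password database for unprivileged users, so only root can use it until the patch is applied.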

(Comments are closed)

  1. By jslag () on

    "Only one localhost hole in two years..." doesn't sound quite as good as "Two years without a localhost hole", but I give the team big points for honesty.

  2. By sessya () on

    From securityfocus it is said that the affected code is part of a

    Is chpass the only application that uses this library? Or are there
    any others?

    I am currently setting up a server that will handle email, and act
    as a bastion. I am going to use OBSD 2.7.

    Also, are the OBSD2.8 snapshots stable enough for a production
    server? The OBSD2.8 branch is not affected according to securityfocus.


