OpenBSD Journal

Fixes for 2.9 and 3.0

Contributed by Dengue on from the proactive-security dept.

Patches for OpenBSD 3.0 are available for the following:
  • Patch02: sshd(8) is being upgraded from OpenSSH 3.0 to OpenSSH 3.0.1 to fix a few problems:
    • A security hole that may allow an attacker to partially authenticate if -- and only if -- the administrator has enabled KerberosV.
    • By default, OpenSSH KerberosV support only becomes active after KerberosV has been properly configured.
    • An excessive memory clearing bug (which we believe to be unexploitable) also exists, but since this may cause daemon crashes, we are providing a patch as well.
    • Various other non-critical fixes.
  • Patch03: (sparc64) Access to a CD drive on the PCI ultrasparc machines results in a continuous stream of bogus interrupt messages, causing great user anguish.
  • Patch04: (i386) Hifn7751 based cards may stop working on certain motherboards due to DMA errors.
  • Patch05: (macppc) Execution of Altivec instructions will crash the kernel.
  • Patch06: pf(4) was incapable of dealing with certain IPv6 ICMP packets, resulting in a crash.
  • Patch07: A security issue exists in the vi.recover script that may allow an attacker to remove arbitrary zero-length files, regardless of ownership.
Also new for OpenBSD 2.9 is:
  • Patch016: A security issue exists in the vi.recover script that may allow an attacker to remove arbitrary zero-length files, regardless of ownership.



Comments
  1. By Ed () none@please on mailto:none@please

    Hey! Theo said that CDs will start shipping before 10 Nov. Why?
    Maybe waiting some days before burning 3.0 will avoid 3.0 patch.
    Like WinXP, OpenBSD 3.0 also has a patch BEFORE RELEASE! Please Theo, don't go so quickly, think twice before. However, OpenBSD is always OpenBSD ;-) Anything could change it. Thanks.

    Comments
    1. By Alex de Haas () alex@purebsd.com on http://www.purebsd.com

      I think that's a quick judgement. Too quick if you'd ask me. I remember something on the mailing list about the fabrication process. That something went faster than expected and that there would be no point in delaying the delivery of the CDs.

    2. By Anonymous Coward () on

      so if he waited to tag 3.0 till today to pick up those extra bug fixes, what happens when we find another bug tomorrow? re-tag and delay shipment? what happens with the next bug, and the next bug? we could delay the 3.0 release indefinitely.

    3. By randomjoker () on

      If you check it out, BSD 2.11 is STILL taking patches.. I think they are beyond 400!

      I can only imagine trying to patch a pdp11 400 times... argh!

      Seeing as that code was released in like 1983-84, if you were to wait for the patches to stop, you would be STILL waiting!!!

  2. By Ian Linwood () ian@untouchable.org.uk on mailto:ian@untouchable.org.uk

    I get the feeling that 3.0 is out a tad too quickly. Seven patches already. With this kind of maintenance requirement, I'll not be upgrading from 2.9, but wait till the dust settles and see what future releases bring.

    This will also allow me to stick with IPF - a known quantity.

    Comments
    1. By niekze () niekze@yahoo.com on http://www.nothingkillsfaster.com

      I have no doubts about pf. Dhartmei knows what he is doing. It looks better than ipf from the information that I've read. But, your opinion is similar to mine. I usually wait 2 weeks after a release before I install on any 'production' machines. I'd say that many of the bugs in a release are found in that time.
      But I'd wonder about someone who would upgrade production machines within 2 weeks of a release for any OS. (as for Windoze releases, change that 2 weeks to 2 months...heheh)

  3. By Bent () on

    hmmm there aren't any patches on
    http://www.openbsd.org/errata.html
    for OpenBSD 3.0.

    So is that true?

  4. By Anonymous Coward () on

    OpenBSD almost always has patches made available for -release before the CD's are in anyone's hands. Why is this upsetting?

    No wait, you're right, they should sit on the fixes until the official release date so as not to upset the customers.

    Do you even bother reading the security+reliability fix reports? 90% of the ones I've seen since using OpenBSD (circa 2.5/2.6) have not directly affected me, either due to being related to hardware I don't own, programs I don't install, or configurations I don't use. Moreover, such an experience should be true of most people who run the default installs.

    Not to say there's no need to patch or keep current, but it should hardly be much of a kink in your life to apply some patches.

    Comments
    1. By Anonymous Coward () on

      The point is not how fast the patches are out, but a complete lack of QA. Look at the FreeBSD project, 4.4-RELEASE has been out for a couple months now, and there's NO updates required. Now THAT'S quality assurance. Geez, 7 patches already!

      Comments
      1. By Anonymous Coward () on

        just flame crap.
        I really enjoy running all *BSDs, but your comments are bullshit.
        Before opening your mouth, contribute and help.

        Comments
        1. By Anonymous Coward () on

          I actively contribute bug reports and fixes to various FreeBSD packages in ports that I use regularly and am an active member of various FreeBSD help forums/mailing lists. It's reasons like this that I'm really not interesting in supporting OpenBSD...well, that and Theo. ;-)

          Comments
          1. By Anonymous Coward () on

            How niiiiceee...
            Instead of dropping useless flames and wasting other people's time, try helping FreeBSD even more.
            Please don't waste our time with this kind of thread.
            We don't care.

          2. By ThomasJ () on

            > It's reasons like this that I'm really not interesting in supporting OpenBSD

            Oh my! Aren't you?
            Well, nice meeting you. Please greet the FreeBSD fellows, when you get back.

            Maybe we should visit the FreeBSD fora once in a while... Nah...

      2. By anomdebus () on

        You are comparing a rather mature release vs a 0 release. Give them a break, already!

        Comments
        1. By Ray () intangible@usa.net on mailto:intangible@usa.net

          Actually, no. As far as I know, OpenBSD does not go by the same numbering system that FreeBSD goes by. Each .1 increase in the number just marks another release, which goes out every 6 months. Hence, there ARE no "mature releases". Well... I suppose some could argue that every release IS a "mature release".

          Comments
          1. By Cindy () on www.junkware.2y.net

            mature? From what I have been reading, there is nothing mature being said, or done. Except for OpenBSD 3.0 being released. I am finding more and more that the politics, fans, users, etc surrounding anything (OpenBSD, FreeBSD (which I will never use again), NetBSD, Gnu, Microsoft, condoms, hats, shoes, films, music, etc) are getting more and more childish, and silly. After reading these posts, I am not sure if I should laugh, cry, or drop out of Comp Sci and never touch a keyboard again. OpenBSD, Austin, Theo, et al were some of the reasons why I stay with computers. And yes, Austin is one of my heroes, just do not tell him I wrote that. Maybe I should drop out, and become a neo-deadhead. Aw, hell if these silly posts continue, I will just start to wish that the world will be nuked. Yeah, yeah, that's the ticket, if the world got nuked we wouldn't have these comments. So, until that happens I will be doing like Phil Katz, and hanging with Mr. Daniels listening to Bowie. byte me

            --Cindy

            Comments
            1. By Ray () intangible@usa.net on mailto:intangible@usa.net

              I don't get it. Are you agreeing with me, or disagreeing with me?
              I don't think you understand what I was trying to say. I was just trying to say that the numbering scheme for OpenBSD is different from most other Unix software numbering schemes. I was trying to explain that there are no "mature releases" nor "minor releases" in the OpenBSD numbering scheme, there are just 6 month releases. I don't see what's so silly about my comments.
              Maybe my post would have made more sense if you read the post that I was replying to. Sorry if I offended you in any way.

              Comments
              1. By Cindy () on www.junkware.2y.net

                I understood what you meant.....I think you miss my point. I was commenting on all the posts. Not just yours. And to restate my point, I am fed up with all the crap that is going on. Not just with the post on this site. And not just with other posts on other sites. I am fed up with all the crap that is going on with computers, and the rest of the stuff in this world. I could write more...but this is not the place for my rants...

                byte me

                --Cindy

                Comments
                1. By Anonymous Coward () on

                  Welcome to the REAL WORLD. It's called "politics," and you'll find it regardless of the field that you're in. Deal with it like the rest of us do, and if you feel really brave, take a side that you like to argue.

                  Comments
                  1. By Cindy () on www.junkware.2y.net

                    You miss my point also, so byte me.

                    -- Cindy

                    Comments
                    1. By Anonymous Coward () on

                      No, he quite clearly responded to both your points. Please take your superiority complex elsewhere, m'kay?

                      Comments
                      1. By Cindy () on www.junkware.2y.net

                        Gee, it is neat to see how these comments have nothing to do with the topic.

                        --Cindy

                        Comments
                        1. By Ray () intangible@usa.net on mailto:intangible@usa.net

                          I guess these replies to your comments kind of prove the point you were trying to make, huh?

                          -Ray-

                          Comments
                          1. By fansipans () on http://dub.gmu.edu/~fansipans/

                            There's a really great King Missile song (the guy who did Detachable Penis) called "The Adventures of Planky". it's all about a plucky lump of plankton named Planky Smith, he goes off on an adventure, and meets a stick called Sticky who joins the adventure.
                            then they meet a monkey swinging on a tree (a half invisible monkey!) whose name is Monkey-y, but instead of joining on the adventure, Monkey-y just goes to swim in a puddle of stagnant water with some maggots (stagnant water!) and then the climax of the story unfolds (i don't want to give it away, it's an epic saga tale!)

                            um wait what were we talking about? sorry, got off track. check it out! good song "The Adventures of Planky"

                            --fansipans

      3. By Brent Graveland () bgraveland@hyperchip.com on mailto:bgraveland@hyperchip.com

        At the risk of causing even more flames:

        Is the lack of 4.4-release patches a sign of quality, or a sign that there is a lack of auditing?

        I'm quite happy to have patches released... I've been running 3.0 for a while now. I've ordered 20 CDs for my company, but why bother waiting for CDs to install? make build works fine for me.

        Just because the CDs have not arrived yet doesn't mean 3.0 isn't released.

        Comments
        1. By Anonymous Coward () on

          > Is the lack of 4.4-release patches a sign of quality, or a sign that there is a lack of auditing?

          As opposed to PF not working with ipv6 icmp? Speaking of lack of quality...

          Comments
          1. By Anonymous Coward () on

            Do you use ipf with ipv6?
            Do you know any packet filter which has all that pf has, and was built in less than 6 months?

            I've been using 3.0 for some time now, and I've had no problem with it.

            If you don't like OpenBSD, what are you doing here?

            Comments
            1. By Anonymous Coward () on

              > Do you use ipf with ipv6?

              Yes, I do.

              > Do you know any packet filter which has all that pf has, and build in less than 6 months?

              I think you've hit it on the head right there. Pf has only been around for 6 months, and not even that! I don't know about you, but I really am not going to entrust my network to a 6-month-old firewall.

              > If you don't like OpenBSD, what are you doing here?

              I do like OpenBSD, I think it's a great operating system, but I think there's a distinct lack of QA taking place in the hopes of rushing a release out the door on schedule. This is clearly evidenced by pages and pages of errata, most of which strike me as just plain stupid mistakes that were missed.

              Comments
              1. By Anonymous Coward () on

                http://www.freebsd.org/security/

                Comments
                1. By Anonymous Coward () on

                  http://www.freebsd.org/releases/4.4R/errata.html

                  Nothing. Compare.

                  Comments
                  1. By Anonymous Coward () on

                    No, comparison is good with 4.0

                    Comments
                    1. By Anonymous Coward () on

                      No it's not, 3.0 is effectively 2.10, there's nothing major in there.

              2. By Anonymous Coward () on

                go away mr. reed

              3. By Anonymous Coward () on

                Yeah sure, if everybody did like you, the first firewall would still be in test.

                I think you must like oldies which have a lot of security holes, don't you?

      4. By Anonymous Coward () on

        no patches would be indicative of a complete lack of QA. a significant number of patches is indicative of continual testing. would you like us to stop testing after we tag a release so you can get a warm tingly feeling inside that your machine has to be secure because there are no reported bugs?

        as to fbsd 4.4. freebsd does active development on 5.0 and backports heavily tested components to the 4.x tree. i don't consider 4.x to be releases, more of maintaining the old stable tree.

      5. By Roo () on

        Congrats to FreeBSD 4.4...

        Then again this little flurry of fixes around release time is normal for OpenBSD. Sure, it would be nice if it was right first time, but it's pretty good to have the patches there before the CD.

        The only real concern I have amongst the list of errata there is the pf/ipv6 one as it reminds us of pf's immaturity. It would have been nice to have an IPF->PF migration release, but sadly politics often gets in the way of the ideal solution...

        If I managed production machines, I would probably continue to run 2.9 on the firewalls and evaluate an upgrade to 3.0 (with patches of course) on internal servers.

        Quality is part of a continuous process, and perfection is elusive. Of course being a cynic, I never believe something's perfect. ;)

        Cheers,
        Rupert

        Comments
        1. By Marc Espie () espie@openbsd.org on mailto:espie@openbsd.org

          This is not politics, at least not on OpenBSD's part.

          The licence of IPF was not respected, and we couldn't respect it. So IPF was pulled out.

          I heard that Darren changed his licence then, very late... too late for OpenBSD 3.0.

          Not as if we had a real choice, if we wanted to do things by the book...

          Comments
          1. By Roo () on

            Ack, sorry Marc. You're right to straighten that out, politics is a dirty word.

            I'm damn glad that OpenBSD are as thorough about licensing as they are. Another good feature of OpenBSD: I don't have to worry too much about things being yanked out from underneath my preferred OS. It's tackled pro-actively.

            Now to wander off on a tangent...

            One thing which has impressed me about OpenBSD is that there doesn't seem to be any serious evidence of NIH syndrome. The IPF/PF switch is the exception which proves the rule, you guys switched because you had to.

            Code re-use = good. :)

            Keep up the good work, it's much appreciated! Especially by people who like to get work done rather than fight OSes & vendors. :)

            Cheers,
            Rupert.

      6. By Buck Pyland () buck@stlbsd.org on http://www.stlbsd.org/

        I believe the place you need to look is 4-STABLE. Any patches would, rightly, go there.

        "ARSE!" -- Jed the Tourette's Syndrome Taxidermist

    2. Comments
      1. By Cindy () on www.junkware.2y.net

        yep, you are right. If someone is not mature enough to take responsibility for what one writes, then he or she should be shot. Ok, maybe that would be a little extreme. Let's just make them use Microsoft products instead. :)

  5. By Punkball () punkball@ccs.neu.edu on mailto:punkball@ccs.neu.edu

    If something is broken, fix it! Don't whine about having to install a patch. #1 it's not hard and #2 it'll keep your system safe

    If you want unpatched systems or easy administration, try win2k...

  6. By Anonymous Coward () on

    At least they're actively finding them, besides, this is 3.0 not 3.9. Just like FreeBSD 4.0 when it came out, look at all the 'more serious' holes/patches they needed. This is a 'major' change, not a 'minor change' hence 3.0 vs 2.9.

    I'm glad they've at least found these, or whoever did, and they wrote patches before some malicious user can use them.

    Comments
    1. By Ray () intangible@usa.net on mailto:intangible@usa.net

      As I posted in a deeper thread, the numbers behind the decimal point are not significant. This could have been called 2.10 and it wouldn't have made a difference. 3.0 just marks that it is .1 greater than 2.9. Remember, evolutionary, not revolutionary.

      Comments
      1. By Anonymous Coward () on

        I have to disagree with that, 3.x vs 2.x is a major change, vs a minor change. else it would be 2.9.1. On the other hand 2.10 and 2.1 in decimal are the same.

        Comments
        1. By Ray () intangible@usa.net on mailto:intangible@usa.net

          What are you basing your claims on? When was the last time OpenBSD had a major change? When has OpenBSD released a minor change? (i.e. 2.9.1)
          Also, when I said 2.10, I meant it to read two point ten, not two point one.
          If you claim that this is a "major change", then what, exactly, was the major change? Replacing IPF with pf? sparc/64 port? Do those constitute "major" changes? Are these changes more "major" compared to a "minor change", such as 2.9, which include softupdates updates and dirpref code, and a port to the Apple Titanium Powerbook G4?

  7. By BluNereid () frank@blunereid.net on mailto:frank@blunereid.net

    I'm posting this here, in case anyone else has had problems with applying 002_ssh.patch.

    When I applied the patch, the patch ran just fine, then I had to go to /usr/src/usr.sbin/ssh and run 'make obj && make clean && make install'

    make obj and make clean work just fine, but when I ran make install, I got this error message:

    make install
    ===> lib
    ===> ssh
    install -c -s -o root -g bin -m 4555
    ssh /usr/bin
    install: ssh: No such file or directory
    *** Error code 71

    What I had to do, to fix it, was to run 'make', then 'make install'

    Has anyone else had problems with this before?

    b.t.w. I'm running OpenBSD 3.0-stable

    Comments
    1. By Anonymous Coward () on

      What you experienced was normal. You are supposed to run 'make' first and only after that 'make install'. 'make obj' and 'make clean' on the other hand are optional, but recommended.

    2. By Anonymous Coward () on

      Call me an idiot if you want, but coming from the FreeBSD world.. if I cvs update -rOPENBSD_2_9 won't that give me all the latest and greatest patches, such as this one and bring me to -stable as well?

      Comments
      1. By Anonymous Coward () on

        You are right, doing

        cd /usr/src ; cvs update -rOPENBSD_2_9 ; make build

        will do all that. The problem is that it takes a long time to do "make build" on slower systems. It takes about 30 hours on my Sparc-5 for example and only a few minutes if I want to patch the system instead of rebuilding everything.

        Another thing - you can patch the system on-line, while it's in production. Doing "make build" is not a good thing to do on a running server though.

    3. By BluNereid () on

      I was running OpenBSD 3.0-stable, 3 weeks old.

      My point is, which has already been addressed on misc@, that the instructions in the patch file were wrong!

      Also, I didn't ask, "what did I do wrong?" 'cause I already know what I had to do, I was just curious if other people experienced the same problem.

  8. By Anonymous Coward () on

    As has been stated by Theo in previous interviews and on the mailing lists, and in the FAQ, OpenBSD issues a release every six months. Theo has decided to increment version numbers every six months. So voilà! guess what gets released in June 2002? 3.1 and two years later, in June 2004? Why then it will be 3.5. So, 4.0 will come out in December 2006. As Theo has said, the development process is evolutionary, with thousands of small changes being incorporated between each release, and whatever happens to be the stable code near the time the tree freezes becomes the object for more testing and with minor fixes becomes the next release. Theo doesn't want to crank some version number just because some bell or whistle gets added. Writing code is enough work, without worrying about the equivalent of the auto industry's model years.

    So the code gets tested (not by enough of us, and developers can't check every possible combination), then it gets sent to the CD makers, and (that takes time) then it is available for shipping. During the time between code going Gold (ha! Microsoft terminology!) and shipping, what should everyone do? Remember this process is evolutionary, like grass growing. They keep checking and working, and when they fix things it gets put in the tree when it is unfrozen.

    The other BSDs do things their way, and there is very little in common in the way releases happen.

    Patches come out for things that need to be addressed instead of waiting for the next release. So cool down, and ask yourself, how can I help the process by testing snapshots and reporting bugs, instead of saying the code isn't stable.

    I'm just a user, buy CDs, and have had a few things fixed that I noticed were broken along the way, by posting a message to bugs@ or misc@. Recently it seems you need an asbestos monitor to read some of the mailing lists though....

  9. By Dave () dave@fatblokeforpopidol.co.uk on www.ratemypoo.com

    when the 3.0 folder appears on ftp sites will these patches already be applied? or do you have to apply them yourself?
