Bugtraq mailing list archives
Re: New OpenBSD patches
From: deraadt () CVS OPENBSD ORG (Theo de Raadt)
Date: Sun, 28 May 2000 19:09:43 -0600
Disclaimer: I am not an OpenBSD developer; I'm just a user. There were two security patches released for OpenBSD 2.6 on May 25. From http://www.openbsd.org/errata26.html: ----- 023: SECURITY FIX: May 25, 2000 A misuse of ipf(8) keep-state rules can result in firewall rules being bypassed. This patch also includes fixes for an unaligned timestamp issue, and reliability fixes for ipmon and the in-kernel ftp proxy. A jumbo patch exists, which remedies this problem, and updates ipf to version 3.3.16.
It's a funny security problem. You have to misconfigure ipf to run into this problem. This problem has already been talked about on BUGTRAQ, since it affects many operating systems.
022: SECURITY FIX: May 25, 2000 xlockmore has a localhost attack against it which allows recovery of the encrypted hash of the root password. The damage to systems using DES passwords from this attack is pretty heavy, but to systems with a well-chosen root password under blowfish encoding (see crypt(3)) the impact is much reduced. (Aside: We do not consider this a localhost root hole in the default install, since we have not seen a fast blowfish cracker yet ;-) A source code patch exists, which remedies this problem.
This has not been reported yet for a funny reason. It affects a wide variety of operating systems -- but as I describe, as far as I know all other system using xlockmore fare worse than we do. I've been waiting for NAI to publish about it, but in the meantime a patch is available.. I really did not want to steal their thunder, but we had this patch quite a while back.
I have no idea if these issues are present in these programs on other operating systems (*BSD, Linux, *nix...) or if they are OpenBSD-specific. (OpenBSD, to my knowledge, doesn't announce their patches anywhere except on their Web page. Users appear to be expected to either check the Web page frequently, track the development tree, or use some other mechanism to keep abreast of patches. This is not a complaint on my part; this is merely an explanation as to why I'm posting this to Bugtraq.)
I agree that we should do something more about it. I have only one defense. It would be a list we wouldn't need to post to often ;-)
Current thread:
- New OpenBSD patches Richard Trott (May 28)
- Re: New OpenBSD patches Theo de Raadt (May 28)