Bugtraq mailing list archives

Re: New OpenBSD patches


From: deraadt () CVS OPENBSD ORG (Theo de Raadt)
Date: Sun, 28 May 2000 19:09:43 -0600


> Disclaimer:  I am not an OpenBSD developer; I'm just a user.
> 
> There were two security patches released for OpenBSD 2.6 on May 25.  From
> http://www.openbsd.org/errata26.html:

> -----
> 
> 023: SECURITY FIX: May 25, 2000
>       A misuse of ipf(8) keep-state rules can result in firewall rules
> being bypassed. This patch also includes fixes for an unaligned timestamp
> issue, and reliability fixes for ipmon and the in-kernel ftp proxy.  A
> jumbo patch exists, which remedies this problem, and updates ipf to
> version 3.3.16.

It's a funny security problem.  You have to misconfigure ipf to run
into this problem.  This problem has already been talked about on
BUGTRAQ, since it affects many operating systems.

> 022: SECURITY FIX: May 25, 2000
>       xlockmore has a localhost attack against it which allows recovery of
> the encrypted hash of the root password. The damage to systems using DES
> passwords from this attack is pretty heavy, but to systems with a
> well-chosen root password under blowfish encoding (see crypt(3)) the
> impact is much reduced.  (Aside: We do not consider this a localhost root
> hole in the default install, since we have not seen a fast blowfish
> cracker yet ;-)
>       A source code patch exists, which remedies this problem.

This has not been reported yet for a funny reason.  It affects a wide
variety of operating systems -- but as I describe, as far as I know
all other systems using xlockmore fare worse than we do.  I've been
waiting for NAI to publish about it, but in the meantime a patch is
available.  I really did not want to steal their thunder, but we had
this patch quite a while back.

> I have no idea if these issues are present in these programs on other
> operating systems (*BSD, Linux, *nix...) or if they are OpenBSD-specific.
> 
> (OpenBSD, to my knowledge, doesn't announce their patches anywhere except
> on their Web page.  Users appear to be expected to either check the Web
> page frequently, track the development tree, or use some other mechanism
> to keep abreast of patches.  This is not a complaint on my part; this is
> merely an explanation as to why I'm posting this to Bugtraq.)

I agree that we should do something more about it.  I have only one
defense.  It would be a list we wouldn't need to post to often ;-)
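The errata entry for xlockmore makes the practical point that a leaked root hash is far more damaging when the password is stored under traditional DES crypt(3) than under blowfish encoding. The script below is an added example, not part of this thread or of OpenBSD's own tooling: it reads master.passwd-style records and reports which accounts still carry a DES (or otherwise weak) hash, so an administrator can re-hash them before a disclosure bug like this one turns into a cracked password. The prefix table ($2a$/$2b$ for blowfish, $1$ for md5crypt, $5$/$6$ for SHA-crypt) reflects the modular crypt formats I know to exist; the sample records and every hash string in them are constructed and are not real hashes.

```python
"""
Classify the password-hashing scheme used in master.passwd-style records.

Added example, not code from the Bugtraq thread or from OpenBSD.  The
errata note says DES-hashed root passwords suffer far more from hash
disclosure than blowfish (bcrypt) ones do; this script finds the accounts
that still use DES so they can be re-hashed.  All sample data below is
constructed for illustration.
"""
import string

# Traditional DES crypt(3) output: exactly 13 characters drawn from the
# crypt alphabet, the first two of which are the salt.
_DES_ALPHABET = set(string.ascii_letters + string.digits + "./")

# Modular-crypt prefixes (assumption: the usual prefixes documented for
# crypt(3); $2a$/$2b$ is what OpenBSD's blowfish hashing emits).
_PREFIXES = {
    "$2a$": "blowfish",
    "$2b$": "blowfish",
    "$2y$": "blowfish",
    "$1$": "md5",
    "$5$": "sha256",
    "$6$": "sha512",
}

# Markers used for accounts that cannot log in with a password at all.
_LOCKED = {"", "*", "!", "*************"}


def classify_hash(hash_field: str) -> str:
    """Return the hashing scheme name for one password field."""
    if hash_field in _LOCKED:
        return "locked"
    for prefix, name in _PREFIXES.items():
        if hash_field.startswith(prefix):
            return name
    if len(hash_field) == 13 and all(c in _DES_ALPHABET for c in hash_field):
        return "des"
    return "unknown"


def parse_master_passwd(text: str):
    """Return [(user, scheme), ...] for each non-comment record.

    master.passwd layout: name:password:uid:gid:class:change:expire:gecos:home:shell
    Only the first two fields are needed here.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed record; skip rather than guess
        records.append((fields[0], classify_hash(fields[1])))
    return records


def weak_accounts(text: str, weak=("des", "md5", "unknown")):
    """Names of accounts whose hash scheme is considered weak."""
    return [user for user, scheme in parse_master_passwd(text) if scheme in weak]


# Constructed master.passwd excerpt; none of these are real hashes.
SAMPLE = """\
# constructed sample, not from any real system
root:$2a$06$SaltSaltSaltSaltSaltSeHashHashHashHashHashHashHashHas:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1::0:0:The devil himself:/root:/sbin/nologin
operator:abJnggxhB/yWI:2:5::0:0:System &:/operator:/sbin/nologin
legacy:$1$saltsalt$HashHashHashHashHashHas:1001:1001::0:0:Legacy User:/home/legacy:/bin/ksh
"""

if __name__ == "__main__":
    for user, scheme in parse_master_passwd(SAMPLE):
        print(f"{user:10s} {scheme}")
    print("re-hash these accounts:", ", ".join(weak_accounts(SAMPLE)))
```

Run it against a copy of your own master.passwd (readable only by root) by passing the file contents to `weak_accounts`; accounts it lists are the ones whose hash would be cheap to brute-force if disclosed.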
