errata56.html

<!doctype html>
<html lang=en id=errata>
<meta charset=utf-8>

<title>OpenBSD 5.6 Errata</title>
<meta name="description" content="the OpenBSD CD errata page">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="openbsd.css">
<link rel="canonical" href="https://www.openbsd.org/errata56.html">

<!--
			IMPORTANT REMINDER
	IF YOU ADD A NEW ERRATUM, MAIL THE PATCH TO TECH AND ANNOUNCE
-->


<h2 id=OpenBSD>
<a href="index.html">
<i>Open</i><b>BSD</b></a>
5.6 Errata
</h2>
<hr>

For errata on a certain release, click below:<br>
<a href="errata20.html">2.0</a>,
<a href="errata21.html">2.1</a>,
<a href="errata22.html">2.2</a>,
<a href="errata23.html">2.3</a>,
<a href="errata24.html">2.4</a>,
<a href="errata25.html">2.5</a>,
<a href="errata26.html">2.6</a>,
<a href="errata27.html">2.7</a>,
<a href="errata28.html">2.8</a>,
<a href="errata29.html">2.9</a>,
<a href="errata30.html">3.0</a>,
<a href="errata31.html">3.1</a>,
<a href="errata32.html">3.2</a>,
<a href="errata33.html">3.3</a>,
<a href="errata34.html">3.4</a>,
<a href="errata35.html">3.5</a>,
<br>
<a href="errata36.html">3.6</a>,
<a href="errata37.html">3.7</a>,
<a href="errata38.html">3.8</a>,
<a href="errata39.html">3.9</a>,
<a href="errata40.html">4.0</a>,
<a href="errata41.html">4.1</a>,
<a href="errata42.html">4.2</a>,
<a href="errata43.html">4.3</a>,
<a href="errata44.html">4.4</a>,
<a href="errata45.html">4.5</a>,
<a href="errata46.html">4.6</a>,
<a href="errata47.html">4.7</a>,
<a href="errata48.html">4.8</a>,
<a href="errata49.html">4.9</a>,
<a href="errata50.html">5.0</a>,
<a href="errata51.html">5.1</a>,
<br>
<a href="errata52.html">5.2</a>,
<a href="errata53.html">5.3</a>,
<a href="errata54.html">5.4</a>,
<a href="errata55.html">5.5</a>,
<a href="errata57.html">5.7</a>,
<a href="errata58.html">5.8</a>,
<a href="errata59.html">5.9</a>,
<a href="errata60.html">6.0</a>,
<a href="errata61.html">6.1</a>,
<a href="errata62.html">6.2</a>,
<a href="errata63.html">6.3</a>,
<a href="errata64.html">6.4</a>,
<a href="errata65.html">6.5</a>,
<a href="errata66.html">6.6</a>,
<a href="errata67.html">6.7</a>,
<a href="errata68.html">6.8</a>,
<br>
<a href="errata69.html">6.9</a>,
<a href="errata70.html">7.0</a>,
<a href="errata71.html">7.1</a>,
<a href="errata72.html">7.2</a>,
<a href="errata73.html">7.3</a>,
<a href="errata74.html">7.4</a>,
<a href="errata75.html">7.5</a>,
<a href="errata76.html">7.6</a>,
<a href="errata77.html">7.7</a>.
<hr>

<p>
Patches for the OpenBSD base system are distributed as unified diffs.
Each patch is cryptographically signed with the
<a href="https://man.openbsd.org/OpenBSD-5.6/signify.1">signify(1)</a> tool and contains
usage instructions.
All the following patches are also available in one
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.6.tar.gz">tar.gz file</a>
for convenience.

<p>
Patches for supported releases are also incorporated into the
<a href="stable.html">-stable branch</a>.

<hr>

<ul>

<li id="p001_rxr">
<strong>001: RELIABILITY FIX: September 5, 2014</strong>
&nbsp; <i>All architectures</i><br>
Incorrect RX ring computation leads to panics under load with bge(4), em(4) and ix(4).
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/001_rxr.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p002_nd6">
<strong>002: RELIABILITY FIX: October 1, 2014</strong>
&nbsp; <i>All architectures</i><br>
If IPv6 autoconf is active on an interface and the autoconfprivacy extension is used,
redundant addresses are added whenever an autoconfprivacy address expires.
The autoconfprivacy extension is used by default and can be disabled with ifconfig(8)
as a workaround:
<pre>
# ifconfig em0 -autoconfprivacy
</pre>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/002_nd6.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p003_nginx">
<strong>003: SECURITY FIX: October 1, 2014</strong>
&nbsp; <i>All architectures</i><br>
nginx can reuse cached SSL sessions in unrelated contexts, allowing virtual
host confusion attacks in some configurations.
This issue was assigned CVE-2014-3616.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/003_nginx.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p004_kernexec">
<strong>004: RELIABILITY FIX: October 20, 2014</strong>
&nbsp; <i>All architectures</i><br>
Executable headers with an unaligned address will trigger a kernel panic.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/004_kernexec.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p005_nosslv3">
<strong>005: SECURITY FIX: October 20, 2014</strong>
&nbsp; <i>All architectures</i><br>
This patch disables the SSLv3 protocol by default.
<p>
<i>
Applications depending on SSLv3 may need to be recompiled with
</i>
<pre>    SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3);</pre>
<i>
but we recommend against the continued use of this obsolete protocol.
</i>
<p>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/005_nosslv3.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p006_relayd">
<strong>006: RELIABILITY FIX: November 17, 2014</strong>
&nbsp; <i>All architectures</i><br>
Certain http requests can crash relayd.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/006_relayd.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p007_pfctl">
<strong>007: RELIABILITY FIX: November 17, 2014</strong>
&nbsp; <i>All architectures</i><br>
A PF rule using an IPv4 address
followed by an IPv6 address and then a dynamic address, e.g. "pass
from {192.0.2.1 2001:db8::1} to (pppoe0)", will have an incorrect /32
mask applied to the dynamic address.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/007_pfctl.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p008_asr">
<strong>008: RELIABILITY FIX: November 17, 2014</strong>
&nbsp; <i>All architectures</i><br>
Querying an invalid hostname with gethostbyname(3) could cause a NULL deref.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/008_asr.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p009_httpd">
<strong>009: RELIABILITY FIX: November 18, 2014</strong>
&nbsp; <i>All architectures</i><br>
httpd was developed very rapidly in the weeks before 5.6 release, and
it has a few flaws.  It would be nice to get these flaws fully
remediated before the next release, and that requires the community to
want to use it.  Therefore here is a "jumbo" patch that brings in the
most important fixes.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/009_httpd.patch.sig">
A source code patch exists which remedies this problem.</a>
<br>
<i>Unfortunately the source tree found on the CD set contains a slightly different
checkout, from just before the release was finished and is missing a few httpd
commits. Therefore, the patch above will not apply correctly. Users are encouraged
to use cvs to get the latest httpd sources if interested.</i>
<p>

<li id="p010_pipex">
<strong>010: RELIABILITY FIX: December 5, 2014</strong>
&nbsp; <i>All architectures</i><br>
Several bugs were fixed that allowed a crash from remote when an active pipex
session exists.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/010_pipex.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p011_pppoe">
<strong>011: RELIABILITY FIX: December 5, 2014</strong>
&nbsp; <i>All architectures</i><br>
An incorrect memcpy call would result in corrupted MAC addresses when
using PPPOE.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/011_pppoe.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p012_unbound">
<strong>012: RELIABILITY FIX: December 9, 2014</strong>
&nbsp; <i>All architectures</i><br>
Fix a denial of service where a malicious authority could make the resolver chase an
endless series of delegations. (CVE-2014-8602)
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/012_unbound.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p013_virtio">
<strong>013: RELIABILITY FIX: December 9, 2014</strong>
&nbsp; <i>All architectures</i><br>
Missing memory barriers in virtio(4) can lead to hangs with virtio devices,
like vio(4) and vioblk(4).
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/013_virtio.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p014_xserver">
<strong>014: SECURITY FIX: December 9, 2014</strong>
&nbsp; <i>All architectures</i><br>
One year after Ilja van Sprundel discovered and reported a large number
of issues in the way the X server code base handles requests from X clients,
they have been fixed.
<br>
<a href="http://www.x.org/wiki/Development/Security/Advisory-2014-12-09/">X Advisory</a>
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/014_xserver.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p015_libevent">
<strong>015: SECURITY FIX: January 13, 2015</strong>
&nbsp; <i>All architectures</i><br>
Fix CVE-2014-6272 in libevent 1.4 event buffer handling.  OpenBSD
base uses it for the programs: cu tmux ftp-proxy httpd ldapd relayd
tftp-proxy tftpd
<br>
<a href="http://www.wangafu.net/~nickm/volatile/advisory.txt.asc">Libevent Advisory</a>
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/015_libevent.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p016_xserver">
<strong>016: SECURITY FIX: March 3, 2015</strong>
&nbsp; <i>All architectures</i><br>
Information leak in the XkbSetGeometry request of X servers.
<br>
For more information, see the
<a href="http://www.x.org/wiki/Development/Security/Advisory-2015-02-10/">X.org advisory</a>.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/016_xserver.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p017_openssl">
<strong>017: SECURITY FIX: March 13, 2015</strong>
&nbsp; <i>All architectures</i><br>
Don't permit TLS client connections to be downgraded to weak keys.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/017_openssl.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p018_freetype">
<strong>018: SECURITY FIX: March 13, 2015</strong>
&nbsp; <i>All architectures</i><br>
Another fix for buffer overflows in malformed fonts.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/018_freetype.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p019_libxfont">
<strong>019: SECURITY FIX: March 18, 2015</strong>
&nbsp; <i>All architectures</i><br>
Buffer overflows in libXfont
<br>
For more information, see the
<a href="http://www.x.org/wiki/Development/Security/Advisory-2015-03-17/">X.org advisory</a>.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/019_libxfont.patch.sig">
A source code patch exists which remedies this problem.</a>
<br>Note that the instructions should read <code>cd /usr/xenocara/lib/libXfont</code>.
<p>

<li id="p020_openssl">
<strong>020: SECURITY FIX: March 19, 2015</strong>
&nbsp; <i>All architectures</i><br>
Fix several crash causing defects from OpenSSL.<br>
These include:<br>
CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error<br>
CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp<br>
CVE-2015-0287 - ASN.1 structure reuse memory corruption<br>
CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref<br>
CVE-2015-0289 - PKCS7 NULL pointer dereferences<br>
<br>
Several other issues did not apply or were already fixed.<br>
For more information, see the
<a href="https://www.openssl.org/news/secadv_20150319.txt">OpenSSL advisory</a>.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/020_openssl.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p021_smtpd">
<strong>021: RELIABILITY FIX: April 17, 2015</strong>
&nbsp; <i>All architectures</i><br>
Fix a logic error in smtpd handling of SNI.
This could allow a remote user to crash the server or provoke a disconnect of other sessions.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/021_smtpd.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p022_httpd">
<strong>022: RELIABILITY FIX: April 30, 2015</strong>
&nbsp; <i>All architectures</i><br>
A remote user can crash httpd by forcing the daemon to log to a file
before the logging system was initialized.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/022_httpd.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p023_elf">
<strong>023: SECURITY FIX: April 30, 2015</strong>
&nbsp; <i>All architectures</i><br>
Malformed binaries could trigger kernel panics or view kernel memory.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/023_elf.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p024_tar">
<strong>024: SECURITY FIX: April 30, 2015</strong>
&nbsp; <i>All architectures</i><br>
Multiple issues in tar/pax/cpio:
<ul>
<li>extracting a malicious archive could create files outside of
the current directory without using pre-existing symlinks to 'escape',
and could change the timestamps and modes on preexisting files
<li>tar without -P would permit extraction of paths with ".." components
<li>there was a buffer overflow in the handling of pax extension headers
</ul>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/024_tar.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p025_smtpd">
<strong>025: RELIABILITY FIX: June 11, 2015</strong>
&nbsp; <i>All architectures</i><br>
Fix multiple reliability issues in smtpd:
<ul>
<li>a local user can cause smtpd to fail by writing an invalid imsg to control socket.
<li>a local user can prevent smtpd from serving new requests by exhausting descriptors.
</ul>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/025_smtpd.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p026_openssl">
<strong>026: SECURITY FIX: June 11, 2015</strong>
&nbsp; <i>All architectures</i><br>
Fix several defects from OpenSSL:
<ul>
<li>CVE-2015-1788 - Malformed ECParameters causes infinite loop
<li>CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
<li>CVE-2015-1792 - CMS verify infinite loop with unknown hash function
</ul>
Note that CMS was already disabled in LibreSSL.
Several other issues did not apply or were already fixed and one is under review.<br>
For more information, see the
<a href="https://www.openssl.org/news/secadv_20150611.txt">OpenSSL advisory</a>.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/026_openssl.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p027_tcp">
<strong>027: SECURITY FIX: July 14, 2015</strong>
&nbsp; <i>All architectures</i><br>
A TCP socket can become confused and not properly cleanup resources.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/027_tcp_persist.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p028_execve">
<strong>028: RELIABILITY FIX: July 26, 2015</strong>
&nbsp; <i>All architectures</i><br>
A kernel memory leak could be triggered by an unprivileged user in
a failure case when using execve under systrace.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/028_execve.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p029_patch">
<strong>029: SECURITY FIX: July 26, 2015</strong>
&nbsp; <i>All architectures</i><br>
The patch utility could be made to invoke arbitrary commands via
the obsolete SCCS and RCS support when processing a crafted input file.
This patch deletes the SCCS and RCS support.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/029_patch.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p030_patch">
<strong>030: SECURITY FIX: July 30, 2015</strong>
&nbsp; <i>All architectures</i><br>
The patch utility could become desyncronized processing ed(1)-style diffs.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/030_patch.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p031_smtpd">
<strong>031: SECURITY FIX: October 1, 2015</strong>
&nbsp; <i>All architectures</i><br>
Fix multiple reliability and security issues in smtpd:<br>
<ul>
<li>local and remote users could make smtpd crash or stop serving requests.
<li>a buffer overflow in the unprivileged, non-chrooted smtpd (lookup)
    process could allow a local user to cause a crash or potentially
    execute arbitrary code.
<li>a use-after-free in the unprivileged, non-chrooted smtpd (lookup)
    process could allow a remote attacker to cause a crash or potentially
    execute arbitrary code.
<li>hardlink and symlink attacks allowed a local user to unset chflags or
    leak the first line of an arbitrary file.
</ul>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/031_smtpd.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p032_kevent">
<strong>032: RELIABILITY FIX: October 14, 2015</strong>
&nbsp; <i>All architectures</i><br>
A problem with timer kevents could result in a kernel hang (local denial
of service).<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/032_kevent.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p033_obj2txt">
<strong>033: RELIABILITY FIX: October 15, 2015</strong>
&nbsp; <i>All architectures</i><br>
The OBJ_obj2txt function in libcrypto contains a one byte buffer overrun
and memory leak, as reported by Qualys Security.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/033_obj2txt.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

</ul>

<hr>