errata65.html

<!doctype html>
<html lang=en id=errata>
<meta charset=utf-8>

<title>OpenBSD 6.5 Errata</title>
<meta name="description" content="the OpenBSD errata page">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="openbsd.css">
<link rel="canonical" href="https://www.openbsd.org/errata65.html">

<!--
			IMPORTANT REMINDER
	IF YOU ADD A NEW ERRATUM, MAIL THE PATCH TO TECH AND ANNOUNCE
-->

<h2 id=OpenBSD>
<a href="index.html">
<i>Open</i><b>BSD</b></a>
6.5 Errata
</h2>
<hr>

For errata on a certain release, click below:<br>
<a href="errata20.html">2.0</a>,
<a href="errata21.html">2.1</a>,
<a href="errata22.html">2.2</a>,
<a href="errata23.html">2.3</a>,
<a href="errata24.html">2.4</a>,
<a href="errata25.html">2.5</a>,
<a href="errata26.html">2.6</a>,
<a href="errata27.html">2.7</a>,
<a href="errata28.html">2.8</a>,
<a href="errata29.html">2.9</a>,
<a href="errata30.html">3.0</a>,
<a href="errata31.html">3.1</a>,
<a href="errata32.html">3.2</a>,
<a href="errata33.html">3.3</a>,
<a href="errata34.html">3.4</a>,
<a href="errata35.html">3.5</a>,
<br>
<a href="errata36.html">3.6</a>,
<a href="errata37.html">3.7</a>,
<a href="errata38.html">3.8</a>,
<a href="errata39.html">3.9</a>,
<a href="errata40.html">4.0</a>,
<a href="errata41.html">4.1</a>,
<a href="errata42.html">4.2</a>,
<a href="errata43.html">4.3</a>,
<a href="errata44.html">4.4</a>,
<a href="errata45.html">4.5</a>,
<a href="errata46.html">4.6</a>,
<a href="errata47.html">4.7</a>,
<a href="errata48.html">4.8</a>,
<a href="errata49.html">4.9</a>,
<a href="errata50.html">5.0</a>,
<a href="errata51.html">5.1</a>,
<br>
<a href="errata52.html">5.2</a>,
<a href="errata53.html">5.3</a>,
<a href="errata54.html">5.4</a>,
<a href="errata55.html">5.5</a>,
<a href="errata56.html">5.6</a>,
<a href="errata57.html">5.7</a>,
<a href="errata58.html">5.8</a>,
<a href="errata59.html">5.9</a>,
<a href="errata60.html">6.0</a>,
<a href="errata61.html">6.1</a>,
<a href="errata62.html">6.2</a>,
<a href="errata63.html">6.3</a>,
<a href="errata64.html">6.4</a>,
<a href="errata66.html">6.6</a>,
<a href="errata67.html">6.7</a>,
<a href="errata68.html">6.8</a>,
<br>
<a href="errata69.html">6.9</a>,
<a href="errata70.html">7.0</a>,
<a href="errata71.html">7.1</a>,
<a href="errata72.html">7.2</a>,
<a href="errata73.html">7.3</a>,
<a href="errata74.html">7.4</a>,
<a href="errata75.html">7.5</a>,
<a href="errata76.html">7.6</a>,
<a href="errata77.html">7.7</a>.
<hr>

<p>
Patches for the OpenBSD base system are distributed as unified diffs.
Each patch is cryptographically signed with the
<a href="https://man.openbsd.org/OpenBSD-6.5/signify.1">signify(1)</a> tool and contains
usage instructions.
All the following patches are also available in one
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5.tar.gz">tar.gz file</a>
for convenience.

<p>
Alternatively, the <a href="https://man.openbsd.org/syspatch">syspatch(8)</a>
utility can be used to apply binary updates on the following architectures:
amd64, i386, arm64.

<p>
Patches for supported releases are also incorporated into the
<a href="stable.html">-stable branch</a>.

<hr>

<ul>

<li id="p001_rip6cksum">
<strong>001: RELIABILITY FIX: May 3, 2019</strong>
&nbsp; <i>All architectures</i>
<br>
If a userland program sets the IPv6 checksum offset on a raw socket,
an incoming packet could crash the kernel.  ospf6d is such a program.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/001_rip6cksum.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p002_srtp">
<strong>002: RELIABILITY FIX: May 16, 2019</strong>
&nbsp; <i>All architectures</i>
<br>
LibreSSL servers did not provide an SRTP profile, so DTLS negotiation failed.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/002_srtp.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p003_mds">
<strong>003: SECURITY FIX: May 29, 2019</strong>
&nbsp; <i>amd64</i>
<br>
Intel CPUs have a cross privilege side-channel attack (MDS).
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/003_mds.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p004_bgpd">
<strong>004: RELIABILITY FIX: June 10, 2019</strong>
&nbsp; <i>All architectures</i>
<br>
Several issues were corrected in bgpd: "network" statements with no fixed
prefix were incorrectly removed when configuration was reloaded, "export
default-route" did not work, and "network 0.0.0.0/0" could not be used
in some cases.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/004_bgpd.patch.sig">
A source code patch exists which remedies these problems.</a>
<p>

<li id="p005_libssl">
<strong>005: RELIABILITY FIX: June 10, 2019</strong>
&nbsp; <i>All architectures</i>
<br>
TLS handshakes fail if a client supporting TLS 1.3 tries to connect to
an OpenBSD server and sends a key share extension that does not include
X25519.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/005_libssl.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p006_tcpsack">
<strong>006: RELIABILITY FIX: July 25, 2019</strong>
&nbsp; <i>All architectures</i>
<br>
By creating long chains of TCP SACK holes, an attacker could possibly
slow down the system temporarily.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/006_tcpsack.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p007_smtpd">
<strong>007: RELIABILITY FIX: August 2, 2019</strong>
&nbsp; <i>All architectures</i>
<br>
smtpd can crash on excessively large input, causing a denial of service.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/007_smtpd.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p008_swapgs">
<strong>008: SECURITY FIX: August 9, 2019</strong>
&nbsp; <i>amd64</i>
<br>
Intel CPUs have another cross privilege side-channel attack. (SWAPGS)
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/008_swapgs.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p009_resume">
<strong>009: RELIABILITY FIX: September 2, 2019</strong>
&nbsp; <i>amd64</i>
<br>
Resume forgot to restore MSR/PAT configuration.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/009_resume.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p010_frag6ecn">
<strong>010: RELIABILITY FIX: September 2, 2019</strong>
&nbsp; <i>All architectures</i>
<br>
When processing ECN bits on incoming IPv6 fragments, the kernel
could crash.  Per default pf fragment reassemble prevents the crash.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/010_frag6ecn.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p011_expat">
<strong>011: SECURITY FIX: September 14, 2019</strong>
&nbsp; <i>All architectures</i>
<br>
Libexpat 2.2.6 was affected by the heap overflow CVE-2019-15903.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/011_expat.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p012_sysupgrade">
<strong>012: RELIABILITY FIX: October 3, 2019</strong>
&nbsp; <i>All architectures</i>
<br>
The sysupgrade utility can be used to upgrade the system to the next
release or to a new snapshot.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/012_sysupgrade.patch.sig">
A source code patch exists which adds this utility.</a>
<p>

<li id="p013_unbound">
<strong>013: RELIABILITY FIX: October 5, 2019</strong>
&nbsp; <i>All architectures</i>
<br>
Specially crafted queries may crash unwind and unbound.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/013_unbound.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p014_dhcpd">
<strong>014: SECURITY FIX: October 5, 2019</strong>
&nbsp; <i>All architectures</i>
<br>
dhcpd leaks 4 bytes of stack to the network.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/014_dhcpd.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p015_net80211">
<strong>015: RELIABILITY FIX: November 16, 2019</strong>
&nbsp; <i>All architectures</i>
<br>
The kernel could crash due to a NULL pointer dereference in net80211.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/015_net80211.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p016_sysupgrade">
<strong>016: RELIABILITY FIX: November 16, 2019</strong>
&nbsp; <i>All architectures</i>
<br>
A new kernel may require newer firmware images when using sysupgrade.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/016_sysupgrade.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p017_ifioctl">
<strong>017: SECURITY FIX: November 16, 2019</strong>
&nbsp; <i>All architectures</i>
<br>
A regular user could change some network interface parameters due
to missing checks in the ioctl(2) system call.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/017_ifioctl.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p018_inteldrm">
<strong>018: SECURITY FIX: November 22, 2019</strong>
&nbsp; <i>i386 and amd64</i>
<br>
A local user could cause the system to hang by reading specific
registers when Intel Gen8/Gen9 graphics hardware is in a low power state.
A local user could perform writes to memory that should be blocked with
Intel Gen9 graphics hardware.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/018_inteldrm.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p019_mesa">
<strong>019: SECURITY FIX: November 22, 2019</strong>
&nbsp; <i>All architectures</i>
<br>
Shared memory regions used by some Mesa drivers had permissions which
allowed others to access that memory.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/019_mesa.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p020_mesaxlock">
<strong>020: SECURITY FIX: December 4, 2019</strong>
&nbsp; <i>All architectures</i>
<br>
Environment-provided paths are used for dlopen() in mesa, resulting in
escalation to the auth group in xlock(1).
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/020_mesaxlock.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p021_libcauth">
<strong>021: SECURITY FIX: December 4, 2019</strong>
&nbsp; <i>All architectures</i>
<br>
libc's authentication layer performed insufficient username validation.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/021_libcauth.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p022_xenodm">
<strong>022: SECURITY FIX: December 4, 2019</strong>
&nbsp; <i>All architectures</i>
<br>
xenodm uses the libc authentication layer incorrectly.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/022_xenodm.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p023_suauth">
<strong>023: SECURITY FIX: December 8, 2019</strong>
&nbsp; <i>All architectures</i>
<br>
A user can log in with a different user's login class.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/023_suauth.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p024_ldso">
<strong>024: SECURITY FIX: December 11, 2019</strong>
&nbsp; <i>All architectures</i>
<br>
ld.so may fail to remove the LD_LIBRARY_PATH environment variable for
set-user-ID and set-group-ID executables in low memory conditions.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/024_ldso.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p025_eret">
<strong>025: SECURITY FIX: December 18, 2019</strong>
&nbsp; <i>arm64</i>
<br>
ARM64 CPUs speculatively execute instructions after ERET.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/025_eret.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p026_ftp">
<strong>026: SECURITY FIX: December 20, 2019</strong>
&nbsp; <i>All architectures</i>
<br>
ftp(1) will follow remote redirects to local files.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/026_ftp.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p027_ripd">
<strong>027: SECURITY FIX: December 20, 2019</strong>
&nbsp; <i>All architectures</i>
<br>
ripd(8) fails to validate authentication lengths.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/027_ripd.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p028_inteldrmctx">
<strong>028: SECURITY FIX: January 17, 2020</strong>
&nbsp; <i>i386 and amd64</i>
<br>
Execution Unit state was not cleared on context switch with Intel Gen9
graphics hardware.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/028_inteldrmctx.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p029_smtpd_tls">
<strong>029: RELIABILITY FIX: January 30, 2020</strong>
&nbsp; <i>All architectures</i>
<br>
smtpd can crash on opportunistic TLS downgrade, causing a denial of service.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/029_smtpd_tls.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p030_smtpd_exec">
<strong>030: SECURITY FIX: January 30, 2020</strong>
&nbsp; <i>All architectures</i>
<br>
An incorrect check allows an attacker to trick mbox delivery into executing
arbitrary commands as root and lmtp delivery into executing arbitrary commands
as an unprivileged user.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/030_smtpd_exec.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p031_smtpd_envelope">
<strong>031: SECURITY FIX: February 24, 2020</strong>
&nbsp; <i>All architectures</i>
<br>
An out of bounds read in smtpd allows an attacker to inject arbitrary
commands into the envelope file which are then executed as root.
Separately, missing privilege revocation in smtpctl allows arbitrary
commands to be run with the _smtpq group.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/031_smtpd_envelope.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p032_sysctl">
<strong>032: RELIABILITY FIX: March 10, 2020</strong>
&nbsp; <i>All architectures</i>
<br>
Missing input validation in sysctl(2) can be used to crash the kernel.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/032_sysctl.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p033_sosplice">
<strong>033: RELIABILITY FIX: March 13, 2020</strong>
&nbsp; <i>All architectures</i>
<br>
Local outbound UDP broadcast or multicast packets sent by a spliced
socket can crash the kernel.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/033_sosplice.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p034_dhcpd">
<strong>034: SECURITY FIX: April 7, 2020</strong>
&nbsp; <i>All architectures</i>
<br>
dhcpd could reference freed memory after releasing a lease with an
unusually long uid.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/034_dhcpd.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p035_drm">
<strong>035: SECURITY FIX: April 19, 2020</strong>
&nbsp; <i>i386, amd64, arm64, loongson, macppc, sparc64</i>
<br>
There was an incorrect test for root in the DRM Linux compatibility code.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/035_drm.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p036_ospfd_lsa">
<strong>036: RELIABILITY FIX: May 10, 2020</strong>
&nbsp; <i>All architectures</i>
<br>
ospfd could generate corrupt OSPF Router (Type 1) LSAs in certain situations.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/036_ospfd_lsa.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li id="p037_wscons">
<strong>037: SECURITY FIX: May 13, 2020</strong>
&nbsp; <i>All architectures</i>
<br>
An out-of-bounds index access in wscons(4) can cause a kernel crash.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/037_wscons.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

</ul>

<hr>