[15085] in bugtraq


New OpenBSD patches

daemon@ATHENA.MIT.EDU (Richard Trott)
Sun May 28 15:37:29 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.BSO.4.10.10005280937060.21758-100000@www>
Date:         Sun, 28 May 2000 10:06:20 -0700
Reply-To: trott@SLOWPOISONERS.COM
From: Richard Trott <trott@SLOWPOISONERS.COM>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

Disclaimer:  I am not an OpenBSD developer; I'm just a user.

There were two security patches released for OpenBSD 2.6 on May 25.  From
http://www.openbsd.org/errata26.html:

-----

023: SECURITY FIX: May 25, 2000
      A misuse of ipf(8) keep-state rules can result in firewall rules
being bypassed. This patch also includes fixes for an unaligned timestamp
issue, and reliability fixes for ipmon and the in-kernel ftp proxy.  A
jumbo patch exists, which remedies this problem, and updates ipf to
version 3.3.16.

022: SECURITY FIX: May 25, 2000
      xlockmore has a localhost attack against it which allows recovery of
the encrypted hash of the root password. The damage to systems using DES
passwords from this attack is pretty heavy, but to systems with a
well-chosen root password under blowfish encoding (see crypt(3)) the
impact is much reduced.  (Aside: We do not consider this a localhost root
hole in the default install, since we have not seen a fast blowfish
cracker yet ;-)
      A source code patch exists, which remedies this problem.

-----

I have no idea if these issues are present in these programs on other
operating systems (*BSD, Linux, *nix...) or if they are OpenBSD-specific.

(OpenBSD, to my knowledge, doesn't announce their patches anywhere except
on their Web page.  Users appear to be expected to either check the Web
page frequently, track the development tree, or use some other mechanism
to keep abreast of patches.  This is not a complaint on my part; this is
merely an explanation as to why I'm posting this to Bugtraq.)
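
The xlockmore item above turns on which crypt(3) scheme protects the root hash that can be recovered: traditional DES versus blowfish. The following check, added here as an example and not part of the original post or of OpenBSD, parses master.passwd-style lines and flags accounts whose hash would be cheap to crack if it leaked. The sample lines, the minimum blowfish cost of 6 and the prefix handling are assumptions made for the example.

```python
import re

# Constructed sample in master.passwd layout (name:hash:uid:gid:class:change:expire:gecos:home:shell).
# The hash fields are made-up strings of the right shape, not real credentials.
SAMPLE_MASTER_PASSWD = """\
root:$2a$08$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234:0:0:daemon:0:0:Charlie &:/root:/bin/csh
oldadmin:AbCdEfGhIjKlM:1000:1000::0:0:Old Admin:/home/oldadmin:/bin/ksh
legacy:$1$saltsalt$0123456789abcdefghijklm:1001:1001::0:0:Legacy MD5:/home/legacy:/bin/sh
nobody:*:32767:32767::0:0:Unprivileged user:/nonexistent:/sbin/nologin
"""

# Traditional DES crypt: 13 characters from the crypt(3) alphabet, no scheme prefix.
DES_RE = re.compile(r'^[./0-9A-Za-z]{13}$')


def classify_hash(h):
    """Return (scheme, cost) for one crypt(3)-style hash field."""
    if h == "" or h.startswith("*") or h.startswith("!"):
        return ("locked", None)
    if h.startswith("$2a$") or h.startswith("$2b$"):
        # Blowfish/bcrypt: two-digit log2 work factor follows the prefix.
        return ("blowfish", int(h[4:6]))
    if h.startswith("$1$"):
        return ("md5", None)
    if DES_RE.match(h):
        return ("des", None)
    return ("unknown", None)


def find_weak_entries(text, min_blowfish_cost=6):
    """Return [(user, scheme, reason)] for entries whose hash offers weak
    protection should the hash itself be disclosed (the xlockmore scenario)."""
    flagged = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, scheme_cost = fields[0], classify_hash(fields[1])
        scheme, cost = scheme_cost
        if scheme == "des":
            flagged.append((user, scheme, "DES crypt: fast to brute-force offline"))
        elif scheme == "md5":
            flagged.append((user, scheme, "MD5 crypt: no tunable work factor"))
        elif scheme == "blowfish" and cost < min_blowfish_cost:
            flagged.append((user, scheme, f"blowfish cost {cost} below {min_blowfish_cost}"))
        elif scheme == "unknown":
            flagged.append((user, scheme, "unrecognised hash format"))
    return flagged
```

Running `find_weak_entries(SAMPLE_MASTER_PASSWD)` flags the DES and MD5 accounts while leaving the blowfish root entry and the locked account alone.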
