Contributed by grey on from the we'll keep posting errata as stories dept.
Insufficient checking in the zlib compression library (installed as libz on OpenBSD) can result in a buffer overflow and a program crash. It is not known at this time whether maliciously crafted compressed files can be used to execute arbitrary code.
Since zlib is in wide use throughout the base OS, as well as in ports, users are advised to patch their systems as soon as possible.
A fix has been committed to OpenBSD-current as well as the 3.6 and 3.7 -stable branches. Patches are also available for OpenBSD 3.6 and 3.7. OpenBSD versions 3.4 and lower are not affected as they use an older version of zlib that does not contain the vulnerable code.
3.6 patch:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/019_libz.patch
3.7 patch:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.7/common/004_libz.patch
The 3.6 patch also applies to OpenBSD 3.5.
As always, be sure to check http://www.openbsd.org/errata.html as well.
By daddy2times (134.174.91.40) on
I run a number of OpenBSD servers (patch branch) but I have an old and slow 'build' machine that I always use to build and create an iso to update all of the servers. Seems like every time I update to patch branch, make a release and make an iso (usually takes about 15 hours), there is a new patch the next day or two.
Luckily, I did all this over the weekend. For a moment there I thought I'd wasted all those cpu cycles again.
(Of course, this doesn't preclude a new patch from being issued tomorrow, but I'll just keep my digits crossed :)
By Chas (147.154.235.51) on
The 3.6 patch also applies to OpenBSD 3.5.
3.5 was/is a fantastic release. I bought the 3.7 CD set, but I am going to sit tight on 3.5 for several servers and try to hold out, maybe for 3.8 or even further.
I do eye the improvements of later releases (privsep dhcp and ftp, smp, spamd tarpits, etc.), but so far nothing has made me want to jump ship.
Thanks again for a 3.5-compatible patch!
By Anonymous Coward (69.158.152.118) on
How about security updates? I wouldn't expect 3.5 compatible patches all the time and you said you are running servers. Probably a good idea to run a release on servers that is supported by developers.
By Chas (147.154.235.51) on
Upgrades in OpenBSD are sometimes more traumatic than you might realize...
OpenBSD 3.4 introduced the ELF executable format, which broke binary compatibility (and made for a more difficult upgrade). Binary compatibility has been broken a few other times, but I started in at 3.2 so I'm not sure when. A wipe/reinstall was strongly advocated at 3.4.
In a normal upgrade, many uninstall all packages, which can get very messy. A wipe/reinstall is advocated when convenient.
Upgrades are only supported between adjacent version numbers, unlike redhat where skipping both minor and major releases works.
i386 went to gcc3 in 3.7. gcc3 has its own problems - the one that bit me was the inability to compile C code that calls varargs.h (fwtk won't build completely anymore - http-gw compile dies).
It is common to see a number of other "gotchas" in the upgrade documentation from release to release.
By Marc Espie (62.212.102.210) espie@openbsd.org on
I haven't seen any request from you anywhere to actually port that software to OpenBSD, and fix the varargs stuff...
By Marc Espie (62.212.102.210) espie@openbsd.org on
FWTK isn't free software, and it's not maintained any more, hasn't been for 7 years, in fact.
What's the point ? There's bound to be holes in that software. I won't know for sure, because I'm not going to go through an obnoxious licence agreement to look at the code.
But 7 years old, come on, seriously... you're trusting your gw security on 7-year-old stuff?
By Chas (147.154.235.52) on
I'm currently using fwtk to isolate a QA network of VAX, Unisys, and HP-UX systems. This is not being done for security, but for development and testing purposes, and it is a lot simpler to do with fwtk than pf. I don't care about security in this case, as long as these QA servers don't touch anything on my real network. My current round of kudos for getting this done obviates any condemnation that you might proffer.
If I am relying upon the fwtk code at all, then OpenBSD would be the place to do it, since I have W^X and ProPolice on this platform.
By Ray Percival (12.18.141.172) ray.percival@summitsite.com on
Been a while since you last worked with RH, hasn't it. :P
By m0rf (68.104.17.51) on
If he has the money to pay for a supported 3.5 system for life, he probably has enough money to hire a bunch of coders to support it for him without begging on undeadly.org for it.
By Chas (147.154.235.53) on
...I have said a few times that I would like 5-year support for a "stable" OpenBSD release. I've learned to be quiet about it, and appreciate everything that I can get.