NOTICE:
This server provides access to the official patches for BSD/OS.
All patches are Copyright 1997 Berkeley Software Design, Inc.,
all rights reserved. Other copyrights may apply to some patches.
Access to some of these patches is restricted to Macnica BSD/OS
customers with valid update or support contracts.
If you are reading this after obtaining it from the
patches@bsdi.macnica.co.jp mail-back server, you have already
been authenticated. You can request any of these files directly
through the email server.
If you wish to access the protected files via ftp, you must first
obtain a group-id/password pair from the patches@bsdi.macnica.co.jp
mail-back server and then enter the appropriate `site group' and
`site gpass' commands before requesting the files from the ftp
server. See the help message from the patches@bsdi.macnica.co.jp
mail-back server for more information. Send an "cust xxxxxxxx"
message to the address patches@bsdi.macnica.co.jp and the server
will respond with the help message.
This directory contains patches for BSD/OS.
The patch naming scheme consists of:
A letter indicating what part of the system the patch
is concerned with. The most common letters will be `K'
indicating a kernel patch or `U' indicating a patch for a
utility.
Three digits indicating the release number (e.g., 210 for
the 2.1 release).
A dash.
Three digits indicating the patch number.
The patch named K210-001 would be the first kernel patch for the
2.1 release.
Please contact support@bsdi.macnica.co.jp if you have any questions regarding
the patches in this directory.
===========================================================================
PATCH:
K210-001
SUMMARY:
This patch fixes two separate problems. The first is a bug
introduced in 2.1. When switching from variable length record to
fixed length records the system would panic with a divide by zero
trap. The second change allows the kernel to recognize non-compliant
Sony DDS1 (DAT) drives.
md5 checksum: 3f8af9cb23c12fce5d4ad9cecfdf5537 K210-001
===================================================================
PATCH:
K210-002
SUMMARY:
Add support for the 2940U. Also add support for
on board controllers with a PCI device id of 0x5578.
md5 checksum: a71041d15f73c4b17b8944e098ea7a19 K210-002
===================================================================
PATCH:
K210-003
SUMMARY:
Some systems have DMA contention problems between SCSI
host bus adapters and the floppy disk controller. This change allows
the floppy controller to retry many more times when a DMA under run
occurs. This problem is not new, but changes in other parts of the
system caused it to show up more often. Install is where this
problem is most often seen.
md5 checksum: 9b2754cc9b1ca4b5c8efa12edc67e445 K210-003
===================================================================
PATCH:
K210-004
SUMMARY:
This patch fixes corrupted IP packets when bpf (tcpdump)
is enabled on PPP/SLIP connections.
This patch also addresses a problem with back to back framing
characters on PPP connections. Although the connection worked
fine, it would report a very high number of input errors.
md5 checksum: d987756903b6a104dc45a07e774d1a0e K210-004
===================================================================
PATCH:
K210-005
SUMMARY:
This patch fixes several problems with DMA buffer underruns (program
not keeping up with soundcard), including a page fault panic in certain
conditions.
md5 checksum: 563ad9261b73b22e398cc423aa6de4ad K210-005
===================================================================
PATCH:
K210-006
SUMMARY:
PPP was initialized with a cmap of 0xfffffff (28 bits) instead of
0xffffffff (32 bits). This could cause PPP to send non-escaped
control characters (0x1f, 0x1e, 0x1d, 0x1d) during LCP negotitation,
which the other side may choose to ignore, there by causing that
LCP packet to be corrupted.
Several messages about invalid packets are now only printed when
IFF_DEBUG is turned on on the ppp or sl interface. These messages
were almost always printed at the start, and perhaps at the end of
a session as traiing garbage from the login sequence was fed to
PPP/SLIP. These messages were not the sign of anything wrong
happening, but they were annoying none the less.
md5 checksum: 912b5f7c371dab31977ec775e987eff9 K210-006
===================================================================
PATCH:
K210-007
SUMMARY:
This patch allows some IDE controllers which do not comply with
the ATA-2 spec to be recognized. One of the tests used to determine
if a controller is present involved writing a data pattern to a
register which should not read that pattern back, this test has
been removed.
To install a system with one of these controllers use the boot
floppy image from:
ftp://ftp.bsdi.com/bsdi/support/misc/boot1.wdc_broken.image.
There is no need to install this patch unless you have an IDE
controller that is not being recognized at boot time.
md5 checksum: 850a4858aa78d6e2ff624372364948ad K210-007
===================================================================
PATCH:
K210-008
SUMMARY:
This patch fixes page fault panics during operations on revoked
vnodes, most commonly seen during fchmod() system calls on busy
systems with many modems. A fix to the pseudo-tty driver to properly
handle revoked vnodes is also included.
md5 checksum: fec10046849034176ccfdbd7b4dbf377 K210-008
===================================================================
PATCH:
K210-009
SUMMARY:
This patch fixes a page fault panic when the master side of a pty
is opened, the slave side of the same pty has never been opened,
ttyp0 has never been opened, and an ioctl is issued against the
master. Ttyp0 can also be corrupted in some cases instead of
the system suffering a page fault. This problem can occur when
starting the Xylogics rtelnet program from rc.local.
md5 checksum: 8d0b041a7b74624334a09b7aa12f4587 K210-009
===================================================================
PATCH:
K210-010
SUMMARY:
This patch fixes a crash that can occur when a program attempts
to read out of band data from a socket that has become disconnected.
The problem is indicated if `netstat -m' on a crash dump shows
various occurrences of <mbuf type NNN>.
NOTE: some customers received a preliminary version of this patch
called K210-mbuf. This patch supercedes that patch. If you
have installed that patch, the original versions of the patched
files must be re-installed before installing this patch; do this
with the commands:
mv kern/uipc_usrreq.c.orig kern/uipc_usrreq.c
mv net/raw_usrreq.c.orig net/raw_usrreq.c
mv netinet/raw_ip.c.orig netinet/raw_ip.c
mv netinet/tcp_usrreq.c.orig netinet/tcp_usrreq.c
mv netinet/udp_usrreq.c.orig netinet/udp_usrreq.c
This patch also fixes two TCP problems. It was possible for
newer TCP options to be sent to a host that did not support them
if the remote host sent no TCP options when opening the connection.
It was also possible for a connection to hang if the window was
retracted and then a packet was lost.
md5 checksum: 369de1affd867f13a75a1b0c9f531f43 K210-010
===================================================================
PATCH:
K210-011
SUMMARY:
This patch adds support for several more PCI bus Adaptec
controllers. It is also possible to force the driver to attach
a unknown Adaptec PCI type by setting the low order bit in the flags
field. The following Adaptec PCI ids are recognized:
0x5078, /* AIC-7850 Single-chip PCI 2 Fast SCSI */
0x5578, /* Do not know, may not exist */
0x7078, /* AIC-7870 Single-chip PCI 2 Fast SCSI */
0x7178, /* AHA-2940 PCI 2 Fast SCSI
AHA-2940W PCI 2 Fast and Wide Single-ended SCSI */
0x7478, /* AHA-2944W PCI 2 Fast and Wide Differential SCSI */
0x8078, /* AIC-7880 Single-chip PCI 2 Ultra SCSI */
0x8178, /* AHA-2940{,W} using AIC-7870D Single-chip PCI 2
Fast SCSI */
md5 checksum: 1f53601ef7c628714d0d04566f9fad4e K210-011
===================================================================
PATCH:
K210-012
SUMMARY:
In BSD/OS 2.1, raw reads into shared memory destroy sharing.
This patch changes the way that the kernel treats user
memory in raw reads so that sharing will be preserved.
md5 checksum: 7ebbbd312273acf5c96ccb1e61fe1f49 K210-012
===================================================================
PATCH:
K210-013
SUMMARY:
This patch fixes two bugs in mlock() that can crash a 2.1 system.
It was possible to panic the system by attempting to lock enough
memory using mlock() such that it required the allocation of
a page table page. This patch prevents the crash by forcing
mlock() to allocate the necessary page table pages.
If a process used mlock() to lock memory that was mapped
copy-on-write, then attempted a fork() call, the system was
unable to find locked pages in the underlying VM object and
panicked. This patch makes the system pursue locked pages
beyond the topmost object where modified copies of pages reside,
and avoids the crash.
md5 checksum: 366995368a71566cf842eabcab383061 K210-013
===================================================================
PATCH:
K210-014
SUMMARY:
On very large (typically RAID based) file systems, the
amount of free space as returned to user code from the
statfs() system call is incorrect due to an internal
overflow. (The file system itself is okay.) Typically the
`df' program shows a negative `capacity'.
md5 checksum: fd45ab91d53e95a4b3393ea68fc26b9f K210-014
===================================================================
PATCH:
K210-015
SUMMARY:
Jumbo patch to 3COM driver, fixes primarily targeted at
59x series cards (including the defective 595s). Also
includes performance fixes to allow cards with small buffers
to drop fewer packets in systems with IDE disks.
*** Note: This patch was reissued about a day after its first
release due to some beta PCMCIA code (all ifdefed out) being
included by mistake. Both versions of the patch compile into
idential binary code, there is no reason to reapply it if the
earlier version was applied.
md5 checksum: 3663c470aa470a244d5af70aa8d5e58c K210-015
===================================================================
PATCH:
K210-016
SUMMARY:
The slip modem control routine was missing from the line switch
table. This prevented slip from noticing loss of carrier when
a session was dropped. The symptoms of this problem are that
ppp(8) continues to run on slip sessions, even though the modem
has hung up.
md5 checksum: f80a0999e671e119c7dee59058c5136b K210-016
===================================================================
PATCH:
K210-017
SUMMARY:
This patch fixes a problem where under heavy load the
kernel could occassionally panic with "timeout table full". It also
provides the following changes which were missing from the object
version of K210-011.
This patch adds support for several more PCI bus Adaptec
controllers. It is also possible to force the driver to attach
a unknown Adaptec PCI type by setting the low order bit in the flags
field. The following Adaptec PCI ids are recognized:
0x5078, /* AIC-7850 Single-chip PCI 2 Fast SCSI */
0x5578, /* Do not know, may not exist */
0x7078, /* AIC-7870 Single-chip PCI 2 Fast SCSI */
0x7178, /* AHA-2940 PCI 2 Fast SCSI
AHA-2940W PCI 2 Fast and Wide Single-ended SCSI */
0x7478, /* AHA-2944W PCI 2 Fast and Wide Differential SCSI */
0x8078, /* AIC-7880 Single-chip PCI 2 Ultra SCSI */
0x8178, /* AHA-2940{,W} using AIC-7870D Single-chip PCI 2
Fast SCSI */
md5 checksum: be01d53cfa77a009089670267101ce22 K210-017
===================================================================
PATCH:
K210-018
SUMMARY:
This patch supercedes the informal patch K210-rtsock. In addition
to the leftover pointer to a freed block, this patch fixes incorrect
handling of the gateway route. In some cases an incorrect route
was returned by rtrequest() which actually used a block of memory
which had been freed. This resulted in a system crash. One symptom
of the bugs fixed by this patch is that the value which caused the
crash is sometimes equal to 0xc0001.
md5 checksum: a23c5691c4a587a87b1ce678d576f432 K210-018
===================================================================
PATCH:
K210-019
SUMMARY:
This patch adds several TCP performance enhancements.
o PCB hashing
o Optimized delayed ACK processing
o Optimized TIME-WAIT state processing
o Initial congestion window fixes
o Eliminate sending small packets when more data is
waiting to be copied from the application, but
don't delay them unnecessarily when there isn't.
This patch also includes a new kernel config option,
INET_SERVER. Turning on this option will cause the
PCB hashing code to use a much larger hash table.
Typically this would be useful on busy WEB servers.
md5 checksum: 9527c357be5a70f718236073a66fad94 K210-019
===================================================================
PATCH:
K210-020
SUMMARY:
Fixes certain kernel page fault panics which may occur when
mounting and unmounting filesystems.
md5 checksum: f219909d9f9617e7f40d1b9460315bb1 K210-020
===================================================================
PATCH:
K210-021
SUMMARY:
This patch adds two networking features that can help defeat
and detect some types of denial of service attacks.
The first feature is a limit on the number of fragmented IP
packets in the IP reassembly queue. The default limit is 200
and can be changed with the sysctl(8) variable
"net.inet.ip.maxfragpackets". To change the limit of the
number of packets on the IP reassembly queue add a command
like the following to the end of /etc/netstart. This example
would reduce the limit on outstanding fragments to 100:
sysctl -w net.inet.ip.maxfragpackets=100
The second feature is an optional test to insure that packets
are received on the expected interface. This feature looks up
the route back to the source of received IP packets. If there
is no route to the source available, or the packet did not
arrive on the expected interface the packet is discarded. The
expected interface is the one that would be used to send a
packet back to the reported source of the packet.
IP source address verification should not be used when
concurrent alternate paths exist from the BSD/OS system where
this feature is enabled, as this may cause valid packets to be
discarded. For example, a small ISP that has one connection to a
backbone network and one connection to each of it's clients
could enable this feature. If the same ISP has two
connections to a backbone network, or one connection to each
of two backbone networks they should not enable this feature.
IP source address verification is an valuable tool for
protecting against some forms of IP-spoofing as described in
CERT advisory CA 96.21, "TCP SYN Flooding and IP Spoofing
Attacks". The full text of this advisory is available as
ftp://info.cert.org/pub/cert_advisories/CA-96.21.tcp_syn_flooding.
If you are a service provider, using IP source verification
will protect your customers against attacks from the Internet
which appear to be coming from your customers' networks, and
it will ensure that packets sent from your customers' networks
have a source address on your customers' networks (preventing
them from spoofing source addresses and/or attacking others).
This feature is enabled via the "net.inet.ip.sourcecheck"
sysctl(8) variable or by adding the "IPSOURCECHECK" option
when building a kernel. For example, to enable IP source
address verification, add the following command to the end of
/etc/netstart:
sysctl -w net.inet.ip.sourcecheck=1
The IP source address verification code will log a message
when discarding a packet. To prevent a large number of
these packets from using an excessive amount of disk space
log messages are limited to one per IP address per time
interval. The time interval defaults to five seconds and
may be configured with the "net.inet.ip.sourcecheck_logint"
sysctl(8) variable. A value of zero disables the time
interval.
This patch requires U210-025 which provides new copies of
sysctl(8) and netstat(1) for configuration and monitoring of
these new features.
md5 checksum: c386e72f41d0e409d91b493631e364dd K210-021
===================================================================
PATCH:
K210-022
SUMMARY:
This patch adds a TCP SYN cache which reduces and/or
eliminates the effects of SYN-type denial of service attacks
such as those discussed in CERT advisory CA 96.21. When
a large number of SYN packets arrive for the same TCP port,
the old code would drop the excess SYN packets, assuming
that they will be retransmitted and that the current 1/2
open connections will soon be completed and removed from
the queue.
However, due to one-way and/or long paths, or malicious
intent, the queue can become clogged with 1/2 open connections
that will never complete, preventing any valid connections
from being established.
With the SYN cache, when the accept queue overflows a
minimal amount of state is stored in the SYN cache, and
a SYN,ACK response is sent. If a valid ACK comes back,
a complete connection is created. If there is no route
or a TCP RST or ICMP Unreachable comes back, the entry
is deleted. Otherwise, the entries will just time out.
There are several new sysctl entries. Note that they
should not be changed unless there is evidence that the
default values are not adequate.
o net.inet.tcp.syn_cache_limit
This specifies the maximum number of entries
that may be held into the SYN cache.
o net.inet.tcp.syn_bucket_limit
This specifies the maximum number of entries
that may be held in any individual hash bucket
of the SYN cache.
o net.inet.tcp.syn_cache_interval
This specifies in 0.5 second increments, how
often the timeout routine for the SYN cache
should be run.
The default maximum cache size is 10255, with a hash
table size of 293 and a maximum per bucket limit of
105 (10255 = 293*35, 105 = 3*35). If INET_SERVER
is defined, the default maximum cache size is 34895,
a hash table size of 997, and a per bucket limit of
105 (34895 = 997*35, 105 = 3*35).
md5 checksum: 9ec62b5e9cc424b9b42089504256d926 K210-022
===================================================================
PATCH:
K210-023
SUMMARY:
Synchronize de driver with latest stable version from Matt
Thomas. Includes support for the DE500-AA and fixes several
bugs, one of which caused systems to hang or corrupt packets
under heavy network load. This version of the driver does
NOT add support for the Znyx 346 multiport card or the
SMC9332BDT (the follow on to the EtherPower 10/100); the
SMC9332BDT is recognized as an SMC 8432BA and does not
operate.
Note: This driver supports sharing interrupts on the PCI bus
but an problem in 2.1 (unrelated to the de driver) causes
a warning message to be generated at boot time when interrupts
are shared. This message is benign as long as the drivers
sharing the interrupt are written to share interrupts.
md5 checksum: f9322e8e2cfba4a6862e59896f2ce3a3 K210-023
===================================================================
PATCH:
K210-024
SUMMARY:
This patch enhances the K210-021 and K210-022 patches.
IP fragmentation:
o Setting "sysctl -w net.inet.ip.maxfragpackets=0"
will now cause all IP fragments to be dropped.
o Setting "sysctl -w net.inet.ip.maxfragpackets=-1"
will effectively remove the limit.
o If maxfragpackets is reduced, the fragment queue
will now be trimmed back to the new, lower limit,
rather than waiting for fragments to time out.
TCP SYN caching:
o Receiving an ICMP Unreachable or a RST for a cached
connection will now remove that cached entry.
o We no longer send out the Timestamps or Scale option
if we receive a SYN without any TCP options, and the
MAXSEG value is now filled in correctly (it was byte
swapped).
o When turning around the TCP packet for the SYN,ACK,
make sure we have space for the TCP options, and if
not, make some space.
md5 checksum: d7dfc8b6c528ab18f4a10aa572eda1b8 K210-024
===================================================================
PATCH:
K210-025
SUMMARY:
This patch solves a problem that can cause a panic
due to a page fault on systems that uses PPP with TCP
header compression, have installed patch K210-021, and
have enabled IP source route checking.
When TCP header compression is used on a PPP interface,
a value was not initialized when receiving a ACK-only
packet. The K210-021 patch added code that trips over
this bug when when IP source route checking is enabled.
To see if IP source route checking is enabled, (after
U210-025 has been applied) use:
/usr/sbin/sysctl net.inet.ip.sourcecheck
Although the problem as it relates to IP source route
checking has been identified, there may be other places
in the kernel that could also trip over the unitialized
receive interface pointer.
md5 checksum: 17f6e4e608f9f0942d4575d67ab26838 K210-025
===================================================================
PATCH:
K210-026
SUMMARY:
Change the Specialix multiport card driver's interrupt handler
to clear interrupts before acknowledging them. This should prevent
"lost intr" messages. Also declare some volatiles which were not.
md5 checksum: 7f6303c3d2ccba70b995806335684836 K210-026
===================================================================
PATCH:
K210-027
SUMMARY:
Changes in Apache 1.2b are exercising a problem in the
kernel where sockets can get stuck in the FIN-WAIT-2
state, if the final FIN never arrives from the other side.
This patch ensures that when a process closes a socket
that is in FIN-WAIT-2 state, a timer will be set. If
the final FIN never arrives, the timer will expire and
the socket will be removed.
md5 checksum: 49df19100ebf60aebd27a27305b6ef8e K210-027
===================================================================
PATCH:
K210-028
SUMMARY:
For reasons that are unclear on systems without 3.3 volts,
maybe only pentium pro systems, we can not dma command phase directly to
scsi bus. We instead load command into fifo and have u_code pump
it out of fifo to scsi bus.
md5 checksum: e7d7804e4ef65376b8b4bd559e9f2715 K210-028
===================================================================
PATCH:
K210-029
SUMMARY:
This patch addresses a security problem with core dumps
from setuid programs.
md5 checksum: 081a6a11849ee6c8bb27427781cd3361 K210-029
===================================================================
PATCH:
K210-030
SUMMARY:
This mod works around a bug in Intel Pentium and Pentium/MMX
CPU's that allows a malicious user mode program to hang a
machine (without running setuid root or otherwise raising the
IO privilege level). This bug causes vulnerability to certain
types of denial of service attacks.
The workaround uses about 4K of extra kernel memory when
activated, and is only activated if the CPU reports that it is
an Intel Pentium or Pentium/MMX (family code 5, CPUID
'GenuineIntel'). If the workaround is not desired, the
kernel global 'hang_fix' can be patched (with bpatch or
gdb) to '0'. If the workaround is desired on a CPU
non-Intel CPU, 'hang_fix' can be patched to 1.
Thanks to Intel Corporation for contacting BSDI with data that
led to the fix.
md5 checksum: 84bcf488f262cb542bef71957376ed85 K210-030
===================================================================
PATCH:
K210-031
SUMMARY:
This mod implements a simpler fix to the Intel Pentium and
Pentium/MMX invalid instruction hang. The fix changes the
way the IDT is used by the CPU such that there is no run
time performance penalty, even for the less used interrupts
that were emulated by K210-030. The workaround is active
on all CPU types.
This mod is not critical; K210-030 will continue to work
as advertised, however a slight performance penalty is
exacted with the previous fix.
Should this mod cause any problems on a non-Intel machine
it may be disabled by using bpatch to set the variable
"hang_fix" to 0.'
md5 checksum: 8cd049827204a2eacff4b66e436f51ff K210-031
===================================================================
PATCH:
K210-032
SUMMARY:
Fix a data integrity problem with core dumps from
setuid/setgid programs. Once this patch is installed,
programs that are setuid and setgid will no longer be
able to generate core dumps!
md5 checksum: 2cc92a1dd277dce46a12c74caf748834 K210-032
===================================================================
PATCH:
U210-001
SUMMARY:
This patch fixes a configuration problem in the BSD/OS 2.1
release of the elm programs. They were configured to do
dot-locking, and dot-locking is not permitted in BSD/OS for
security reasons. The symptom is that elm will repeatedly
attempt to acquire a lock, but will eventually fail and
refuse to run.
md5 checksum: a963a94347703f3a5e55797bd055b6a3 U210-001
===================================================================
PATCH:
U210-002
SUMMARY:
This patch fixes a bug in the BSD/OS 2.1 release of the inn
programs. A fix that we made between the 2.0 and 2.1
releases introduced a bug that caused innd to incorrectly
parse dates. The symptom is that inn programs fail with
"437 Bad "Date" header" in the /var/log/news/news file, or
that Pnews will fail with "441 Can't parse "Date" header"
messages.
md5 checksum: 4a1a6808caa28cb0986a977cb08cb6f9 U210-002
===================================================================
PATCH:
U210-003
SUMMARY:
This patch fixes several problems with the configuration system:
Selection between 10mb and 100mb on DEC based ethernet cards
is no longer inverted.
One can now select TP on SMC Ultra (we) ethernet cards.
The config_dns program did not allow configuration of a primary
DNS server.
md5 checksum: 5452c5a0f99fb3449b985852c152e433 U210-003
===================================================================
PATCH:
U210-004
SUMMARY:
This patch fixes a bug which prevented setting the block
size for drives operating in fixed length mode.
md5 checksum: 2c3924ea2c19d231c4b4641bc650df42 U210-004
===================================================================
PATCH:
U210-005
SUMMARY:
This patch fixes two problems in the BSD/OS 2.1 release of
the sendmail program. First, when sendmail cannot find any
other place to store rejected email, it attempts to put it
in /usr/tmp, when, on BSD/OS it should use /var/tmp. The
symptom is messages of the form:
sendmail[308]: Losing qfGAA00303: savemail panic
sendmail[308]: GAA00303: SYSERR(root): savemail: cannot
save rejected email anywhere: No such file or directory
in the sendmail log file. The second problem is a security
problem, and these changes follow the official sendmail 8.7.4
patch.
md5 checksum: b8a6f8fa388407ff27b8b862a7e9f53c U210-005
===================================================================
PATCH:
D210-006
SUMMARY:
THIS PATCH IS FOR THE KERBEROS PACKAGE FROM THE DOMESTIC
FLOPPY. IT CONTAINS DES CODE AND MAY NOT BE LEGALLY EXPORTED
FROM THE UNITED STATES WITHOUT A SPECIFIC LICENSE.
YOU DO NOT NEED THIS PATCH IF YOU ARE NOT RUNNING KERBEROS.
This patch addresses CERT(sm) Advisory CA-96.03, February 21,
1996, "Vulnerability in Kerberos 4 Key Server." Kerberos 4 makes
use of some random numbers that are predictable enough to allow
some kerberos keys to be cracked. The fix involves using a better
random number generator primed with secret key.
The enclosed program "/sbin/fix_kdb_keys" will re-calculate some
critical keys in the kerberos database that were chosen randomly
with the old random number generator. This program must be run on
the kerberos server machine; kill the running "kerberos" daemon,
run fix_kdb_keys and then start the new kerberos daemon. If you
have used "kstash" to store your kerberos master key, the -n
option of fix_kdb_keys may be used to read it from disk.
NOTE that ANY OUTSTANDING TICKET GRANTING TICKETS WILL IMMEDIATELY
BECOME INVALID. Users will need to run "kinit" to get new tickets
or log out and back in. Run fix_kdb_keys when it will not disrupt
your user community or at a pre-announced time.
md5 checksum: 70f9ee252201f678d319dbaab2304096 D210-006
===================================================================
PATCH:
U210-007
SUMMARY:
This patch fixes two problems in the BSD/OS 2.1 release
of the pcnfsd program. They relate to system security,
and should be installed immediately.
md5 checksum: 7de0fb2254759b22e1d806e233014aeb U210-007
===================================================================
PATCH:
U210-008
SUMMARY:
This patch fixes a problem with cron in which the PATH
environment variable was not set correctly.
This patch also strengthens the checks on authentication
modules (/usr/libexec/login_*) and the /etc/login.conf files.
These must now be regular files, owned by root, and not group
or world writable.
md5 checksum: 1a56a9ef427b2db4fb84bd20f0dd3638 U210-008
===================================================================
PATCH:
U210-009
SUMMARY:
The 2.1 release was shipped without the support files needed
to create 2.0-compatible binaries. This patch adds a compatible
shlib.map.2.0 file for 2.0 libraries, in 2.1 format, and restores
the 2.0 stub libraries.
md5 checksum: 033abd8365753c868e11c5409832c99d U210-009
===================================================================
PATCH:
U210-010
SUMMARY:
This patch fixes a configuration problem in the BSD/OS 2.1
release of the elm programs. The Configuration script
provided with elm does not correctly handle hostnames in
mixed-case. The symptom is that elm will always send email
from .bsdi.com, instead of from the current system.
md5 checksum: 68edeeaaafb187bea4dfea7d1ccda56d U210-010
===================================================================
PATCH:
U210-011
SUMMARY:
This patch fixes a problem in the BSD/OS 2.1 release
of the /etc/security script. The symptom is that the
nightly security email will contain erroneous lists
of device additions and deletions.
md5 checksum: 9bbd32f1284be84163b2cfad75bf9bc6 U210-011
===================================================================
PATCH:
U210-012
SUMMARY:
This patch fixes a problem in the BSD/OS 2.1 release of the
bsdi-man CGI. The changes were due to slight differences
in the new Apache httpd.
md5 checksum: 2fec18d94658918031c300e999615d59 U210-012
===================================================================
PATCH:
U210-013
SUMMARY:
This patch fixes a problem in the BSD/OS 2.1 release of the
ftpd program. The symptom is that the -i and -o options
don't log transfers to /var/log/xferlog, even though the -A
option is also specified.
md5 checksum: 2c125f4c4da14b9bf2d145cb816113bf U210-013
===================================================================
PATCH:
U210-014
SUMMARY:
This patch fixes a problem in the BSD/OS 2.1 release of the
ping program. The symptom is that output redirected from
ping to a file won't appear if the -c option is specified.
md5 checksum: 1757be3caf30bcc1a797a9501e739815 U210-014
===================================================================
PATCH:
U210-015
SUMMARY:
This patch fixes some shell syntax problems in the BSD/OS 2.1
port of metamails shownonascii program. The symptom is errors
when attempting to display non-ascii text via metamail.
md5 checksum: e4148a872adaca7deca2e3acbda8ce56 U210-015
===================================================================
PATCH:
D210-016
SUMMARY:
THIS PATCH IS FOR THE KERBEROS PACKAGE FROM THE DOMESTIC
FLOPPY. IT CONTAINS DES CODE AND MAY NOT BE LEGALLY EXPORTED
FROM THE UNITED STATES WITHOUT A SPECIFIC LICENSE.
YOU DO NOT NEED THIS PATCH IF YOU ARE NOT RUNNING KERBEROS.
This patch fixes a long standing minor security problem with
kerberos authentication. The problem did not allow external or
arbitrary users unauthorized access to the system and hence
this is considered a minor security patch. BSDI does, however,
recommend that all sites using KerberosIV install this patch.
If you require sources for this patch, please contact
<support@bsdi.com>. The source version of this patch will be
made more widely available in the future.
md5 checksum: 5da8c716b14111084d4ac2d507822955 D210-016
===================================================================
PATCH:
U210-017
SUMMARY:
This patch address the security issues as discussed in
CERT(sm) Advisory CA-96.12 Vulnerability in suidperl
for BSD/OS 2.1.
md5 checksum: 6224ff121b16bd8f990345b5e1f388df U210-017
===================================================================
PATCH:
D210-018
U210-018
SUMMARY:
This patch addresses a security problem in the rdist program.
If you have not installed the Kerberos package, install the U210-018
version of this patch. You do NOT need to install the D210-018
version unless you are running Kerberos.
If you are running Kerberos, you should install the D210-018
version of the patch instead of the U210-018 version.
Both versions of the patch install the same binary (/usr/bin/rdist),
so installing the second version of the patch will over-write
whichever was installed first.
THE D210-018 VERSION OF THIS PATCH IS FOR THE KERBEROS PACKAGE
FROM THE DOMESTIC FLOPPY. IT CONTAINS DES CODE AND MAY NOT BE
LEGALLY EXPORTED FROM THE UNITED STATES WITHOUT A SPECIFIC
LICENSE.
md5 checksum: b2060ec4eb9b18ace4e76bcb9441353f D210-018
md5 checksum: 86005d8bbb67eb737120741bd254d26a U210-018
===================================================================
PATCH:
U210-019
SUMMARY:
This binary patch adds the Squid Internet object cache to
BSD/OS 2.1 systems. Squid can act as both an HTTP proxy
and an HTTP accelerator, providing significant improvements
in HTTP performance as well as reducing unnecessary network
traffic.
Source code is available from:
ftp://ftp.bsdi.com/bsdi/patches/patches-2.1/squid-src.tar.gz
md5 checksum: e845288889e56b109ffb37a5e33ee426 U210-019
md5 checksum: 0fc5968e44c2100d0a3f45dc2334f7b2 squid-src.tar.gz
===================================================================
PATCH:
U210-020
SUMMARY:
This patch changes the ownership of the configuration files
in /var/www/conf to be owned by root rather than www. In
the original configuration (where the configuration files
were owned by www) compromising the www user could allow
unauthorized root access.
md5 checksum: c934f2db8b8d727881d473f00b2fb4b1 U210-020
===================================================================
PATCH:
U210-021
D210-021
SUMMARY:
This patch fixes a vulnerability with rlogin.
THE D210-021 VERSION OF THIS PATCH IS FOR THE KERBEROS PACKAGE
FROM THE DOMESTIC FLOPPY. IT CONTAINS DES CODE AND MAY NOT BE
LEGALLY EXPORTED FROM THE UNITED STATES WITHOUT A SPECIFIC
LICENSE.
md5 checksum: 8b9b66e463715e999a85298fd9a0720b U210-021
md5 checksum: c3e1249337942bf5656b99f5ddbd3267 D210-021
===================================================================
PATCH:
U210-022
SUMMARY:
A security vulnerability exists in bash 1.14.5 which was
shipped with BSD/OS 2.1. This patch replaces that version with
batch 1.14.7
md5 checksum: 1d6ea7a97e27f45967e762916e0e5aea U210-022
===================================================================
PATCH:
U210-023
SUMMARY:
A security vulnerability exists in the Xt library distributed
with BSD/OS 2.1. This vulnerability can and has been exploited
via setuid-root programs such as xterm. The enclosed replacements
for the shared and un-shared Xt libraries fixes the problem
md5 checksum: 15abd9a9c072097ec9be53398ceb7c70 U210-023
===================================================================
PATCH:
U210-024
SUMMARY:
This patch updates sendmail to the official 8.7.6 release which
fixes some security problems from previous versions including
those in the CA-96.20 CERT advisory and a recent Bugtraq posting.
md5 checksum: baa7f3139d40c95f42f4f30725339314 U210-024
===================================================================
PATCH:
U210-025
SUMMARY:
This patch should be installed in conjunction with IP source
address check and IP fragmentation queue limit patch
(K210-021) and SYN flooding patch (K210-022).
The /usr/sbin/netstat and /usr/sbin/sysctl binaries have been
updated to monitor and configure the kernel security patches
mentioned above. Both of these binaries can be run in
conjunction with a kernel that does not have the above two
patches installed. The only side-effect will be that the new
/usr/sbin/netstat will display garbage for the new counters.
The /usr/sbin/inetd binary has been updated to add the -u
option which provides limited UDP source port checking.
By default the new version of inetd will ignore requests
to internal services which appear to come from internal
services (to eliminate the loops which have been the source
of some attacks). See the manual page inetd(8) for
more information.
md5 checksum: d2ee01238ab6040e9b7a1bd2c3bf1016 U210-025
===================================================================
PATCH:
U210-026
SUMMARY:
This patch fixes a potential security problem in the DNS
lookup code where the library routine was too trusting of data
returned from the remote server.
md5 checksum: d87b9efdf24f73ddef868388ecdf25f0 U210-026
===================================================================
PATCH:
U210-027
SUMMARY:
This patch updates sendmail to the official 8.8.2 release which
fixes some security problems from previous versions.
md5 checksum: 6aa1980f928fdc0cf3e7ec4204e54e2c U210-027
===================================================================
PATCH:
U210-028
SUMMARY:
This patch fixes a buffer overflow problem in lpr which can allow
local users to gain root access. This problem has received
press recently via Bugtraq, and an exploitation script was
recently posted to bsdi-users.
md5 checksum: 2afffb5ac46465a9aa51a7573c8ce639 U210-028
===================================================================
PATCH:
U210-029
SUMMARY:
This patch updates sendmail to the official 8.8.3 release which
fixes some security problems from previous versions (mainly
the "root shell by lying about argv[0] and sending a signal" bug
found by Leshka Zakharoff <leshka@leshka.chuvashia.su> and recently
posted to the bsdi-users@BSDI.COM mailing list).
md5 checksum: 91bf5fc0e88becf494f9b681c892cb53 U210-029
===================================================================
PATCH:
U210-030
SUMMARY:
This patch updates sendmail to the official 8.8.4 release which
fixes some security problems from previous versions (including
those detailed in the recent AUSCERT advisory and in the December
US CERT advisory).
md5 checksum: 9d125ea1705553c769cb3816ad69230c U210-030
===================================================================
PATCH:
U210-031
SUMMARY:
This patch updates cron(8) and crontab(1) to the BSD/OS 3.0 versions
which fixes some security problems from previous versions (including
those detailed in the recent AUSCERT advisory.)
md5 checksum: 512b6929edb96ef46b90ce66f22ff659 U210-031
old md5 checksum: 5590213ab641ff1efe85b596e23f69e9 U210-031.bad
===================================================================
PATCH:
U210-032
SUMMARY:
This patch fixes security problems in the BSD/OS 2.1 release
of the /etc/daily.local and /etc/security scripts.
PLEASE NOTE: As distributed in BSD/OS 2.1, the lines in the
/etc/daily.local script that are being updated by this patch
were commented out. For this reason, if this patch fails to
apply correctly, it is important that you review the patch
and apply the modifications by hand!
PLEASE NOTE: This patch replaces the entire contents of both
the /etc/security (and if present) the /usr/src/etc/security
files. If you have local modifications to these files, you
should review your original files (/etc/security.orig and
/usr/src/etc/security.orig) after applying this patch and add
your local modifications back into the new file.
md5 checksum: a4683ee9aa8416bcb60c44a598bcfc48 U210-032
old md5 checksum: e13d491b6020b440985b7b0bc1331248 U210-032.bad
===================================================================
PATCH:
U210-033
SUMMARY:
This patch fixes a security problem in the BSD/OS 2.1
release of the ftpd utility, as recently reported on
the wu-ftpd mailing list.
md5 checksum: 69f9a990aa60d53e6051a5c64539ae2c U210-033
old md5 checksum: 6c329115058388ea2ddb04f643c00370 U210-033
===================================================================
PATCH:
U210-034
SUMMARY:
This patch fixes a couple of security problems in support routines
used by the BSD/OS 2.1 release version of the adduser and addgroup
programs. Specifically, the new version ensures that the /etc/group
file is not left writable by anyone other than root and it ensures
that the temporary copy of the /etc/master.passwd file is never
readable by anyone other than root (previously it could be read while
adduser was rebuilding the database versions of the password file).
This patch also fixes a problem in rmuser. In the old version,
rmuser could occasionally remove more users than requested if they
had the same UID as the user it was supposed to remove.
md5 checksum: 8e2ff944f23b2bf132b7ac5bf97db94a U210-034
===================================================================
PATCH:
U210-035
SUMMARY:
This patch fixes some security problems the BSD/OS 2.1
version of the talk daemon, /usr/libexec/ntalkd.
md5 checksum: ad84cc180e9e2bdb26c41f4ef6ebf81b U210-035
old md5 checksum: 7d2e6e3d424c6a1d9af4f78d3bea870b U210-035
===================================================================
PATCH:
U210-036
SUMMARY:
This patch updates sendmail to the official 8.8.5 release which
fixes some security problems from previous versions.
md5 checksum: 0137dbc93e7554468930852c28099c3b U210-036
===================================================================
PATCH:
U210-037 (normal version)
D210-037 (kerberos version)
SUMMARY:
This patch fixes a security hole that can allow unauthorized
remote access. In addition to installing this patch, another
way to protect your systems from this attack is to disallow
IP source routed packets from entering your networks. If your
gateway is a BSD/OS system, this can be done via:
/sbin/sysctl -w net.inet.ip.forwsrcrt=0
Note that the kerberized versions of rsh and rlogind are not at
risk to this attack. It is only the use of .rhosts for allowing
access to the system that is at risk.
Most sites should install the U210-037 version. Only sites
who have installed the Kerberos package from the DOMESTIC
floppy should install the D210-037 version of this patch.
The tcpd source change is simply to remove the -DKILL_IP_OPTIONS
option from the CLFLAGS definition in Makefile.defs. This change
is not included in the source patches below.
BSDI would like to thank Oliver Friedrichs and Secure
Networks Inc., for identifying this problem and possible
solutions to it.
md5 checksum: aded511e67e025a21295e15fa5bd7690 U210-037
md5 checksum: 78594e78579f1e26f7023f690f1d3060 D210-037
===================================================================
Mod : U210-038
Submods: U210-038.man U210-038.uobj
Update named and named-xfer to the 4.9.6-REL (latest named 4)
versions. This version fixes some security issues from the
version originally distributed with BSD/OS. This mod does not
include the source (since it is large and requires the update
of the resolver library as well in order to build). The resolver
library (and libc) will be updated in our next release. If you
require the source, the complete BIND 4.9.6-REL package is available
from ftp://ftp.bsdi.com/patches/patches-3.0/bind-4.9.6-REL.tar.gz
or from the official BIND archive sites.
NOTE: the conversion of serial numbers with dots in them changed
between the old and new versions. If you use serial numbers
with dots (e.g., RCS version numbers) as the serial number,
you will probably need to have your secondary servers force
a re-load of your zones. None of the BSDI administration tools
(e.g., config_dns) use dots in version numbers.
md5 checksum: 8ce46cd2d1aff3b294a84ae54e82a824 U210-038
===================================================================
PATCH:
U210-039
SUMMARY:
This patch fixes some security problems the BSD/OS 2.1
version of the amd program, /usr/sbin/amd.
md5 checksum: 1302acafa9c1cd972add8e4b0eea0731 U210-039
===================================================================
PATCH:
U210-040
SUMMARY:
This patch fixes some security problems with metamail as
described in CERT advisory CA-97.14.
md5 checksum: f1c7405a95becf603ff36c3df2536b5f U210-040
===================================================================
PATCH:
U210-041
SUMMARY:
This patch fixes a security problem with the 2.1 version of
the X11 library.
md5 checksum: 666514ad51eccfa38a9aae5d115a59ce U210-041
===================================================================
PATCH:
U210-042
SUMMARY:
This patch fixes some security problems the BSD/OS 2.1
version of the xlock program, /usr/X11R6/bin/xlock, as
described in CERT advisory CA-97.13.
md5 checksum: 2991a2253ba429ef9a1a2fee38db8710 U210-042
===================================================================
PATCH:
U210-043
SUMMARY:
This patch fixes a potential security problem in libtermcap.
md5 checksum: 98c0dfb3c3b1a709109ce8cdc352be81 U210-043
===================================================================
PATCH:
U210-044
SUMMARY:
This patch addresses some security concerns as described in
"SNI-19:BSD lpd vulnerability"
md5 checksum: 30f874a17ee25f14597b1e29b020b4c4 U210-044
===================================================================
PATCH:
U210-045
SUMMARY:
The filter program has some security problems. Since the Elm group
claims it is not supported and will not be in the next release we
delete it now.
md5 checksum: 74e8e166b3d5f5f8b2ca580d08050220 U210-045
===================================================================
ftpパッチサイトへ