libressl/openbsd
CVE History
| CVE | Affected | Published | CVSS v3 | CVSS v2 |
|---|---|---|---|---|
| < 2026-06-18 | 5.3 MEDIUM | — | ||
OpenBSD before commit 6a23123 (2026-06-18) contains an out-of-bounds read vulnerability in the mpls_do_error function within sys/netmpls/mpls_input.c that allows remote attackers to disclose kernel stack memory by sending crafted MPLS frames with 16 labels and no Bottom-of-Stack bit set. | ||||
| <= 7.8 | 4.3 MEDIUM | — | ||
In OpenBSD through 7.8, the slaacd and rad daemons have an infinite loop when they receive a crafted ICMPv6 Neighbor Discovery (ND) option (over a local network) with length zero, because of an "nd_opt_len * 8 - 2" expression with no preceding check for whether nd_opt_len is zero. | ||||
| < 7.5, = 7.5, = 7.6 | 6.5 MEDIUM | — | ||
In OpenBSD 7.6 before errata 006 and OpenBSD 7.5 before errata 015, traffic sent over wg(4) could result in kernel crash. | ||||
| < 7.4, = 7.4 | 7.9 HIGH | — | ||
In OpenBSD 7.4 before errata 014, vmm(4) did not restore GDTR limits properly on Intel (VMX) CPUs. | ||||
| < 7.3, = 7.3, = 7.4 | 7.5 HIGH | — | ||
In OpenBSD 7.4 before errata 006 and OpenBSD 7.3 before errata 020, httpd(8) is vulnerable to a NULL dereference when handling a malformed fastcgi request. | ||||
| < 7.4, = 7.4 | 5 MEDIUM | — | ||
In OpenBSD 7.5 before errata 009 and OpenBSD 7.4 before errata 022, exclude any '/' in readdir name validation to avoid unexpected directory traversal on untrusted file systems. | ||||
| < 7.4, = 7.4, = 7.5 | 9.8 CRITICAL | — | ||
In OpenBSD 7.5 before errata 008 and OpenBSD 7.4 before errata 021, avoid possible mbuf double free in NFS client and server implementation, do not use uninitialized variable in error handling of NFS server. | ||||
| = 6.9 | 5.5 MEDIUM | — | ||
OpenBSD Kernel Multicast Routing Uninitialized Memory Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of OpenBSD Kernel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the implementation of multicast routing. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the kernel. . Was ZDI-CAN-14540. | ||||
| = 6.9 | — | — | ||
OpenBSD Kernel Multicast Routing Uninitialized Memory Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of OpenBSD Kernel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the implementation of multicast routing. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the kernel. . Was ZDI-CAN-16112. | ||||
| <= 7.4 | 9.8 CRITICAL | — | ||
NFS in a BSD derived codebase, as used in OpenBSD through 7.4 and FreeBSD through 14.0-RELEASE, allows remote attackers to execute arbitrary code via a bug that is unrelated to memory corruption. | ||||
| < 7.3, = 7.3 | 7.5 HIGH | — | ||
In OpenBSD 7.3 before errata 016, npppd(8) could crash by a l2tp message which has an AVP (Attribute-Value Pair) with wrong length. | ||||
| < 7.4, = 7.4 | 6.2 MEDIUM | — | ||
In OpenBSD 7.4 before errata 009, a race condition between pf(4)'s processing of packets and expiration of packet states may cause a kernel panic. | ||||
| < 7.3, = 7.3, = 7.4 | 7.5 HIGH | — | ||
In OpenBSD 7.4 before errata 002 and OpenBSD 7.3 before errata 019, a network buffer that had to be split at certain length that could crash the kernel after receiving specially crafted escape sequences. | ||||
| < 7.3, = 7.3 | 5.3 MEDIUM | — | ||
In OpenBGPD before 8.1, incorrect handling of BGP update data (length of path attributes) set by a potentially distant remote actor may cause the system to incorrectly reset a session. This is fixed in OpenBSD 7.3 errata 006. | ||||
| = 7.3 | 5.5 MEDIUM | — | ||
OpenBSD 7.3 before errata 014 is missing an argument-count bounds check in console terminal emulation. This could cause incorrect memory access and a kernel crash after receiving crafted DCS or CSI terminal escape sequences. | ||||
| = 7.2, = 7.3 | 9.8 CRITICAL | — | ||
A double free or use after free could occur after SSL_clear in OpenBSD 7.2 before errata 026 and 7.3 before errata 004, and in LibreSSL before 3.6.3 and 3.7.x before 3.7.3. NOTE: OpenSSL is not affected. | ||||
| < 7.0 | 9.8 CRITICAL | — | ||
x509/x509_verify.c in LibreSSL before 3.4.2, and OpenBSD before 7.0 errata 006, allows authentication bypass because an error for an unverified certificate chain is sometimes discarded. | ||||
| < 7.2 | 5.3 MEDIUM | — | ||
An issue was discovered in x509/x509_verify.c in LibreSSL before 3.6.1, and in OpenBSD before 7.2 errata 001. x509_verify_ctx_add_chain does not store errors that occur during leaf certificate verification, and therefore an incorrect error is returned. This behavior occurs when there is an installed verification callback that instructs the verifier to continue upon detecting an invalid certificate. | ||||
| = 7.2, = 7.1 | 7.8 HIGH | — | ||
ascii_load_sockaddr in smtpd in OpenBSD before 7.1 errata 024 and 7.2 before errata 020, and OpenSMTPD Portable before 7.0.0-portable commit f748277, can abort upon a connection from a local, scoped IPv6 address. | ||||
| = 7.2 | 7.5 HIGH | — | ||
In OpenBSD 7.2, a TCP packet with destination port 0 that matches a pf divert-to rule can crash the kernel. | ||||
| = 6.9, = 7.0 | 7.5 HIGH | 5 MEDIUM | ||
slaacd in OpenBSD 6.9 and 7.0 before 2022-03-22 has an integer signedness error and resultant heap-based buffer overflow triggerable by a crafted IPv6 router advertisement. NOTE: privilege separation and pledge can prevent exploitation. | ||||
| = 7.0, = 6.9 | 7.5 HIGH | 5 MEDIUM | ||
engine.c in slaacd in OpenBSD 6.9 and 7.0 before 2022-02-21 has a buffer overflow triggerable by an IPv6 router advertisement with more than seven nameservers. NOTE: privilege separation and pledge can prevent exploitation. | ||||
| — | 5.5 MEDIUM | 4.3 MEDIUM | ||
x509_constraints_parse_mailbox in lib/libcrypto/x509/x509_constraints.c in LibreSSL through 3.4.0 has a stack-based buffer over-read. When the input exceeds DOMAIN_PART_MAX_LEN, the buffer lacks '\0' termination. | ||||
| = 4.6, = 6.3, = 4.9, = 8.0 | 7.5 HIGH | 5 MEDIUM | ||
It was found in FreeBSD 8.0, 6.3 and 4.9, and OpenBSD 4.6 that a null pointer dereference in ftpd/popen.c may lead to remote denial of service of the ftpd service. | ||||
| = 6.6 | 5.3 MEDIUM | 2.6 LOW | ||
An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration. | ||||
| <= 6.7 | 9.8 CRITICAL | 7.5 HIGH | ||
iked in OpenIKED, as used in OpenBSD through 6.7, allows authentication bypass because ca.c has the wrong logic for checking whether a public key matches. | ||||
| = 5.0 | 7.5 HIGH | 7.8 HIGH | ||
regcomp in the BSD implementation of libc is vulnerable to denial of service due to stack exhaustion. | ||||
| <= 6.6 | 7.8 HIGH | 7.2 HIGH | ||
OpenBSD through 6.6 allows local users to escalate to root because a check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a very small RLIMIT_DATA resource limit. When executing chpass or passwd (which are setuid root), _dl_setup_env in ld.so tries to strip LD_LIBRARY_PATH from the environment, but fails when it cannot allocate memory. Thus, the attacker is able to execute their own library code as root. | ||||
| all versions | 7.4 HIGH | 4.9 MEDIUM | ||
A vulnerability was discovered in Linux, FreeBSD, OpenBSD, MacOS, iOS, and Android that allows a malicious access point, or an adjacent user, to determine if a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine the correct sequence and acknowledgement numbers in use, allowing the bad actor to inject data into the TCP stream. This provides everything that is needed for an attacker to hijack active connections inside the VPN tunnel. | ||||
| all versions | 9.8 CRITICAL | 7.5 HIGH | ||
lib/libc/stdlib/random.c in OpenBSD returns 0 when seeded with 0. | ||||
| = 6.6 | 9.8 CRITICAL | 7.5 HIGH | ||
libc in OpenBSD 6.6 allows authentication bypass via the -schallenge username, as demonstrated by smtpd, ldapd, or radiusd. This is related to gen/auth_subr.c and gen/authenticate.c in libc (and login/login.c and xenocara/app/xenodm/greeter/verify.c). | ||||
| = 6.6 | 7.8 HIGH | 4.6 MEDIUM | ||
xlock in OpenBSD 6.6 allows local users to gain the privileges of the auth group by providing a LIBGL_DRIVERS_PATH environment variable, because xenocara/lib/mesa/src/loader/loader.c mishandles dlopen. | ||||
| = 6.6 | 7.8 HIGH | 4.6 MEDIUM | ||
In OpenBSD 6.6, local users can use the su -L option to achieve any login class (often excluding root) because there is a logic error in the main function in su/su.c. | ||||
| = 6.6 | 7.8 HIGH | 7.2 HIGH | ||
OpenBSD 6.6, in a non-default configuration where S/Key or YubiKey authentication is enabled, allows local users to become root by leveraging membership in the auth group. This occurs because root's file can be written to /etc/skey or /var/db/yubikey, and need not be owned by root. | ||||
| <= 6.5 | 7.5 HIGH | 5 MEDIUM | ||
OpenBSD kernel version <= 6.5 can be forced to create long chains of TCP SACK holes that causes very expensive calls to tcp_sack_option() for every incoming SACK packet which can lead to a denial of service. | ||||
| all versions | — | 7.2 HIGH | ||
The barracudavpn component of the Barracuda VPN Client prior to version 5.0.2.7 for Linux, macOS, and OpenBSD runs as a privileged process and can allow an unprivileged local attacker to load a malicious library, resulting in arbitrary code executing as root. | ||||
| = 6.2, = 6.3 | — | 4.9 MEDIUM | ||
tss_alloc in sys/arch/i386/i386/gdt.c in OpenBSD 6.2 and 6.3 has a Local Denial of Service (system crash) due to incorrect I/O port access control on the i386 architecture. | ||||
| — | — | 5.8 MEDIUM | ||
The int_x509_param_set_hosts function in lib/libcrypto/x509/x509_vpm.c in LibreSSL 2.7.0 before 2.7.1 does not support a certain special case of a zero name length, which causes silent omission of hostname verification, and consequently allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. NOTE: the LibreSSL documentation indicates that this special case is supported, but the BoringSSL documentation does not. | ||||
| <= 6.1 | — | 6.4 MEDIUM | ||
The OpenBSD qsort() function is recursive, and not randomized, an attacker can construct a pathological input array of N elements that causes qsort() to deterministically recurse N/4 times. This allows attackers to consume arbitrary amounts of stack memory and manipulate stack memory to assist in arbitrary code execution attacks. This affects OpenBSD 6.1 and possibly earlier versions. | ||||
| <= 6.1 | — | 7.5 HIGH | ||
A flaw exists in OpenBSD's implementation of the stack guard page that allows attackers to bypass it resulting in arbitrary code execution using setuid binaries such as /usr/bin/at. This affects OpenBSD 6.1 and possibly earlier versions. | ||||
| = 6.0 | — | 7.8 HIGH | ||
httpd in OpenBSD allows remote attackers to cause a denial of service (memory consumption) via a series of requests for a large file using an HTTP Range header. | ||||
| = 5.9, = 5.8 | — | 4.9 MEDIUM | ||
OpenBSD 5.8 and 5.9 allows local users to cause a denial of service (kernel panic) via a large size in a getdents system call. | ||||
| = 5.9, = 5.8 | — | 4.9 MEDIUM | ||
OpenBSD 5.8 and 5.9 allows certain local users with kern.usermount privileges to cause a denial of service (kernel panic) by mounting a tmpfs with a VNOVAL in the (1) username, (2) groupname, or (3) device name of the root node. | ||||
| = 5.9, = 5.8 | — | 4.9 MEDIUM | ||
OpenBSD 5.8 and 5.9 allows certain local users to cause a denial of service (kernel panic) by unmounting a filesystem with an open vnode on the mnt_vnodelist. | ||||
| = 5.9, = 5.8 | — | 4.9 MEDIUM | ||
thrsleep in kern/kern_synch.c in OpenBSD 5.8 and 5.9 allows local users to cause a denial of service (kernel panic) via a crafted value in the tsp parameter of the __thrsleep system call. | ||||
| = 5.9, = 5.8 | — | 4.9 MEDIUM | ||
OpenBSD 5.8 and 5.9 allows local users to cause a denial of service (assertion failure and kernel panic) via a large ident value in a kevent system call. | ||||
| = 5.9, = 5.8 | — | 7.2 HIGH | ||
Integer overflow in the amap_alloc1 function in OpenBSD 5.8 and 5.9 allows local users to execute arbitrary code with kernel privileges via a large size value. | ||||
| = 5.9, = 5.8 | — | 7.2 HIGH | ||
Integer truncation error in the amap_alloc function in OpenBSD 5.8 and 5.9 allows local users to execute arbitrary code with kernel privileges via a large size value. | ||||
| = 5.9, = 5.8 | — | 4.9 MEDIUM | ||
The mmap extension __MAP_NOFAULT in OpenBSD 5.8 and 5.9 allows attackers to cause a denial of service (kernel panic and crash) via a large size value. | ||||
| = 5.9, = 5.8 | — | 4.9 MEDIUM | ||
OpenBSD 5.8 and 5.9 allows local users to cause a denial of service (NULL pointer dereference and panic) via a sysctl call with a path starting with 10,9. | ||||
| = 5.9 | — | 4.9 MEDIUM | ||
Integer overflow in the uvm_map_isavail function in uvm/uvm_map.c in OpenBSD 5.9 allows local users to cause a denial of service (kernel panic) via a crafted mmap call, which triggers the new mapping to overlap with an existing mapping. | ||||
| = 5.9 | — | 7.8 HIGH | ||
The sys_thrsigdivert function in kern/kern_sig.c in the OpenBSD kernel 5.9 allows remote attackers to cause a denial of service (panic) via a negative "ts.tv_sec" value. | ||||
| = 3.6 | — | 5 MEDIUM | ||
The TCP stack in 4.3BSD Net/2, as used in FreeBSD 5.4, NetBSD possibly 2.0, and OpenBSD possibly 3.6, does not properly implement the session timer, which allows remote attackers to cause a denial of service (resource consumption) via crafted packets. | ||||
| = 2.8, = 3.1, = 3.3, = 2.0, = 2.9, = 2.4, = 3.6, = 2.7, = 3.2, = 2.1, = 2.2, = 3.5, = 3.4, = 2.6, = 3.0, = 2.3, = 2.5, <= 3.7 | — | 9.3 HIGH | ||
The LZW decompressor in (1) the BufCompressedFill function in fontfile/decompress.c in X.Org libXfont before 1.4.4 and (2) compress/compress.c in 4.3BSD, as used in zopen.c in OpenBSD before 3.8, FreeBSD, NetBSD 4.0.x and 5.0.x before 5.0.3 and 5.1.x before 5.1.1, FreeType 2.1.9, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows context-dependent attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2896. | ||||
| = 4.1, = 3.7, = 2.8, = 3.8, = 4.4, = 3.1, = 3.3, = 2.9, = 4.7, = 4.0, = 3.2, = 4.2, = 2.3, = 2.4, = 3.9, = 3.0, = 4.3, = 2.5, = 4.5, = 2.7, = 2.6, = 2.1, = 2.2, = 3.6, = 3.5, = 4.6, = 2.0, = 3.4, <= 4.8 | — | 5 MEDIUM | ||
Multiple integer overflows in the glob implementation in libc in OpenBSD before 4.9 might allow context-dependent attackers to have an unspecified impact via a crafted string, related to the GLOB_APPEND and GLOB_DOOFFS flags, a different issue than CVE-2011-0418. | ||||
| = 4.8 | — | 4.3 MEDIUM | ||
Stack consumption vulnerability in the fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library before 1.4.3 and the Apache HTTP Server before 2.2.18, and in fnmatch.c in libc in NetBSD 5.1, OpenBSD 4.8, FreeBSD, Apple Mac OS X 10.6, Oracle Solaris 10, and Android, allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via *? sequences in the first argument, as demonstrated by attacks against mod_autoindex in httpd. | ||||
| <= 4.8 | — | 7.2 HIGH | ||
Integer signedness error in the drm_modeset_ctl function in (1) drivers/gpu/drm/drm_irq.c in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 2.6.38 and (2) sys/dev/pci/drm/drm_irq.c in the kernel in OpenBSD before 4.9 allows local users to trigger out-of-bounds write operations, and consequently cause a denial of service (system crash) or possibly have unspecified other impact, via a crafted num_crtcs (aka vb_num) structure member in an ioctl argument. | ||||
| = 4.7 | — | 4 MEDIUM | ||
The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632. | ||||
| = 4.7 | — | 4 MEDIUM | ||
The glob implementation in libc in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, and OpenBSD 4.7, and Libsystem in Apple Mac OS X before 10.6.8, allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632. | ||||
| = 4.4, = 4.5, = 4.6 | — | 4.9 MEDIUM | ||
OpenBSD 4.4, 4.5, and 4.6, when running on an i386 kernel, does not properly handle XMM exceptions, which allows local users to cause a denial of service (kernel panic) via unspecified vectors. | ||||
| = 4.4, = 4.5, = 4.2, = 4.3 | — | 7.8 HIGH | ||
The pf_test_rule function in OpenBSD Packet Filter (PF), as used in OpenBSD 4.2 through 4.5, NetBSD 5.0 before RC3, MirOS 10 and earlier, and MidnightBSD 0.3-current allows remote attackers to cause a denial of service (panic) via crafted IP packets that trigger a NULL pointer dereference during translation, related to an IPv4 packet with an ICMPv6 payload. | ||||
| = 4.5 | — | 6.8 MEDIUM | ||
Array index error in the (1) dtoa implementation in dtoa.c (aka pdtoa.c) and the (2) gdtoa (aka new dtoa) implementation in gdtoa/misc.c in libc, as used in multiple operating systems and products including in FreeBSD 6.4 and 7.2, NetBSD 5.0, OpenBSD 4.5, Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4, K-Meleon 1.5.3, SeaMonkey 1.1.8, and other products, allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large precision value in the format argument to a printf function, which triggers incorrect memory allocation and a heap-based buffer overflow during conversion to a floating-point number. | ||||
| = 4.1, = 3.7, = 2.8, = 3.8, <= 4.4, = 3.1, = 3.3, = 2.9, = 2.1, = 3.6, = 3.5, = 2.7, = 2.2, = 2.3, = 4.0, = 3.9, = 3.2, = 4.3, = 3.0, = 2.0, = 3.4, = 2.6, = 4.2, = 2.4, = 2.5 | — | 4.9 MEDIUM | ||
Integer overflow in the fts_build function in fts.c in libc in (1) OpenBSD 4.4 and earlier and (2) Microsoft Interix 6.0 build 10.0.6030.0 allows context-dependent attackers to cause a denial of service (application crash) via a deep directory tree, related to the fts_level structure member, as demonstrated by (a) du, (b) rm, (c) chmod, and (d) chgrp on OpenBSD; and (e) SearchIndexer.exe on Vista Enterprise. | ||||
| = 4.4, = 4.3 | — | 5 MEDIUM | ||
The aspath_prepend function in rde_attr.c in bgpd in OpenBSD 4.3 and 4.4 allows remote attackers to cause a denial of service (application crash) via an Autonomous System (AS) advertisement containing a long AS path. | ||||
| = 4.1, = 3.8, = 3.7, = 2.8, = 3.3, = 2.1, = 3.1, = 2.2, = 2.9, = *, = 2.5, = 4.2, = 2.0, = 4.0, = 3.9, = 3.2, = 4.3, = 2.4, = 3.6, = 3.5, = 2.7, = 2.6, = 3.0, = 3.4, = current, = 2.3, all versions | — | 7.1 HIGH | ||
The TCP implementation in (1) Linux, (2) platforms based on BSD Unix, (3) Microsoft Windows, (4) Cisco products, and probably other operating systems allows remote attackers to cause a denial of service (connection queue exhaustion) via multiple vectors that manipulate information in the TCP state table, as demonstrated by sockstress. | ||||
| = 4.2, = 4.3 | — | 9.3 HIGH | ||
The IPv6 Neighbor Discovery Protocol (NDP) implementation in (1) FreeBSD 6.3 through 7.1, (2) OpenBSD 4.2 and 4.3, (3) NetBSD, (4) Force10 FTOS before E7.7.1.1, (5) Juniper JUNOS, and (6) Wind River VxWorks 5.x through 6.4 does not validate the origin of Neighbor Discovery messages, which allows remote attackers to cause a denial of service (loss of connectivity) or read private network traffic via a spoofed message that modifies the Forward Information Base (FIB). | ||||
| = 4.3 | — | 7.5 HIGH | ||
ftpd in OpenBSD 4.3, FreeBSD 7.0, NetBSD 4.0, Solaris, and possibly other operating systems interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser. | ||||
| = 4.1, = 4.2 | — | 4.6 MEDIUM | ||
Stack-based buffer overflow in the command_Expand_Interpret function in command.c in ppp (aka user-ppp), as distributed in FreeBSD 6.3 and 7.0, OpenBSD 4.1 and 4.2, and the net/userppp package for NetBSD, allows local users to gain privileges via long commands containing "~" characters. | ||||
| = 2.6, = 2.7, = 2.8, = 2.9, = 3.0, = 3.1, = 3.2, = 3.3, = 3.4, = 3.5, = 3.6, = 3.7, = 3.8, = 3.9, = 4.0, = 4.1, = 4.2 | — | 6.8 MEDIUM | ||
A certain pseudo-random number generator (PRNG) algorithm that uses ADD with 0 random hops (aka "Algorithm A0"), as used in OpenBSD 3.5 through 4.2 and NetBSD 1.6.2 through 4.0, allows remote attackers to guess sensitive values such as (1) DNS transaction IDs or (2) IP fragmentation IDs by observing a sequence of previously generated values. NOTE: this issue can be leveraged for attacks such as DNS cache poisoning, injection into TCP packets, and OS fingerprinting. | ||||
| = 2.6, = 2.7, = 2.8, = 2.9, = 3.0, = 3.1, = 3.2, = 3.3, = 3.4, = 3.5, = 3.6, = 3.7, = 3.8, = 3.9, = 4.0, = 4.1, = 4.2 | — | 6.8 MEDIUM | ||
A certain pseudo-random number generator (PRNG) algorithm that uses XOR and 2-bit random hops (aka "Algorithm X2"), as used in OpenBSD 2.6 through 3.4, Mac OS X 10 through 10.5.1, FreeBSD 4.4 through 7.0, and DragonFlyBSD 1.0 through 1.10.1, allows remote attackers to guess sensitive values such as IP fragmentation IDs by observing a sequence of previously generated values. NOTE: this issue can be leveraged for attacks such as injection into TCP packets and OS fingerprinting. | ||||
| = 2.6, = 2.7, = 2.8, = 2.9, = 3.0, = 3.1, = 3.2, = 3.3, = 3.4, = 3.5, = 3.6, = 3.7, = 3.8, = 3.9, = 4.0, = 4.1, = 4.2 | — | 6.8 MEDIUM | ||
A certain pseudo-random number generator (PRNG) algorithm that uses XOR and 3-bit random hops (aka "Algorithm X3"), as used in OpenBSD 2.8 through 4.2, allows remote attackers to guess sensitive values such as DNS transaction IDs by observing a sequence of previously generated values. NOTE: this issue can be leveraged for attacks such as DNS cache poisoning against OpenBSD's modification of BIND. | ||||
| = 4.1, = 4.2 | — | 7.8 HIGH | ||
The tcp_respond function in netinet/tcp_subr.c in OpenBSD 4.1 and 4.2 allows attackers to cause a denial of service (panic) via crafted TCP packets. NOTE: some of these details are obtained from third party information. | ||||
| = 4.2 | — | 7.8 HIGH | ||
The ip6_check_rh0hdr function in netinet6/ip6_input.c in OpenBSD 4.2 allows attackers to cause a denial of service (panic) via malformed IPv6 routing headers. | ||||
| = 4.1 | — | 4.3 MEDIUM | ||
Cross-site scripting (XSS) vulnerability in cgi-bin/bgplg in the web interface for the BGPD daemon in OpenBSD 4.1 allows remote attackers to inject arbitrary web script or HTML via the cmd parameter. | ||||
| = 4.2 | — | 4.9 MEDIUM | ||
OpenBSD 4.2 allows local users to cause a denial of service (kernel panic) by calling the SIOCGIFRTLABEL IOCTL on an interface that does not have a route label, which triggers a NULL pointer dereference when the return value from the rtlabel_id2name function is not checked. | ||||
| = 4.1, = 4.2, = 4.0 | — | 7.2 HIGH | ||
Stack-based buffer overflow in the cons_options function in options.c in dhcpd in OpenBSD 4.0 through 4.2, and some other dhcpd implementations based on ISC dhcp-2, allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a DHCP request specifying a maximum message size smaller than the minimum IP MTU. | ||||
| all versions | — | 6.2 MEDIUM | ||
Multiple race conditions in the (1) Sudo monitor mode and (2) Sysjail policies in Systrace on NetBSD and OpenBSD allow local users to defeat system call interposition, and consequently bypass access control policy and auditing. | ||||
| = 3.9, = 4.0 | — | 7.8 HIGH | ||
The IPv6 protocol allows remote attackers to cause a denial of service via crafted IPv6 type 0 route headers (IPV6_RTHDR_TYPE_0) that create network amplification between two routers. | ||||
| = 3.9, = 4.0 | — | 3.8 LOW | ||
Integer overflow in the FontFileInitTable function in X.Org libXfont before 20070403 allows remote authenticated users to execute arbitrary code via a long first line in the fonts.dir file, which results in a heap overflow. | ||||
| = 3.9, = 4.0 | — | 8.5 HIGH | ||
Integer overflow in the bdfReadCharacters function in bdfread.c in (1) X.Org libXfont before 20070403 and (2) freetype 2.3.2 and earlier allows remote authenticated users to execute arbitrary code via crafted BDF fonts, which result in a heap overflow. | ||||
| = 3.9, = 4.0 | — | 10 HIGH | ||
Buffer overflow in kern/uipc_mbuf2.c in OpenBSD 3.9 and 4.0 allows remote attackers to execute arbitrary code via fragmented IPv6 packets due to "incorrect mbuf handling for ICMP6 packets." NOTE: this was originally reported as a denial of service. | ||||
| <= 4.0 | — | 5 MEDIUM | ||
OpenBSD before 20070116 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via certain IPv6 ICMP (aka ICMP6) echo request packets. | ||||
| = 3.9, = 4.0 | — | 6 MEDIUM | ||
Unspecified vulnerability in sys/dev/pci/vga_pci.c in the VGA graphics driver for wscons in OpenBSD 3.9 and 4.0, when the kernel is compiled with the PCIAGP option and a non-AGP device is being used, allows local users to gain privileges via unspecified vectors, possibly related to agp_ioctl NULL pointer reference. | ||||
| all versions | — | 6.6 MEDIUM | ||
OpenBSD and NetBSD permit usermode code to kill the display server and write to the X.Org /dev/xf86 device, which allows local users with root privileges to reduce securelevel by replacing the System Management Mode (SMM) handler via a write to an SMRAM address within /dev/xf86 (aka the video card memory-mapped I/O range), and then launching the new handler via a System Management Interrupt (SMI), as demonstrated by a write to Programmed I/O port 0xB2. | ||||
| all versions | — | 4.4 MEDIUM | ||
Integer overflow in banner/banner.c in FreeBSD, NetBSD, and OpenBSD might allow local users to modify memory via a long banner. NOTE: CVE and multiple third parties dispute this issue. Since banner is not setuid, an exploit would not cross privilege boundaries in normal operations. This issue is not a vulnerability | ||||
| = 3.9, = 4.0 | — | 7.2 HIGH | ||
The _dl_unsetenv function in loader.c in the ELF ld.so in OpenBSD 3.9 and 4.0 does not properly remove duplicate environment variables, which allows local users to pass dangerous variables such as LD_PRELOAD to loading processes, which might be leveraged to gain privileges. | ||||
| = 4.0 | — | 4.9 MEDIUM | ||
The kernel in FreeBSD 6.1 and OpenBSD 4.0 allows local users to cause a denial of service via unspecified vectors involving certain ioctl requests to /dev/crypto. | ||||
| = 3.8, = 3.9 | — | 4.6 MEDIUM | ||
Integer overflow in the systrace_preprepl function (STRIOCREPLACE) in systrace in OpenBSD 3.9 and NetBSD 3 allows local users to cause a denial of service (crash), gain privileges, or read arbitrary kernel memory via large numeric arguments to the systrace ioctl. | ||||
| = 3.8, = 3.9 | — | 5 MEDIUM | ||
isakmpd in OpenBSD 3.8, 3.9, and possibly earlier versions, creates Security Associations (SA) with a replay window of size 0 when isakmpd acts as a responder during SA negotiation, which allows remote attackers to replay IPSec packets and bypass the replay protection. | ||||
| = 3.8, = 3.9 | — | 4.9 MEDIUM | ||
OpenBSD 3.8, 3.9, and possibly earlier versions allows context-dependent attackers to cause a denial of service (kernel panic) by allocating more semaphores than the default. | ||||
| = 3.8, = 3.9 | — | 10 HIGH | ||
Buffer overflow in the sppp driver in FreeBSD 4.11 through 6.1, NetBSD 2.0 through 4.0 beta before 20060823, and OpenBSD 3.8 and 3.9 before 20060902 allows remote attackers to cause a denial of service (panic), obtain sensitive information, and possibly execute arbitrary code via crafted Link Control Protocol (LCP) packets with an option length that exceeds the overall length, which triggers the overflow in (1) pppoe and (2) ippp. NOTE: this issue was originally incorrectly reported for the ppp driver. | ||||
| = 3.7, = 3.8 | — | 4.6 MEDIUM | ||
The dupfdopen function in sys/kern/kern_descrip.c in OpenBSD 3.7 and 3.8 allows local users to re-open arbitrary files by using setuid programs to access file descriptors using /dev/fd/. | ||||
| <= 3.8 | — | 4.3 MEDIUM | ||
The securelevels implementation in FreeBSD 7.0 and earlier, OpenBSD up to 3.8, DragonFly up to 1.2, and Linux up to 2.6.15 allows root users to bypass immutable settings for files by mounting another filesystem that masks the immutable files while the system is running. | ||||
| = 3.0, = 3.1, = 3.2, = 3.3, = 3.4, = 3.5, = 3.6 | — | 5 MEDIUM | ||
Multiple TCP implementations with Protection Against Wrapped Sequence Numbers (PAWS) with the timestamps option enabled allow remote attackers to cause a denial of service (connection loss) via a spoofed packet with a large timer value, which causes the host to discard later packets because they appear to be too old. | ||||
| = 3.6, = 3.5 | — | 5 MEDIUM | ||
The copy functions in locore.s such as copyout in OpenBSD 3.5 and 3.6, and possibly other BSD based operating systems, may allow attackers to exceed certain address boundaries and modify kernel memory. | ||||
| = 3.6, = 3.5 | — | 5 MEDIUM | ||
Multiple vulnerabilities in the SACK functionality in (1) tcp_input.c and (2) tcp_usrreq.c OpenBSD 3.5 and 3.6 allow remote attackers to cause a denial of service (memory exhaustion or system crash). | ||||
| = 2.8, = 3.1, = 3.3, = 2.9, = 2.1, = 2.2, = 2.0, = 2.7, = 3.2, = 2.6, = 3.4, = 3.5, = 3.6, = 2.4, = 2.3, = 2.5, = 3.0 | — | 5 MEDIUM | ||
The TCP stack (tcp_input.c) in OpenBSD 3.5 and 3.6 allows remote attackers to cause a denial of service (system panic) via crafted values in the TCP timestamp option, which causes invalid arguments to be used when calculating the retransmit timeout. | ||||
| = 3.2, = 3.5, = 3.4 | — | 7.5 HIGH | ||
login_radius on OpenBSD 3.2, 3.5, and possibly other versions does not verify the shared secret in a response packet from a RADIUS server, which allows remote attackers to bypass authentication by spoofing server replies. | ||||
| = 3.3, = 3.4 | — | 7.5 HIGH | ||
OpenBSD 3.3 and 3.4 does not properly parse Accept and Deny rules without netmasks on big-endian 64-bit platforms such as SPARC64, which may allow remote attackers to bypass access restrictions. | ||||
| = 3.6, = 3.5, = 3.4 | — | 2.1 LOW | ||
Heap-based buffer overflow in isakmpd on OpenBSD 3.4 through 3.6 allows local users to cause a denial of service (panic) and corrupt memory via IPSEC credentials on a socket. | ||||
| = 3.4, = 3.5, = current | — | 7.1 HIGH | ||
Format string vulnerability in wrapper.c in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16 allows remote attackers with CVSROOT commit access to cause a denial of service (application crash) and possibly execute arbitrary code via format string specifiers in a wrapper line. | ||||
| = 3.1, = 3.3, = 3.2, = 3.0, = 3.4 | — | 7.5 HIGH | ||
PF in certain OpenBSD versions, when stateful filtering is enabled, does not limit packets for a session to the original interface, which allows remote attackers to bypass intended packet filters via spoofed packets to other interfaces. | ||||
| = 3.1, = 3.3, = 3.2, = 3.0, = 3.4 | — | 5 MEDIUM | ||
OpenBSD 3.4 and NetBSD 1.6 and 1.6.1 allow remote attackers to cause a denial of service (crash) by sending an IPv6 packet with a small MTU to a listening port and then issuing a TCP connect to that port. | ||||
| = 3.3, = 3.4 | — | 5 MEDIUM | ||
The SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that causes an out-of-bounds read. | ||||
| = 3.3, = 3.4 | — | 5 MEDIUM | ||
OpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool. | ||||
| = 3.3, = 3.4 | 7.5 HIGH | 5 MEDIUM | ||
The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference. | ||||
| = 3.5, = 3.4 | — | 7.5 HIGH | ||
Multiple stack-based buffer overflows in (1) xpmParseColors in parse.c, (2) ParseAndPutPixels in create.c, and (3) ParsePixels in parse.c for libXpm before 6.8.1 allow remote attackers to execute arbitrary code via a malformed XPM image file. | ||||
| = 3.5, = 3.4 | — | 7.5 HIGH | ||
Multiple integer overflows in (1) the xpmParseColors function in parse.c, (2) XpmCreateImageFromXpmImage, (3) CreateXImage, (4) ParsePixels, and (5) ParseAndPutPixels for libXpm before 6.8.1 may allow remote attackers to execute arbitrary code via a malformed XPM image file. | ||||
| = 3.3, = 3.2, = 3.5, = 3.4 | — | 5 MEDIUM | ||
The bridge functionality in OpenBSD 3.4 and 3.5, when running a gateway configured as a bridging firewall with the link2 option for IPSec enabled, allows remote attackers to cause a denial of service (crash) via an ICMP echo (ping) packet. | ||||
| = 3.5, all versions, = 3.4 | — | 10 HIGH | ||
Heap-based buffer overflow in proxy_util.c for mod_proxy in Apache 1.3.25 to 1.3.31 allows remote attackers to cause a denial of service (process crash) and possibly execute arbitrary code via a negative Content-Length HTTP header field, which causes a large amount of data to be copied. | ||||
| = 3.5, all versions, = 3.4 | — | 10 HIGH | ||
serve_notify in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle empty data lines, which may allow remote attackers to perform an "out-of-bounds" write for a single byte to execute arbitrary code or modify critical program data. | ||||
| = 3.5, all versions, = 3.4 | — | 5 MEDIUM | ||
Integer overflow in the "Max-dotdot" CVS protocol command (serve_max_dotdot) for CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to cause a server crash, which could cause temporary data to remain undeleted and consume disk space. | ||||
| = 3.5, all versions, = 3.4 | — | 10 HIGH | ||
Double free vulnerability for the error_prog_name string in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to execute arbitrary code. | ||||
| = 3.5, all versions, = 3.4 | — | 10 HIGH | ||
CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle malformed "Entry" lines, which prevents a NULL terminator from being used and may lead to a denial of service (crash), modification of critical program data, or arbitrary code execution. | ||||
| = 3.5, = 3.4 | — | 4.6 MEDIUM | ||
Multiple integer overflows in (1) procfs_cmdline.c, (2) procfs_fpregs.c, (3) procfs_linux.c, (4) procfs_regs.c, (5) procfs_status.c, and (6) procfs_subr.c in procfs for OpenBSD 3.5 and earlier allow local users to read sensitive kernel memory and possibly perform other unauthorized activities. | ||||
| <= 3.4 | — | 5 MEDIUM | ||
Multiple memory leaks in isakmpd in OpenBSD 3.4 and earlier allow remote attackers to cause a denial of service (memory exhaustion) via certain ISAKMP packets, as demonstrated by the Striker ISAKMP Protocol Test Suite. | ||||
| <= 3.4 | — | 5 MEDIUM | ||
isakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with a delete payload containing a large number of SPIs, which triggers an out-of-bounds read error, as demonstrated by the Striker ISAKMP Protocol Test Suite. | ||||
| <= 3.4 | — | 10 HIGH | ||
isakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a denial of service via an ISAKMP packet with a malformed Cert Request payload, which causes an integer underflow that is used in a malloc operation that is not properly handled, as demonstrated by the Striker ISAKMP Protocol Test Suite. | ||||
| <= 3.4 | — | 5 MEDIUM | ||
isakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with a malformed IPSEC SA payload, as demonstrated by the Striker ISAKMP Protocol Test Suite. | ||||
| <= 3.4 | — | 5 MEDIUM | ||
isakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a denial of service (infinite loop) via an ISAKMP packet with a zero-length payload, as demonstrated by the Striker ISAKMP Protocol Test Suite. | ||||
| = 3.3, = 3.4 | — | 5 MEDIUM | ||
FreeBSD 5.1 and earlier, and Mac OS X before 10.3.4, allows remote attackers to cause a denial of service (resource exhaustion of memory buffers and system crash) via a large number of out-of-sequence TCP packets, which prevents the operating system from creating new connections. | ||||
| <= 2.6 | — | 4.6 MEDIUM | ||
The shmat system call in the System V Shared Memory interface for FreeBSD 5.2 and earlier, NetBSD 1.3 and earlier, and OpenBSD 2.6 and earlier, does not properly decrement a shared memory segment's reference count when the vm_map_find function fails, which could allow local users to gain read or write access to a portion of kernel memory and gain privileges. | ||||
| = 3.3, = 3.4 | — | 7.2 HIGH | ||
Multiple unknown vulnerabilities in XFree86 4.1.0 to 4.3.0, related to improper handling of font files, a different set of vulnerabilities than CVE-2004-0083 and CVE-2004-0084. | ||||
| = 3.3, = 3.4 | — | 10 HIGH | ||
Buffer overflow in the ReadFontAlias function in XFree86 4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows local or remote authenticated users to execute arbitrary code via a malformed entry in the font alias (font.alias) file, a different vulnerability than CVE-2004-0083 and CVE-2004-0106. | ||||
| = 3.3, = 3.4 | — | 10 HIGH | ||
Buffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to execute arbitrary code via a font alias file (font.alias) with a long token, a different vulnerability than CVE-2004-0084 and CVE-2004-0106. | ||||
| = 3.5, = current, = 3.4 | — | 7.5 HIGH | ||
mod_digest_apple for Apache 1.3.31 and 1.3.32 on Mac OS X Server does not properly verify the nonce of a client response, which allows remote attackers to replay credentials. | ||||
| = 2.8, = 3.1, = 2.9, = 2.1, = 2.2, = 2.0, = 2.7, = 3.2, = 2.4, = 2.3, = 3.0, = 2.5, = 2.6 | — | 3.3 LOW | ||
chpass in OpenBSD 2.0 through 3.2 allows local users to read portions of arbitrary files via a hard link attack on a temporary file used to store user database information. | ||||
| = 3.3, = 3.4 | — | 4.6 MEDIUM | ||
OpenBSD kernel 3.3 and 3.4 allows local users to cause a denial of service (kernel panic) and possibly execute arbitrary code in 3.4 via a program with an invalid header that is not properly handled by (1) ibcs2_exec.c in the iBCS2 emulation (compat_ibcs2) or (2) exec_elf.c, which leads to a stack-based buffer overflow. | ||||
| = 3.3, = 3.2, = 3.4 | — | 5 MEDIUM | ||
The arplookup function in FreeBSD 5.1 and earlier, Mac OS X before 10.2.8, and possibly other BSD-based systems, allows remote attackers on a local subnet to cause a denial of service (resource starvation and panic) via a flood of spoofed ARP requests. | ||||
| = 3.2 | — | 5 MEDIUM | ||
The DNS map code in Sendmail 8.12.8 and earlier, when using the "enhdnsbl" feature, does not properly initialize certain data structures, which allows remote attackers to cause a denial of service (process crash) via an invalid DNS response that causes Sendmail to free incorrect data. | ||||
| = 3.3, = 3.2 | — | 7.5 HIGH | ||
A "potential buffer overflow in ruleset parsing" for Sendmail 8.12.9, when using the nonstandard rulesets (1) recipient (2), final, or (3) mailer-specific envelope recipients, has unknown consequences. | ||||
| = 2.8, = 2.2, = 3.1, = 3.3, = 2.0, = 2.1, = 2.9, = 2.7, = 2.3, = 3.2, = 2.4, = 2.5, = 3.0, = 2.6, >= 2.0, <= 3.3 | 9.8 CRITICAL | 10 HIGH | ||
Off-by-one error in the fb_realpath() function, as derived from the realpath function in BSD, may allow attackers to execute arbitrary code, as demonstrated in wu-ftpd 2.5.0 through 2.6.2 via commands that cause pathnames of length MAXPATHLEN+1 to trigger a buffer overflow, including (1) STOR, (2) RETR, (3) APPE, (4) DELE, (5) MKD, (6) RMD, (7) STOU, or (8) RNTO. | ||||
| = 3.1, = 3.0 | — | 7.2 HIGH | ||
Integer signedness error in select() on OpenBSD 3.1 and earlier allows local users to overwrite arbitrary kernel memory via a negative value for the size parameter, which satisfies the boundary check as a signed integer, but is later used as an unsigned integer during a data copying operation. | ||||
| = 2.8, = 3.1, = 2.9, = 2.1, = 2.2, = 2.4, = 2.5, = 2.6, = 2.7, = 2.3, = 3.2, = 2.0, = 3.0 | — | 7.2 HIGH | ||
Buffer overflow in the lprm command in the lprold lpr package on SuSE 7.1 through 7.3, OpenBSD 3.2 and earlier, and possibly other operating systems, allows local users to gain root privileges via long command line arguments such as (1) request ID or (2) user name. | ||||
| = 2.8, = 3.1, = 2.1, = 2.9, = 2.2, = 2.3, = 2.4, = 3.2, = 2.0, = 3.0, = 2.5, = 2.6, = 2.7 | — | 7.5 HIGH | ||
Integer overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, glibc, and dietlibc, allows remote attackers to execute arbitrary code via certain integer values in length fields, a different vulnerability than CVE-2002-0391. | ||||
| = 3.1, = 3.2 | — | 5 MEDIUM | ||
ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before 0.9.6i does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the "Vaudenay timing attack." | ||||
| = 3.1, = 2.9, = 3.2, = 3.0 | — | 2.1 LOW | ||
syslogd on OpenBSD 2.9 through 3.2 does not change the source IP address of syslog packets when the machine's IP addressed is changed without rebooting, e.g. via ifconfig, which can cause incorrect information to be sent to the syslog server. | ||||
| = 3.1 | — | 5.1 MEDIUM | ||
isakmpd/message.c in isakmpd in FreeBSD before isakmpd-20020403_1, and in OpenBSD 3.1, allows remote attackers to cause a denial of service (crash) by sending Internet Key Exchange (IKE) payloads out of sequence. | ||||
| = 3.1, = 3.0 | — | 4.9 MEDIUM | ||
OpenBSD before 3.2 allows local users to cause a denial of service (kernel crash) via a call to getrlimit(2) with invalid arguments, possibly due to an integer signedness error. | ||||
| = 2.8, = 3.1, = 2.9, = 2.1, = 2.2, = 2.0, = 2.7, = 2.4, = 3.0, = 2.5, = 2.6, = 2.3 | — | 6.8 MEDIUM | ||
The setitimer(2) system call in OpenBSD 2.0 through 3.1 does not properly check certain arguments, which allows local users to write to kernel memory and possibly gain root privileges, possibly via an integer signedness error. | ||||
| = 2.8, = 2.7, = 2.0, = 2.9, = 2.1, = 2.2, = 2.6, = 2.4, = 2.5, = 2.3, = 3.0 | — | 3.7 LOW | ||
Race condition in exec in OpenBSD 4.0 and earlier, NetBSD 1.5.2 and earlier, and FreeBSD 4.4 and earlier allows local users to gain privileges by attaching a debugger to a process before the kernel has determined that the process is setuid or setgid. | ||||
| = 2.8, = 3.1, = 2.1, = 2.0, = 2.2, = 2.7, = 2.9, = 2.3, = 2.4, = 2.5, = 2.6, = 3.0 | 5.5 MEDIUM | 2.1 LOW | ||
tip on multiple BSD-based operating systems allows local users to cause a denial of service (execution prevention) by using flock() to lock the /var/log/acculog file. | ||||
| = 3.0 | — | 5 MEDIUM | ||
Directory traversal vulnerabilities in multiple FTP clients on UNIX systems allow remote malicious FTP servers to create or overwrite files as the client user via filenames containing /absolute/path or .. (dot dot) sequences. | ||||
| = 3.1, = 3.2, = 3.0 | — | 5 MEDIUM | ||
BIND 8.x through 8.3.3 allows remote attackers to cause a denial of service (crash) via SIG RR elements with invalid expiry times, which are removed from the internal BIND database and later cause a null dereference. | ||||
| = 3.1, = 3.2, = 3.0 | — | 5 MEDIUM | ||
BIND 8.3.x through 8.3.3 allows remote attackers to cause a denial of service (termination due to assertion failure) via a request for a subdomain that does not exist, with an OPT resource record with a large UDP payload size. | ||||
| = 3.1, = 3.2, = 3.0 | — | 7.5 HIGH | ||
Buffer overflow in named in BIND 4 versions 4.9.10 and earlier, and 8 versions 8.3.3 and earlier, allows remote attackers to execute arbitrary code via a certain DNS server response containing SIG resource records (RR). | ||||
| = 3.1, = 2.9, = 3.0 | — | 7.2 HIGH | ||
OpenBSD 2.9 through 3.1 allows local users to cause a denial of service (resource exhaustion) and gain root privileges by filling the kernel's file descriptor table and closing file descriptors 0, 1, or 2 before executing a privileged process, which is not properly handled when OpenBSD fails to open an alternate descriptor. | ||||
| = 3.1 | — | 7.5 HIGH | ||
sshd in OpenSSH 3.2.2, when using YP with netgroups and under certain conditions, may allow users to successfully authenticate and log in with another user's password. | ||||
| = 3.0 | — | 5 MEDIUM | ||
PF in OpenBSD 3.0 with the return-rst rule sets the TTL to 128 in the RST packet, which allows remote attackers to determine if a port is being filtered because the TTL is different than the default TTL. | ||||
| = 2.7, = 2.6 | — | 7.5 HIGH | ||
KAME-derived implementations of IPsec on NetBSD 1.5.2, FreeBSD 4.5, and other operating systems, does not properly consult the Security Policy Database (SPD), which could cause a Security Gateway (SG) that does not use Encapsulating Security Payload (ESP) to forward forged IPv4 packets. | ||||
| = 3.1 | 9.8 CRITICAL | 10 HIGH | ||
Integer overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd. | ||||
| = 2.7 | — | 7.2 HIGH | ||
Format string vulnerability in startprinting() function of printjob.c in BSD-based lpr lpd package may allow local users to gain privileges via an improper syslog call that uses format strings from the checkremote() call. | ||||
| all versions | — | 2.1 LOW | ||
ktrace in BSD-based operating systems allows the owner of a process with special privileges to trace the process after its privileges have been lowered, which may allow the owner to obtain sensitive information that the process obtained while it was running with the extra privileges. | ||||
| = 2.1, = 2.2, = 2.0, = 2.3 | — | 7.2 HIGH | ||
FreeBSD 4.5 and earlier, and possibly other BSD-based operating systems, allows local users to write to or read from restricted files by closing the file descriptors 0 (standard input), 1 (standard output), or 2 (standard error), which may then be reused by a called setuid process that intended to perform I/O on normal files. | ||||
| = 3.0 | — | 7.5 HIGH | ||
Vulnerability in OpenBSD 3.0, when using YP with netgroups in the password database, causes (1) rexec or (2) rsh to run another user's shell, or (3) atrun to change to a different user's directory, possibly due to memory allocation failures or an incorrect call to auth_approval(). | ||||
| = 2.9, = 3.0 | — | 7.2 HIGH | ||
mail in OpenBSD 2.9 and 3.0 processes a tilde (~) escape character in a message even when it is not in interactive mode, which could allow local users to gain root privileges via calls to mail in cron. | ||||
| all versions | — | 5 MEDIUM | ||
The TCP implementation in various BSD operating systems (tcp_input.c) does not properly block connections to broadcast addresses, which could allow remote attackers to bypass intended filters via packets with a unicast link layer address and an IP broadcast address. | ||||
| = 2.9, = 3.0 | 5.5 MEDIUM | 2.1 LOW | ||
The uipc system calls (uipc_syscalls.c) in OpenBSD 2.9 and 3.0 provide user mode return instead of versus rval kernel mode values to the fdrelease function, which allows local users to cause a denial of service and trigger a null dereference. | ||||
| = 2.9, = 3.0 | — | 4.6 MEDIUM | ||
vi.recover in OpenBSD before 3.1 allows local users to remove arbitrary zero-byte files such as device nodes. | ||||
| all versions | — | 7.5 HIGH | ||
Buffer overflow in BSD line printer daemon (in.lpd or lpd) in various BSD-based operating systems allows remote attackers to execute arbitrary code via an incomplete print job followed by a request to display the printer queue. | ||||
| <= 2.9 | — | 6.2 MEDIUM | ||
fts routines in FreeBSD 4.3 and earlier, NetBSD before 1.5.2, and OpenBSD 2.9 and earlier can be forced to change (chdir) into a different directory than intended when the directory above the current directory is moved, which could cause scripts to perform dangerous actions on the wrong directories. | ||||
| = 2.8, = 2.0, = 2.1, = 2.2, = 2.7, = 2.4, = 2.6, = 2.3, = 2.5 | — | 10 HIGH | ||
Buffer overflow in BSD-based telnetd telnet daemon on various operating systems allows remote attackers to execute arbitrary commands via a set of options including AYT (Are You There), which is not properly handled by the telrcv function. | ||||
| = 2.8, = 2.9 | — | 5 MEDIUM | ||
Multiple TCP implementations could allow remote attackers to cause a denial of service (bandwidth and CPU exhaustion) by setting the maximum segment size (MSS) to a very small number and requesting large amounts of data, which generates more packets with less TCP-level data that amplify network traffic and consume more server CPU to process. | ||||
| <= 2.8 | — | 2.1 LOW | ||
readline prior to 4.1, in OpenBSD 2.8 and earlier, creates history files with insecure permissions, which allows a local attacker to recover potentially sensitive information via readline history files. | ||||
| = 2.8, = 2.4, = 2.7, = 2.5, = 2.3, = 2.6 | — | 10 HIGH | ||
Buffer overflows in BSD-based FTP servers allows remote attackers to execute arbitrary commands via a long pattern string containing a {} sequence, as seen in (1) g_opendir, (2) g_lstat, (3) g_stat, and (4) the glob0 buffer as used in the glob functions glob2 and glob3. | ||||
| = 2.8 | — | 7.5 HIGH | ||
IPFilter 3.4.16 and earlier does not include sufficient session information in its cache, which allows remote attackers to bypass access restrictions by sending fragmented packets to a restricted port after sending unfragmented packets to an unrestricted port. | ||||
| = 2.8, = 2.9, = 2.7, = 2.6 | — | 1.2 LOW | ||
Race condition in OpenBSD VFS allows local users to cause a denial of service (kernel panic) by (1) creating a pipe in one thread and causing another thread to set one of the file descriptors to NULL via a close, or (2) calling dup2 on a file descriptor in one process, then setting the descriptor to NULL via a close in another process that is created via rfork. | ||||
| <= 2.8 | — | 10 HIGH | ||
Buffer overflow in IPSEC authentication mechanism for OpenBSD 2.8 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a malformed Authentication header (AH) IPv4 option. | ||||
| <= 2.8 | — | 7.2 HIGH | ||
The i386_set_ldt system call in NetBSD 1.5 and earlier, and OpenBSD 2.8 and earlier, when the USER_LDT kernel option is enabled, does not validate a call gate target, which allows local users to gain root privileges by creating a segment call gate in the Local Descriptor Table (LDT) with a target that specifies an arbitrary kernel address. | ||||
| = 2.4 | — | 5 MEDIUM | ||
IP fragment assembly in OpenBSD 2.4 allows a remote attacker to cause a denial of service by sending a large number of fragmented packets. | ||||
| = 2.4 | — | 2.1 LOW | ||
The i386 trace-trap handling in OpenBSD 2.4 with DDB enabled allows a local user to cause a denial of service. | ||||
| = 2.6 | — | 4.6 MEDIUM | ||
Vulnerability in OpenBSD 2.6 allows a local user to change interface media configurations. | ||||
| = 2.5 | — | 7.2 HIGH | ||
cron in OpenBSD 2.5 allows local users to gain root privileges via an argv[] that is not NULL terminated, which is passed to cron's fake popen function. | ||||
| = 2.8, = 2.7, = 2.4, = 2.6, = 2.5 | — | 10 HIGH | ||
One-byte buffer overflow in replydirname function in BSD-based ftpd allows remote attackers to gain root privileges. | ||||
| = 2.7, = 2.4, = 2.6, = 2.5, = 2.3 | — | 7.2 HIGH | ||
Format string vulnerabilities in eeprom program in OpenBSD, NetBSD, and possibly other operating systems allows local attackers to gain root privileges. | ||||
| = 2.7, = 2.4, = 2.6, = 2.5, = 2.3 | — | 7.2 HIGH | ||
Format string vulnerability in OpenBSD fstat program (and possibly other BSD-based operating systems) allows local users to gain root privileges via the PWD environmental variable. | ||||
| = 2.7, = 2.4, = 2.5, = 2.6, = 2.3 | — | 7.2 HIGH | ||
Format string vulnerability in pw_error function in BSD libutil library allows local users to gain root privileges via a malformed password in commands such as chpass or passwd. | ||||
| = 2.7 | — | 5 MEDIUM | ||
The IPSEC implementation in OpenBSD 2.7 does not properly handle empty AH/ESP packets, which allows remote attackers to cause a denial of service. | ||||
| = 2.1, = 2.2, = 2.0, = 2.4, = 2.6, = 2.5, = 2.3 | — | 5 MEDIUM | ||
OpenBSD 2.6 and earlier allows remote attackers to cause a denial of service by flooding the server with ARP requests. | ||||
| all versions | — | 7.2 HIGH | ||
Format string vulnerability in OpenBSD yp_passwd program (and possibly other BSD-based operating systems) allows attackers to gain root privileges a malformed name. | ||||
| all versions | — | 7.2 HIGH | ||
Format string vulnerability in OpenBSD su program (and possibly other BSD-based operating systems) allows local attackers to gain root privileges via a malformed shell. | ||||
| = 2.7, = 2.4, = 2.6, = 2.5, = 2.3 | — | 4.6 MEDIUM | ||
Format string vulnerability in OpenBSD photurisd allows local users to execute arbitrary commands via a configuration file directory name that contains formatting characters. | ||||
| = 2.7, = 2.4, = 2.6, = 2.5, = 2.3 | — | 10 HIGH | ||
Format string vulnerability in talkd in OpenBSD and possibly other BSD-based OSes allows remote attackers to execute arbitrary commands via a user name that contains format characters. | ||||
| = 2.7, = 2.4, = 2.6, = 2.5 | — | 7.5 HIGH | ||
Buffer overflow in mopd (Maintenance Operations Protocol loader daemon) allows remote attackers to execute arbitrary commands via a long file name. | ||||
| = 2.7, = 2.4, = 2.6, = 2.5 | — | 7.5 HIGH | ||
mopd (Maintenance Operations Protocol loader daemon) does not properly cleanse user-injected format strings, which allows remote attackers to execute arbitrary commands. | ||||
| = 2.6 | — | 6.2 MEDIUM | ||
The BSD make program allows local users to modify files via a symlink attack when the -j option is being used. | ||||
| = 2.3, = 2.4 | — | 5 MEDIUM | ||
ip_input.c in BSD-derived TCP/IP implementations allows remote attackers to cause a denial of service (crash or hang) via crafted packets. | ||||
| = 2.7, = 2.5, = 2.6 | — | 2.1 LOW | ||
FreeBSD, NetBSD, and OpenBSD allow an attacker to cause a denial of service by creating a large number of socket pairs using the socketpair function, setting a large buffer size via setsockopt, then writing large buffers. | ||||
| = 2.5 | — | 4.6 MEDIUM | ||
Buffer overflow in OpenBSD procfs and fdescfs file systems via uio_offset in the readdir() function. | ||||
| = 2.1, = 2.0, = 2.2, = 2.4, = 2.3, = 2.5 | — | 7.2 HIGH | ||
The BSD profil system call allows a local user to modify the internal data space of a program via profiling and execve. | ||||
| = 2.5 | — | 5 MEDIUM | ||
A kernel leak in the OpenBSD kernel allows IPsec packets to be sent unencrypted. | ||||
| = 2.5 | — | 3.6 LOW | ||
OpenBSD, BSDI, and other Unix operating systems allow users to set chflags and fchflags on character and block devices. | ||||
| = 2.4 | — | 5 MEDIUM | ||
Denial of service in "poll" in OpenBSD. | ||||
| all versions | — | 5 MEDIUM | ||
OpenBSD kernel crash through TSS handling, as caused by the crashme program. | ||||
| all versions | — | 2.1 LOW | ||
OpenBSD crash using nlink value in FFS and EXT2FS filesystems. | ||||
| all versions | — | 2.1 LOW | ||
Buffer overflow in OpenBSD ping. | ||||
| = 2.4 | — | 2.6 LOW | ||
Remote attackers can cause a system crash through ipintr() in ipq in OpenBSD. | ||||
| = 2.4 | — | 2.6 LOW | ||
A race condition between the select() and accept() calls in NetBSD TCP servers allows remote attackers to cause a denial of service. | ||||
| = 2.4, = 2.3 | — | 10 HIGH | ||
Buffer overflow in bootpd on OpenBSD, FreeBSD, and Linux systems via a malformed header type. | ||||
| = 2.2, = 2.4, = 2.3 | 7.5 HIGH | 5 MEDIUM | ||
IP fragmentation denial of service in FreeBSD allows a remote attacker to cause a crash. | ||||
| = 2.3 | — | 7.2 HIGH | ||
The chpass command in OpenBSD allows a local user to gain root access through file descriptor leakage. | ||||
| = 2.1, = 2.2 | — | 4.6 MEDIUM | ||
Buffer overflow in BNU UUCP daemon (uucpd) through long hostnames. | ||||
| = 2.2 | — | 10 HIGH | ||
FreeBSD mmap function allows users to modify append-only or immutable files. | ||||
| = 2.1, = 2.2, = 2.0 | — | 5 MEDIUM | ||
The system configuration control (sysctl) facility in BSD based operating systems OpenBSD 2.2 and earlier, and FreeBSD 2.2.5 and earlier, does not properly restrict source routed packets even when the (1) dosourceroute or (2) forwarding variables are set, which allows remote attackers to spoof TCP connections. | ||||
| = 2.2 | — | 7.2 HIGH | ||
mmap function in BSD allows local attackers in the kmem group to modify memory through devices. | ||||
| = 2.1 | — | 5.1 MEDIUM | ||
File creation and deletion, and remote execution, in the BSD line printer daemon (lpd). | ||||
| = 2.1 | — | 2.1 LOW | ||
The asynchronous I/O facility in 4.4 BSD kernel does not check user credentials when setting the recipient of I/O notification, which allows local users to cause a denial of service by using certain ioctl and fcntl calls to cause the signal to be sent to an arbitrary process ID. | ||||
| all versions | — | 5 MEDIUM | ||
rpc.mountd on Linux, Ultrix, and possibly other operating systems, allows remote attackers to determine the existence of a file on the server by attempting to mount that file, which generates different error messages depending on whether the file exists or not. | ||||