*************************************************************************

PLEASE, PLEASE, PLEASE READ THIS FILE BEFORE CALLING BSDI AND SAYING
`I CAN'T FTP THIS PATCH'.

IF YOU CANNOT DOWNLOAD A PARTICULAR PATCH OR FILE VIA FTP IT'S PROBABLY
BECAUSE YOU HAVEN'T AUTHENTICATED YOURSELF VIA THE patches@BSDI.COM
SERVER YET AND THE PATCH YOU'RE TRYING TO DOWNLOAD IS AN ENHANCEMENT
RATHER THAN A BUG-FIX. READ THE INFORMATION BELOW!

Sorry for shouting.

Jeff Polk

*************************************************************************

NOTICE:

This server provides access to the official patches for BSD/OS. All
patches are Copyright 1995 Berkeley Software Design, Inc., all rights
reserved. Other copyrights may apply to some patches.

Access to some of these patches is restricted to BSDI customers with
valid update or support contracts.

If you are reading this after obtaining it from the patches@BSDI.COM
mail-back server, you have already been authenticated. You can request
any of these files directly through the email server.

If you wish to access the protected files via ftp, you must first
obtain a group-id/password pair from the patches@BSDI.COM mail-back
server and then enter the appropriate `site group' and `site gpass'
commands before requesting the files from the ftp server. See the help
message from the patches@BSDI.COM mail-back server for more
information. Send an empty message to the address patches@BSDI.COM and
the server will respond with the help message.

This directory contains patches for BSD/OS. The patch naming scheme
consists of:

o A letter indicating what part of the system the patch is concerned
  with. The most common letters will be `K' indicating a kernel patch
  or `U' indicating a patch for a utility.
o Three digits indicating the release number (e.g., 210 for the 2.1
  release).
o A dash.
o Three digits indicating the patch number.

The patch named K210-001 would be the first kernel patch for the 2.1
release.
The .asc files in the signatures directory are PGP signatures signed
with the official BSDI public key. You can obtain the key from below,
and/or from the http://www.bsdi.com home page (at the very end of the
page). If you require a verbal confirmation of the signature, please
call the main BSDI number at 719-593-9445.

Please contact support@BSDI.COM if you have any questions regarding
the patches in this directory.

===================================================================
PATCH: K210-001

SUMMARY: This patch fixes two separate problems. The first is a bug
introduced in 2.1. When switching from variable length record to fixed
length records the system would panic with a divide by zero trap. The
second change allows the kernel to recognize non-compliant Sony DDS1
(DAT) drives.

md5 checksum: 3f8af9cb23c12fce5d4ad9cecfdf5537 K210-001

===================================================================
PATCH: K210-002

SUMMARY: Add support for the 2940U. Also add support for on-board
controllers with a PCI device id of 0x5578.
md5 checksum: a71041d15f73c4b17b8944e098ea7a19 K210-002

===================================================================
PATCH: K210-003

SUMMARY: Some systems have DMA contention problems between SCSI host
bus adapters and the floppy disk controller. This change allows the
floppy controller to retry many more times when a DMA underrun occurs.
This problem is not new, but changes in other parts of the system
caused it to show up more often. Install is where this problem is most
often seen.

md5 checksum: 9b2754cc9b1ca4b5c8efa12edc67e445 K210-003

===================================================================
PATCH: K210-004

SUMMARY: This patch fixes corrupted IP packets when bpf (tcpdump) is
enabled on PPP/SLIP connections.

This patch also addresses a problem with back to back framing
characters on PPP connections. Although the connection worked fine, it
would report a very high number of input errors.

md5 checksum: d987756903b6a104dc45a07e774d1a0e K210-004

===================================================================
PATCH: K210-005

SUMMARY: This patch fixes several problems with DMA buffer underruns
(program not keeping up with soundcard), including a page fault panic
in certain conditions.

md5 checksum: 563ad9261b73b22e398cc423aa6de4ad K210-005

===================================================================
PATCH: K210-006

SUMMARY: PPP was initialized with a cmap of 0xfffffff (28 bits)
instead of 0xffffffff (32 bits). This could cause PPP to send
non-escaped control characters (0x1f, 0x1e, 0x1d, 0x1d) during LCP
negotiation, which the other side may choose to ignore, thereby
causing that LCP packet to be corrupted.

Several messages about invalid packets are now only printed when
IFF_DEBUG is turned on on the ppp or sl interface. These messages were
almost always printed at the start, and perhaps at the end of a
session as trailing garbage from the login sequence was fed to
PPP/SLIP.
These messages were not the sign of anything wrong happening, but they
were annoying nonetheless.

md5 checksum: 912b5f7c371dab31977ec775e987eff9 K210-006

===================================================================
PATCH: K210-007

SUMMARY: This patch allows some IDE controllers which do not comply
with the ATA-2 spec to be recognized. One of the tests used to
determine if a controller is present involved writing a data pattern
to a register which should not read that pattern back; this test has
been removed.

To install a system with one of these controllers use the boot floppy
image from:
ftp://ftp.bsdi.com/bsdi/support/misc/boot1.wdc_broken.image.

There is no need to install this patch unless you have an IDE
controller that is not being recognized at boot time.

md5 checksum: 850a4858aa78d6e2ff624372364948ad K210-007

===================================================================
PATCH: K210-008

SUMMARY: This patch fixes page fault panics during operations on
revoked vnodes, most commonly seen during fchmod() system calls on
busy systems with many modems. A fix to the pseudo-tty driver to
properly handle revoked vnodes is also included.

md5 checksum: fec10046849034176ccfdbd7b4dbf377 K210-008

===================================================================
PATCH: K210-009

SUMMARY: This patch fixes a page fault panic when the master side of a
pty is opened, the slave side of the same pty has never been opened,
ttyp0 has never been opened, and an ioctl is issued against the
master. Ttyp0 can also be corrupted in some cases instead of the
system suffering a page fault. This problem can occur when starting
the Xylogics rtelnet program from rc.local.

md5 checksum: 8d0b041a7b74624334a09b7aa12f4587 K210-009

===================================================================
PATCH: K210-010

SUMMARY: This patch fixes a crash that can occur when a program
attempts to read out of band data from a socket that has become
disconnected.
The problem is indicated if `netstat -m' on a crash dump shows various
occurrences of .

NOTE: some customers received a preliminary version of this patch
called K210-mbuf. This patch supersedes that patch. If you have
installed that patch, the original versions of the patched files must
be re-installed before installing this patch; do this with the
commands:

    mv kern/uipc_usrreq.c.orig kern/uipc_usrreq.c
    mv net/raw_usrreq.c.orig net/raw_usrreq.c
    mv netinet/raw_ip.c.orig netinet/raw_ip.c
    mv netinet/tcp_usrreq.c.orig netinet/tcp_usrreq.c
    mv netinet/udp_usrreq.c.orig netinet/udp_usrreq.c

This patch also fixes two TCP problems. It was possible for newer TCP
options to be sent to a host that did not support them if the remote
host sent no TCP options when opening the connection. It was also
possible for a connection to hang if the window was retracted and then
a packet was lost.

md5 checksum: 369de1affd867f13a75a1b0c9f531f43 K210-010

===================================================================
PATCH: K210-011

SUMMARY: This patch adds support for several more PCI bus Adaptec
controllers. It is also possible to force the driver to attach an
unknown Adaptec PCI type by setting the low order bit in the flags
field. The following Adaptec PCI ids are recognized:

    0x5078, /* AIC-7850 Single-chip PCI 2 Fast SCSI */
    0x5578, /* Do not know, may not exist */
    0x7078, /* AIC-7870 Single-chip PCI 2 Fast SCSI */
    0x7178, /* AHA-2940 PCI 2 Fast SCSI
               AHA-2940W PCI 2 Fast and Wide Single-ended SCSI */
    0x7478, /* AHA-2944W PCI 2 Fast and Wide Differential SCSI */
    0x8078, /* AIC-7880 Single-chip PCI 2 Ultra SCSI */
    0x8178, /* AHA-2940{,W} using AIC-7870D Single-chip PCI 2 Fast SCSI */

md5 checksum: 1f53601ef7c628714d0d04566f9fad4e K210-011

===================================================================
PATCH: K210-012

SUMMARY: In BSD/OS 2.1, raw reads into shared memory destroy sharing.
This patch changes the way that the kernel treats user memory in raw
reads so that sharing will be preserved.

md5 checksum: 7ebbbd312273acf5c96ccb1e61fe1f49 K210-012

===================================================================
PATCH: K210-013

SUMMARY: This patch fixes two bugs in mlock() that can crash a 2.1
system.

It was possible to panic the system by attempting to lock enough
memory using mlock() such that it required the allocation of a page
table page. This patch prevents the crash by forcing mlock() to
allocate the necessary page table pages.

If a process used mlock() to lock memory that was mapped
copy-on-write, then attempted a fork() call, the system was unable to
find locked pages in the underlying VM object and panicked. This patch
makes the system pursue locked pages beyond the topmost object where
modified copies of pages reside, and avoids the crash.

md5 checksum: 366995368a71566cf842eabcab383061 K210-013

===================================================================
PATCH: K210-014

SUMMARY: On very large (typically RAID based) file systems, the amount
of free space as returned to user code from the statfs() system call
is incorrect due to an internal overflow. (The file system itself is
okay.) Typically the `df' program shows a negative `capacity'.

md5 checksum: fd45ab91d53e95a4b3393ea68fc26b9f K210-014

===================================================================
PATCH: K210-015

SUMMARY: Jumbo patch to 3COM driver, fixes primarily targeted at 59x
series cards (including the defective 595s). Also includes performance
fixes to allow cards with small buffers to drop fewer packets in
systems with IDE disks.

*** Note: This patch was reissued about a day after its first release
due to some beta PCMCIA code (all ifdefed out) being included by
mistake. Both versions of the patch compile into identical binary
code; there is no reason to reapply it if the earlier version was
applied.
md5 checksum: 3663c470aa470a244d5af70aa8d5e58c K210-015

===================================================================
PATCH: K210-016

SUMMARY: The slip modem control routine was missing from the line
switch table. This prevented slip from noticing loss of carrier when a
session was dropped. The symptoms of this problem are that ppp(8)
continues to run on slip sessions, even though the modem has hung up.

md5 checksum: f80a0999e671e119c7dee59058c5136b K210-016

===================================================================
PATCH: K210-017

SUMMARY: This patch fixes a problem where under heavy load the kernel
could occasionally panic with "timeout table full".

It also provides the following changes which were missing from the
object version of K210-011.

This patch adds support for several more PCI bus Adaptec controllers.
It is also possible to force the driver to attach an unknown Adaptec
PCI type by setting the low order bit in the flags field. The
following Adaptec PCI ids are recognized:

    0x5078, /* AIC-7850 Single-chip PCI 2 Fast SCSI */
    0x5578, /* Do not know, may not exist */
    0x7078, /* AIC-7870 Single-chip PCI 2 Fast SCSI */
    0x7178, /* AHA-2940 PCI 2 Fast SCSI
               AHA-2940W PCI 2 Fast and Wide Single-ended SCSI */
    0x7478, /* AHA-2944W PCI 2 Fast and Wide Differential SCSI */
    0x8078, /* AIC-7880 Single-chip PCI 2 Ultra SCSI */
    0x8178, /* AHA-2940{,W} using AIC-7870D Single-chip PCI 2 Fast SCSI */

md5 checksum: be01d53cfa77a009089670267101ce22 K210-017

===================================================================
PATCH: K210-018

SUMMARY: This patch supersedes the informal patch K210-rtsock. In
addition to the leftover pointer to a freed block, this patch fixes
incorrect handling of the gateway route. In some cases an incorrect
route was returned by rtrequest() which actually used a block of
memory which had been freed. This resulted in a system crash.
One symptom of the bugs fixed by this patch is that the value which
caused the crash is sometimes equal to 0xc0001.

md5 checksum: a23c5691c4a587a87b1ce678d576f432 K210-018

===================================================================
PATCH: K210-019

SUMMARY: This patch adds several TCP performance enhancements.

o PCB hashing
o Optimized delayed ACK processing
o Optimized TIME-WAIT state processing
o Initial congestion window fixes
o Eliminate sending small packets when more data is waiting to be
  copied from the application, but don't delay them unnecessarily when
  there isn't.

This patch also includes a new kernel config option, INET_SERVER.
Turning on this option will cause the PCB hashing code to use a much
larger hash table. Typically this would be useful on busy web servers.

md5 checksum: 9527c357be5a70f718236073a66fad94 K210-019

===================================================================
PATCH: K210-020

SUMMARY: Fixes certain kernel page fault panics which may occur when
mounting and unmounting filesystems.

md5 checksum: f219909d9f9617e7f40d1b9460315bb1 K210-020

===================================================================
PATCH: K210-021

SUMMARY: This patch adds two networking features that can help defeat
and detect some types of denial of service attacks.

The first feature is a limit on the number of fragmented IP packets in
the IP reassembly queue. The default limit is 200 and can be changed
with the sysctl(8) variable "net.inet.ip.maxfragpackets". To change
the limit of the number of packets on the IP reassembly queue add a
command like the following to the end of /etc/netstart. This example
would reduce the limit on outstanding fragments to 100:

    sysctl -w net.inet.ip.maxfragpackets=100

The second feature is an optional test to ensure that packets are
received on the expected interface. This feature looks up the route
back to the source of received IP packets.
If there is no route to the source available, or the packet did not
arrive on the expected interface, the packet is discarded. The
expected interface is the one that would be used to send a packet back
to the reported source of the packet.

IP source address verification should not be used when concurrent
alternate paths exist from the BSD/OS system where this feature is
enabled, as this may cause valid packets to be discarded. For example,
a small ISP that has one connection to a backbone network and one
connection to each of its clients could enable this feature. If the
same ISP has two connections to a backbone network, or one connection
to each of two backbone networks, they should not enable this feature.

IP source address verification is a valuable tool for protecting
against some forms of IP-spoofing as described in CERT advisory
CA 96.21, "TCP SYN Flooding and IP Spoofing Attacks". The full text of
this advisory is available as
ftp://info.cert.org/pub/cert_advisories/CA-96.21.tcp_syn_flooding.

If you are a service provider, using IP source verification will
protect your customers against attacks from the Internet which appear
to be coming from your customers' networks, and it will ensure that
packets sent from your customers' networks have a source address on
your customers' networks (preventing them from spoofing source
addresses and/or attacking others).

This feature is enabled via the "net.inet.ip.sourcecheck" sysctl(8)
variable or by adding the "IPSOURCECHECK" option when building a
kernel. For example, to enable IP source address verification, add the
following command to the end of /etc/netstart:

    sysctl -w net.inet.ip.sourcecheck=1

The IP source address verification code will log a message when
discarding a packet. To prevent a large number of these packets from
using an excessive amount of disk space, log messages are limited to
one per IP address per time interval.
The time interval defaults to five seconds and may be configured with
the "net.inet.ip.sourcecheck_logint" sysctl(8) variable. A value of
zero disables the time interval.

This patch requires U210-025 which provides new copies of sysctl(8)
and netstat(1) for configuration and monitoring of these new features.

md5 checksum: c386e72f41d0e409d91b493631e364dd K210-021

===================================================================
PATCH: K210-022

SUMMARY: This patch adds a TCP SYN cache which reduces and/or
eliminates the effects of SYN-type denial of service attacks such as
those discussed in CERT advisory CA 96.21.

When a large number of SYN packets arrive for the same TCP port, the
old code would drop the excess SYN packets, assuming that they will be
retransmitted and that the current 1/2 open connections will soon be
completed and removed from the queue. However, due to one-way and/or
long paths, or malicious intent, the queue can become clogged with 1/2
open connections that will never complete, preventing any valid
connections from being established.

With the SYN cache, when the accept queue overflows a minimal amount
of state is stored in the SYN cache, and a SYN,ACK response is sent.
If a valid ACK comes back, a complete connection is created. If there
is no route or a TCP RST or ICMP Unreachable comes back, the entry is
deleted. Otherwise, the entries will just time out.

There are several new sysctl entries. Note that they should not be
changed unless there is evidence that the default values are not
adequate.

o net.inet.tcp.syn_cache_limit
  This specifies the maximum number of entries that may be held in the
  SYN cache.
o net.inet.tcp.syn_bucket_limit
  This specifies the maximum number of entries that may be held in any
  individual hash bucket of the SYN cache.
o net.inet.tcp.syn_cache_interval
  This specifies, in 0.5 second increments, how often the timeout
  routine for the SYN cache should be run.
The default maximum cache size is 10255, with a hash table size of 293
and a maximum per bucket limit of 105 (10255 = 293*35, 105 = 3*35). If
INET_SERVER is defined, the default maximum cache size is 34895, a
hash table size of 997, and a per bucket limit of 105 (34895 = 997*35,
105 = 3*35).

md5 checksum: 9ec62b5e9cc424b9b42089504256d926 K210-022

===================================================================
PATCH: K210-023

SUMMARY: Synchronize de driver with latest stable version from Matt
Thomas. Includes support for the DE500-AA and fixes several bugs, one
of which caused systems to hang or corrupt packets under heavy network
load. This version of the driver does NOT add support for the Znyx 346
multiport card or the SMC9332BDT (the follow on to the EtherPower
10/100); the SMC9332BDT is recognized as an SMC 8432BA and does not
operate.

Note: This driver supports sharing interrupts on the PCI bus but a
problem in 2.1 (unrelated to the de driver) causes a warning message
to be generated at boot time when interrupts are shared. This message
is benign as long as the drivers sharing the interrupt are written to
share interrupts.

md5 checksum: f9322e8e2cfba4a6862e59896f2ce3a3 K210-023

===================================================================
PATCH: K210-024

SUMMARY: This patch enhances the K210-021 and K210-022 patches.

IP fragmentation:

o Setting "sysctl -w net.inet.ip.maxfragpackets=0" will now cause all
  IP fragments to be dropped.
o Setting "sysctl -w net.inet.ip.maxfragpackets=-1" will effectively
  remove the limit.
o If maxfragpackets is reduced, the fragment queue will now be trimmed
  back to the new, lower limit, rather than waiting for fragments to
  time out.

TCP SYN caching:

o Receiving an ICMP Unreachable or a RST for a cached connection will
  now remove that cached entry.
o We no longer send out the Timestamps or Scale option if we receive a
  SYN without any TCP options, and the MAXSEG value is now filled in
  correctly (it was byte swapped).
o When turning around the TCP packet for the SYN,ACK, make sure we
  have space for the TCP options, and if not, make some space.

md5 checksum: d7dfc8b6c528ab18f4a10aa572eda1b8 K210-024

===================================================================
PATCH: K210-025

SUMMARY: This patch solves a problem that can cause a panic due to a
page fault on systems that use PPP with TCP header compression, have
installed patch K210-021, and have enabled IP source route checking.

When TCP header compression is used on a PPP interface, a value was
not initialized when receiving an ACK-only packet. The K210-021 patch
added code that trips over this bug when IP source route checking is
enabled.

To see if IP source route checking is enabled, (after U210-025 has
been applied) use:

    /usr/sbin/sysctl net.inet.ip.sourcecheck

Although the problem as it relates to IP source route checking has
been identified, there may be other places in the kernel that could
also trip over the uninitialized receive interface pointer.

md5 checksum: 17f6e4e608f9f0942d4575d67ab26838 K210-025

===================================================================
PATCH: K210-026

SUMMARY: Change the Specialix multiport card driver's interrupt
handler to clear interrupts before acknowledging them. This should
prevent "lost intr" messages. Also declare some volatiles which were
not.

md5 checksum: 7f6303c3d2ccba70b995806335684836 K210-026

===================================================================
PATCH: K210-027

SUMMARY: Changes in Apache 1.2b are exercising a problem in the kernel
where sockets can get stuck in the FIN-WAIT-2 state, if the final FIN
never arrives from the other side. This patch ensures that when a
process closes a socket that is in FIN-WAIT-2 state, a timer will be
set. If the final FIN never arrives, the timer will expire and the
socket will be removed.
md5 checksum: 49df19100ebf60aebd27a27305b6ef8e K210-027

===================================================================
PATCH: U210-001

SUMMARY: This patch fixes a configuration problem in the BSD/OS 2.1
release of the elm programs. They were configured to do dot-locking,
and dot-locking is not permitted in BSD/OS for security reasons. The
symptom is that elm will repeatedly attempt to acquire a lock, but
will eventually fail and refuse to run.

md5 checksum: a963a94347703f3a5e55797bd055b6a3 U210-001

===================================================================
PATCH: U210-002

SUMMARY: This patch fixes a bug in the BSD/OS 2.1 release of the inn
programs. A fix that we made between the 2.0 and 2.1 releases
introduced a bug that caused innd to incorrectly parse dates. The
symptom is that inn programs fail with "437 Bad "Date" header" in the
/var/log/news/news file, or that Pnews will fail with "441 Can't parse
"Date" header" messages.

md5 checksum: 4a1a6808caa28cb0986a977cb08cb6f9 U210-002

===================================================================
PATCH: U210-003

SUMMARY: This patch fixes several problems with the configuration
system:

o Selection between 10mb and 100mb on DEC based ethernet cards is no
  longer inverted.
o One can now select TP on SMC Ultra (we) ethernet cards.
o The config_dns program did not allow configuration of a primary DNS
  server.

md5 checksum: 5452c5a0f99fb3449b985852c152e433 U210-003

===================================================================
PATCH: U210-004

SUMMARY: This patch fixes a bug which prevented setting the block size
for drives operating in fixed length mode.

md5 checksum: 2c3924ea2c19d231c4b4641bc650df42 U210-004

===================================================================
PATCH: U210-005

SUMMARY: This patch fixes two problems in the BSD/OS 2.1 release of
the sendmail program.
First, when sendmail cannot find any other place to store rejected
email, it attempts to put it in /usr/tmp, when, on BSD/OS it should
use /var/tmp. The symptom is messages of the form:

    sendmail[308]: Losing qfGAA00303: savemail panic
    sendmail[308]: GAA00303: SYSERR(root): savemail: cannot save rejected email anywhere: No such file or directory

in the sendmail log file.

The second problem is a security problem, and these changes follow the
official sendmail 8.7.4 patch.

md5 checksum: b8a6f8fa388407ff27b8b862a7e9f53c U210-005

===================================================================
PATCH: D210-006

SUMMARY: THIS PATCH IS FOR THE KERBEROS PACKAGE FROM THE DOMESTIC
FLOPPY. IT CONTAINS DES CODE AND MAY NOT BE LEGALLY EXPORTED FROM THE
UNITED STATES WITHOUT A SPECIFIC LICENSE. YOU DO NOT NEED THIS PATCH
IF YOU ARE NOT RUNNING KERBEROS.

This patch addresses CERT(sm) Advisory CA-96.03, February 21, 1996,
"Vulnerability in Kerberos 4 Key Server."

Kerberos 4 makes use of some random numbers that are predictable
enough to allow some kerberos keys to be cracked. The fix involves
using a better random number generator primed with a secret key.

The enclosed program "/sbin/fix_kdb_keys" will re-calculate some
critical keys in the kerberos database that were chosen randomly with
the old random number generator. This program must be run on the
kerberos server machine; kill the running "kerberos" daemon, run
fix_kdb_keys and then start the new kerberos daemon. If you have used
"kstash" to store your kerberos master key, the -n option of
fix_kdb_keys may be used to read it from disk.

NOTE that ANY OUTSTANDING TICKET GRANTING TICKETS WILL IMMEDIATELY
BECOME INVALID. Users will need to run "kinit" to get new tickets or
log out and back in. Run fix_kdb_keys when it will not disrupt your
user community or at a pre-announced time.
md5 checksum: 70f9ee252201f678d319dbaab2304096 D210-006

===================================================================
PATCH: U210-007

SUMMARY: This patch fixes two problems in the BSD/OS 2.1 release of
the pcnfsd program. They relate to system security, and should be
installed immediately.

md5 checksum: 7de0fb2254759b22e1d806e233014aeb U210-007

===================================================================
PATCH: U210-008

SUMMARY: This patch fixes a problem with cron in which the PATH
environment variable was not set correctly.

This patch also strengthens the checks on authentication modules
(/usr/libexec/login_*) and the /etc/login.conf files. These must now
be regular files, owned by root, and not group or world writable.

md5 checksum: 1a56a9ef427b2db4fb84bd20f0dd3638 U210-008

===================================================================
PATCH: U210-009

SUMMARY: The 2.1 release was shipped without the support files needed
to create 2.0-compatible binaries. This patch adds a compatible
shlib.map.2.0 file for 2.0 libraries, in 2.1 format, and restores the
2.0 stub libraries.

md5 checksum: 033abd8365753c868e11c5409832c99d U210-009

===================================================================
PATCH: U210-010

SUMMARY: This patch fixes a configuration problem in the BSD/OS 2.1
release of the elm programs. The Configuration script provided with
elm does not correctly handle hostnames in mixed-case. The symptom is
that elm will always send email from .bsdi.com, instead of from the
current system.

md5 checksum: 68edeeaaafb187bea4dfea7d1ccda56d U210-010

===================================================================
PATCH: U210-011

SUMMARY: This patch fixes a problem in the BSD/OS 2.1 release of the
/etc/security script. The symptom is that the nightly security email
will contain erroneous lists of device additions and deletions.
md5 checksum: 9bbd32f1284be84163b2cfad75bf9bc6 U210-011

===================================================================
PATCH: U210-012

SUMMARY: This patch fixes a problem in the BSD/OS 2.1 release of the
bsdi-man CGI. The changes were due to slight differences in the new
Apache httpd.

md5 checksum: 2fec18d94658918031c300e999615d59 U210-012

===================================================================
PATCH: U210-013

SUMMARY: This patch fixes a problem in the BSD/OS 2.1 release of the
ftpd program. The symptom is that the -i and -o options don't log
transfers to /var/log/xferlog, even though the -A option is also
specified.

md5 checksum: 2c125f4c4da14b9bf2d145cb816113bf U210-013

===================================================================
PATCH: U210-014

SUMMARY: This patch fixes a problem in the BSD/OS 2.1 release of the
ping program. The symptom is that output redirected from ping to a
file won't appear if the -c option is specified.

md5 checksum: 1757be3caf30bcc1a797a9501e739815 U210-014

===================================================================
PATCH: U210-015

SUMMARY: This patch fixes some shell syntax problems in the BSD/OS 2.1
port of metamail's shownonascii program. The symptom is errors when
attempting to display non-ascii text via metamail.

md5 checksum: e4148a872adaca7deca2e3acbda8ce56 U210-015

===================================================================
PATCH: D210-016

SUMMARY: THIS PATCH IS FOR THE KERBEROS PACKAGE FROM THE DOMESTIC
FLOPPY. IT CONTAINS DES CODE AND MAY NOT BE LEGALLY EXPORTED FROM THE
UNITED STATES WITHOUT A SPECIFIC LICENSE. YOU DO NOT NEED THIS PATCH
IF YOU ARE NOT RUNNING KERBEROS.

This patch fixes a long-standing minor security problem with kerberos
authentication. The problem did not allow external or arbitrary users
unauthorized access to the system and hence this is considered a minor
security patch. BSDI does, however, recommend that all sites using
KerberosIV install this patch.
If you require sources for this patch, please contact . The source
version of this patch will be made more widely available in the
future.

md5 checksum: 5da8c716b14111084d4ac2d507822955 D210-016

===================================================================
PATCH: U210-017

SUMMARY: This patch addresses the security issues as discussed in
CERT(sm) Advisory CA-96.12 Vulnerability in suidperl for BSD/OS 2.1.

md5 checksum: 6224ff121b16bd8f990345b5e1f388df U210-017

===================================================================
PATCH: D210-018 U210-018

SUMMARY: This patch addresses a security problem in the rdist program.

If you have not installed the Kerberos package, install the U210-018
version of this patch. You do NOT need to install the D210-018 version
unless you are running Kerberos.

If you are running Kerberos, you should install the D210-018 version
of the patch instead of the U210-018 version.

Both versions of the patch install the same binary (/usr/bin/rdist),
so installing the second version of the patch will over-write
whichever was installed first.

THE D210-018 VERSION OF THIS PATCH IS FOR THE KERBEROS PACKAGE FROM
THE DOMESTIC FLOPPY. IT CONTAINS DES CODE AND MAY NOT BE LEGALLY
EXPORTED FROM THE UNITED STATES WITHOUT A SPECIFIC LICENSE.

md5 checksum: b2060ec4eb9b18ace4e76bcb9441353f D210-018
md5 checksum: 86005d8bbb67eb737120741bd254d26a U210-018

===================================================================
PATCH: U210-019

SUMMARY: This binary patch adds the Squid Internet object cache to
BSD/OS 2.1 systems. Squid can act as both an HTTP proxy and an HTTP
accelerator, providing significant improvements in HTTP performance as
well as reducing unnecessary network traffic.
Source code is available from: ftp://ftp.bsdi.com/bsdi/patches/patches-2.1/squid-src.tar.gz

md5 checksum: e845288889e56b109ffb37a5e33ee426 U210-019
md5 checksum: 0fc5968e44c2100d0a3f45dc2334f7b2 squid-src.tar.gz

===================================================================
PATCH: U210-020

SUMMARY: This patch changes the ownership of the configuration files in /var/www/conf to be owned by root rather than www. In the original configuration (where the configuration files were owned by www) compromising the www user could allow unauthorized root access.

md5 checksum: c934f2db8b8d727881d473f00b2fb4b1 U210-020

===================================================================
PATCH: U210-021 D210-021

SUMMARY: This patch fixes a vulnerability with rlogin.

THE D210-021 VERSION OF THIS PATCH IS FOR THE KERBEROS PACKAGE FROM THE DOMESTIC FLOPPY. IT CONTAINS DES CODE AND MAY NOT BE LEGALLY EXPORTED FROM THE UNITED STATES WITHOUT A SPECIFIC LICENSE.

md5 checksum: 8b9b66e463715e999a85298fd9a0720b U210-021
md5 checksum: c3e1249337942bf5656b99f5ddbd3267 D210-021

===================================================================
PATCH: U210-022

SUMMARY: A security vulnerability exists in bash 1.14.5, which was shipped with BSD/OS 2.1. This patch replaces that version with bash 1.14.7.

md5 checksum: 1d6ea7a97e27f45967e762916e0e5aea U210-022

===================================================================
PATCH: U210-023

SUMMARY: A security vulnerability exists in the Xt library distributed with BSD/OS 2.1. This vulnerability can and has been exploited via setuid-root programs such as xterm.

The enclosed replacements for the shared and un-shared Xt libraries fix the problem.

md5 checksum: 15abd9a9c072097ec9be53398ceb7c70 U210-023

===================================================================
PATCH: U210-024

SUMMARY: This patch updates sendmail to the official 8.7.6 release which fixes some security problems from previous versions including those in the CA-96.20 CERT advisory and a recent Bugtraq posting.

md5 checksum: baa7f3139d40c95f42f4f30725339314 U210-024

===================================================================
PATCH: U210-025

SUMMARY: This patch should be installed in conjunction with the IP source address check and IP fragmentation queue limit patch (K210-021) and the SYN flooding patch (K210-022).

The /usr/sbin/netstat and /usr/sbin/sysctl binaries have been updated to monitor and configure the kernel security patches mentioned above. Both of these binaries can be run in conjunction with a kernel that does not have the above two patches installed. The only side-effect will be that the new /usr/sbin/netstat will display garbage for the new counters.

The /usr/sbin/inetd binary has been updated to add the -u option which provides limited UDP source port checking. By default the new version of inetd will ignore requests to internal services which appear to come from internal services (to eliminate the loops which have been the source of some attacks). See the manual page inetd(8) for more information.

md5 checksum: d2ee01238ab6040e9b7a1bd2c3bf1016 U210-025

===================================================================
PATCH: U210-026

SUMMARY: This patch fixes a potential security problem in the DNS lookup code where the library routine was too trusting of data returned from the remote server.

md5 checksum: d87b9efdf24f73ddef868388ecdf25f0 U210-026

===================================================================
PATCH: U210-027

SUMMARY: This patch updates sendmail to the official 8.8.2 release which fixes some security problems from previous versions.

md5 checksum: 6aa1980f928fdc0cf3e7ec4204e54e2c U210-027

===================================================================
PATCH: U210-028

SUMMARY: This patch fixes a buffer overflow problem in lpr which can allow local users to gain root access. This problem has received press recently via Bugtraq, and an exploitation script was recently posted to bsdi-users.

md5 checksum: 2afffb5ac46465a9aa51a7573c8ce639 U210-028

===================================================================
PATCH: U210-029

SUMMARY: This patch updates sendmail to the official 8.8.3 release which fixes some security problems from previous versions (mainly the "root shell by lying about argv[0] and sending a signal" bug found by Leshka Zakharoff and recently posted to the bsdi-users@BSDI.COM mailing list).

md5 checksum: 91bf5fc0e88becf494f9b681c892cb53 U210-029

===================================================================
PATCH: U210-030

SUMMARY: This patch updates sendmail to the official 8.8.4 release which fixes some security problems from previous versions (including those detailed in the recent AUSCERT advisory and in the December US CERT advisory).

md5 checksum: 9d125ea1705553c769cb3816ad69230c U210-030

===================================================================
PATCH: U210-031

SUMMARY: This patch updates cron(8) and crontab(1) to the BSD/OS 3.0 versions, which fix some security problems from previous versions (including those detailed in the recent AUSCERT advisory).

md5 checksum: 512b6929edb96ef46b90ce66f22ff659 U210-031
old md5 checksum: 5590213ab641ff1efe85b596e23f69e9 U210-031.bad

===================================================================
PATCH: U210-032

SUMMARY: This patch fixes security problems in the BSD/OS 2.1 release of the /etc/daily.local and /etc/security scripts.

PLEASE NOTE: As distributed in BSD/OS 2.1, the lines in the /etc/daily.local script that are being updated by this patch were commented out. For this reason, if this patch fails to apply correctly, it is important that you review the patch and apply the modifications by hand!

PLEASE NOTE: This patch replaces the entire contents of both the /etc/security and (if present) the /usr/src/etc/security files. If you have local modifications to these files, you should review your original files (/etc/security.orig and /usr/src/etc/security.orig) after applying this patch and add your local modifications back into the new file.

md5 checksum: a4683ee9aa8416bcb60c44a598bcfc48 U210-032
old md5 checksum: e13d491b6020b440985b7b0bc1331248 U210-032.bad

===================================================================
PATCH: U210-033

SUMMARY: This patch fixes a security problem in the BSD/OS 2.1 release of the ftpd utility, as recently reported on the wu-ftpd mailing list.

md5 checksum: 69f9a990aa60d53e6051a5c64539ae2c U210-033
old md5 checksum: 6c329115058388ea2ddb04f643c00370 U210-033

===================================================================
PATCH: U210-034

SUMMARY: This patch fixes a couple of security problems in support routines used by the BSD/OS 2.1 release version of the adduser and addgroup programs. Specifically, the new version ensures that the /etc/group file is not left writable by anyone other than root and it ensures that the temporary copy of the /etc/master.passwd file is never readable by anyone other than root (previously it could be read while adduser was rebuilding the database versions of the password file).

This patch also fixes a problem in rmuser. In the old version, rmuser could occasionally remove more users than requested if they had the same UID as the user it was supposed to remove.

md5 checksum: 8e2ff944f23b2bf132b7ac5bf97db94a U210-034

===================================================================
PATCH: U210-035

SUMMARY: This patch fixes some security problems in the BSD/OS 2.1 version of the talk daemon, /usr/libexec/ntalkd.

md5 checksum: ad84cc180e9e2bdb26c41f4ef6ebf81b U210-035
old md5 checksum: 7d2e6e3d424c6a1d9af4f78d3bea870b U210-035

===================================================================
PATCH: U210-036

SUMMARY: This patch updates sendmail to the official 8.8.5 release which fixes some security problems from previous versions.

md5 checksum: 0137dbc93e7554468930852c28099c3b U210-036

===================================================================
PATCH: U210-037 (normal version) D210-037 (kerberos version)

SUMMARY: This patch fixes a security hole that can allow unauthorized remote access.

In addition to installing this patch, another way to protect your systems from this attack is to disallow IP source routed packets from entering your networks. If your gateway is a BSD/OS system, this can be done via:

    /sbin/sysctl -w net.inet.ip.forwsrcrt=0

Note that the kerberized versions of rsh and rlogind are not at risk from this attack. It is only the use of .rhosts for allowing access to the system that is at risk.

Most sites should install the U210-037 version. Only sites that have installed the Kerberos package from the DOMESTIC floppy should install the D210-037 version of this patch.

The tcpd source change is simply to remove the -DKILL_IP_OPTIONS option from the CLFLAGS definition in Makefile.defs. This change is not included in the source patches below.

BSDI would like to thank Oliver Friedrichs and Secure Networks Inc. for identifying this problem and possible solutions to it.

md5 checksum: aded511e67e025a21295e15fa5bd7690 U210-037
md5 checksum: 78594e78579f1e26f7023f690f1d3060 D210-037

===================================================================