On Wed, Dec 11, 2019 at 01:51:18PM -0500, T.J. Townsend wrote:
> Errata patches for ld.so have been released for OpenBSD 6.5 and 6.6.
> ld.so may fail to remove the LD_LIBRARY_PATH environment variable for
> set-user-ID and set-group-ID executables in low memory conditions.
The security advisory connected with this bug indicates the patch was
published within 3 hours of reporting:
https://www.openwall.com/lists/oss-security/2019/12/11/9
OpenBSD doesn't have unit tests (or if there are, they're not in the main
source tree). How does the project ensure that such wonderfully quick
fixes don't introduce new bugs?