Qualys Labs has identified several security issues related to the ability to trick programs responsible for BSD's password checking mechanisms (similar to PAM). The trick is to pass the username "-schallenge" or "-schallenge:passwd", which is then interpreted not as a username, but as an option. After that, the system accepts any password. Vulnerable, i.e. eventually allow unauthorized access, services smtpd, ldapd, radiusd. The sshd service can't be exploited because sshd then notices that the "-schallenge" user doesn't really exist. The su program crashes when trying to exploit it head-on, because it also tries to find out the uid of a non-existent user.
Various vulnerabilities were also made public in xlock, in authorization via S/Key and Yubikey, as well as in su, not related to specifying the "-schallenge" user. A vulnerability in xlock allows a normal user to elevate privileges to the auth group. It is possible to elevate privileges from the auth group to the root user through the incorrect operation of the S/Key and Yubikey authorization mechanisms, but this does not work in the default OpenBSD configuration, since authorization via S/Key and Yubikey is disabled. Finally, a vulnerability in su allows a user to increase limits on system resources, such as the number of open file descriptors.
At the moment, the vulnerabilities have been eliminated, security updates are available through the standard syspatch(8) mechanism.
Source: linux.org.ru