A race condition between the ptrace(2) and execve(2) system calls allowed
an attacker to modify the memory contents of suid/sgid processes which
could lead to compromise of the super-user account.

Apply by doing:
        cd /usr/src
        patch -p0 < 020_ptrace.patch
And then rebuild your kernel.

Index: sys/kern/kern_exec.c
===================================================================
RCS file: /cvs/src/sys/kern/kern_exec.c,v
retrieving revision 1.48.2.1
diff -u -r1.48.2.1 kern_exec.c
--- sys/kern/kern_exec.c	2001/06/16 02:30:46	1.48.2.1
+++ sys/kern/kern_exec.c	2002/02/20 08:46:05
@@ -256,6 +256,12 @@
 	int saved_sugid;
 
 	/*
+	 * Cheap solution to complicated problems.
+	 * Mark this process as "leave me alone, I'm execing".
+	 */
+	p->p_flag |= P_INEXEC;
+
+	/*
 	 * figure out the maximum size of an exec header, if necessary.
 	 * XXX should be able to keep LKM code from modifying exec switch
 	 * when we're still using it, but...
@@ -635,6 +641,7 @@
 	if (KTRPOINT(p, KTR_EMUL))
 		ktremul(p, p->p_emul->e_name);
 #endif
+	p->p_flag &= ~P_INEXEC;
 	return (0);
 
 bad:
@@ -657,7 +664,7 @@
 
 freehdr:
 	free(pack.ep_hdr, M_EXEC);
-	p->p_flag = (p->p_flag & ~(P_SUGID|P_SUGIDEXEC)) | saved_sugid;
+	p->p_flag = (p->p_flag & ~(P_SUGID|P_SUGIDEXEC|P_INEXEC)) | saved_sugid;
 	return (error);
 
 exec_abort:
@@ -690,6 +697,7 @@
 	exit1(p, -1);
 
 	/* NOTREACHED */
+	p->p_flag &= ~P_INEXEC;
 	return (0);
 }
 
Index: sys/kern/sys_process.c
===================================================================
RCS file: /cvs/src/sys/kern/sys_process.c,v
retrieving revision 1.10
diff -u -r1.10 sys_process.c
--- sys/kern/sys_process.c	2001/04/09 07:14:18	1.10
+++ sys/kern/sys_process.c	2002/02/20 08:46:05
@@ -109,6 +109,9 @@
 			return (ESRCH);
 	}
 
+	if ((t->p_flag & P_INEXEC) != 0)
+		return (EAGAIN);
+
 	/* Make sure we can operate on it. */
 	switch (SCARG(uap, req)) {
 	case  PT_TRACE_ME:
Index: sys/miscfs/procfs/procfs_mem.c
===================================================================
RCS file: /cvs/src/sys/miscfs/procfs/procfs_mem.c,v
retrieving revision 1.10
diff -u -r1.10 procfs_mem.c
--- sys/miscfs/procfs/procfs_mem.c	2000/08/15 02:44:12	1.10
+++ sys/miscfs/procfs/procfs_mem.c	2002/02/20 08:46:05
@@ -281,6 +281,8 @@
  *	    of the entire system, and the system was not
  *	    compiled with permanently insecure mode turned
  *	    on.
+ *
+ *	(3) It's currently execing.
  */
 int
 procfs_checkioperm(p, t)
@@ -295,6 +297,9 @@
 
 	if ((t->p_pid == 1) && (securelevel > -1))
 		return (EPERM);
+
+	if (t->p_flag & P_INEXEC)
+		return (EAGAIN);
 
 	return (0);
 }
Index: sys/sys/proc.h
===================================================================
RCS file: /cvs/src/sys/sys/proc.h,v
retrieving revision 1.40
diff -u -r1.40 proc.h
--- sys/sys/proc.h	2001/04/02 21:43:12	1.40
+++ sys/sys/proc.h	2002/02/20 08:46:06
@@ -247,6 +247,7 @@
 
 #define	P_NOCLDWAIT	0x080000	/* Let pid 1 wait for my children */
 #define	P_NOZOMBIE	0x100000	/* Pid 1 waits for me instead of dad */
+#define P_INEXEC	0x200000	/* Process is doing an exec right now */
 
 /* Macro to compute the exit signal to be delivered. */
 #define P_EXITSIG(p) \