===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/60.html,v
retrieving revision 1.21
retrieving revision 1.22
diff -c -r1.21 -r1.22
*** www/60.html 2016/07/22 20:33:22 1.21
--- www/60.html 2016/07/22 21:24:11 1.22
***************
*** 120,126 ****
- W^X is now strictly enforced by default;
a program can only violate it if the executable is marked with
! PT_OPENBSD_WXNEEDED and its is located on a filesystem
mounted with the wxallowed
mount(8) option.
- The setjmp(3)
--- 120,126 ----
- W^X is now strictly enforced by default;
a program can only violate it if the executable is marked with
! PT_OPENBSD_WXNEEDED and it is located on a filesystem
mounted with the wxallowed
mount(8) option.
- The setjmp(3)
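Review bot: in the changed line of the 120,126 hunk, "and it is located" leaves "it" with two possible antecedents, the program or the executable. Dropping the pronoun removes the ambiguity: "marked with PT_OPENBSD_WXNEEDED and is located on a filesystem mounted with the wxallowed mount(8) option". Since both conditions must hold before W^X can be violated, it is worth making it plain that the filesystem condition applies to the marked executable itself.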
***************
*** 129,136 ****
- sigreturn(2)
can now only be used by the kernel-provided signal trampoline,
with a cookie to detect attempts to reuse it.
!
- To deter code reuse exploits, in rc(8),
! re-link libc.so on startup, placing the objects in a random order.
- In the getpwnam(3)
family of functions, stop opening the shadow database by default.
- Allow tcpdump(8)
--- 129,136 ----
- sigreturn(2)
can now only be used by the kernel-provided signal trampoline,
with a cookie to detect attempts to reuse it.
!
- To deter code reuse exploits, rc(8)
! re-links libc.so on startup, placing the objects in a random order.
- In the getpwnam(3)
family of functions, stop opening the shadow database by default.
- Allow tcpdump(8)
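Review bot: the reworded item in the 129,136 hunk is now a declarative sentence ("rc(8) re-links libc.so on startup"), but the two items in the trailing context still use the imperative commit-log style ("In the getpwnam(3) family of functions, stop opening the shadow database by default." and "Allow tcpdump(8)"). Consider converting those in the same pass so the list reads uniformly, for example "The getpwnam(3) family of functions no longer opens the shadow database by default."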
***************
*** 326,332 ****
ensures that only GENERALIZEDTIME formats are accepted for
OCSP, as per RFC 6960.
! - The following CVEs had been fixed:
- CVE-2016-2105—EVP_EncodeUpdate overflow.
- CVE-2016-2106—EVP_EncryptUpdate overflow.
--- 326,332 ----
ensures that only GENERALIZEDTIME formats are accepted for
OCSP, as per RFC 6960.
! - The following CVEs have been fixed:
- CVE-2016-2105—EVP_EncodeUpdate overflow.
- CVE-2016-2106—EVP_EncryptUpdate overflow.