=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/60.html,v retrieving revision 1.21 retrieving revision 1.22 diff -c -r1.21 -r1.22 *** www/60.html 2016/07/22 20:33:22 1.21 --- www/60.html 2016/07/22 21:24:11 1.22 *************** *** 120,126 ****

W^X is now strictly enforced by default; a program can only violate it if the executable is marked with ! PT_OPENBSD_WXNEEDED and its is located on a filesystem mounted with the wxallowed mount(8) option.
The setjmp(3) --- 120,126 ----
- W^X is now strictly enforced by default; a program can only violate it if the executable is marked with ! PT_OPENBSD_WXNEEDED and it is located on a filesystem mounted with the wxallowed mount(8) option.
- The setjmp(3) *************** *** 129,136 ****
- sigreturn(2) can now only be used by the kernel-provided signal trampoline, with a cookie to detect attempts to reuse it. !
- To deter code reuse exploits, in rc(8), ! re-link libc.so on startup, placing the objects in a random order.
- In the getpwnam(3) family of functions, stop opening the shadow database by default.
- Allow tcpdump(8) --- 129,136 ----
- sigreturn(2) can now only be used by the kernel-provided signal trampoline, with a cookie to detect attempts to reuse it. !
- To deter code reuse exploits, rc(8) ! re-links libc.so on startup, placing the objects in a random order.
- In the getpwnam(3) family of functions, stop opening the shadow database by default.
- Allow tcpdump(8) *************** *** 326,332 **** ensures that only GENERALIZEDTIME formats are accepted for OCSP, as per RFC 6960.
!
The following CVEs had been fixed:
- CVE-2016-2105—EVP_EncodeUpdate overflow.
- CVE-2016-2106—EVP_EncryptUpdate overflow. --- 326,332 ---- ensures that only GENERALIZEDTIME formats are accepted for OCSP, as per RFC 6960.
!
The following CVEs have been fixed:
- CVE-2016-2105—EVP_EncodeUpdate overflow.
- CVE-2016-2106—EVP_EncryptUpdate overflow.