The patches below are available in CVS via the
! OPENBSD_3_5patch branch.
For more detailed information on how to install patches to OpenBSD, please
***************
*** 55,227 ****
All architectures
!
! 016: RELIABILITY FIX: March 17,
! 2004
! A missing check for a NULL-pointer dereference has been found in
! ssl(3).
! A remote attacker can use the bug to cause an OpenSSL application to crash;
! this may lead to a denial of service.
!
!
! A source code patch exists which remedies this problem.
!
!
! 015: RELIABILITY FIX: March 17,
! 2004
! Defects in the payload validation and processing functions of
! isakmpd(8)
! have been discovered. An attacker could send malformed ISAKMP messages and
! cause isakmpd to crash or to loop endlessly. This patch fixes these problems
! and removes some memory leaks.
!
!
! A source code patch exists which remedies this problem.
!
!
! 014: SECURITY FIX: March 13,
! 2004
! Due to a bug in the parsing of Allow/Deny rules for
! httpd(8)'s
! access module, using IP addresses without a netmask on big endian 64-bit
! platforms causes the rules to fail to match. This only affects sparc64.
!
!
! A source code patch exists which remedies the problem.
!
!
! 013: RELIABILITY FIX: March 8,
! 2004
! OpenBSD's TCP/IP stack did not impose limits on how many out-of-order
! TCP segments are queued in the system. An attacker could
! send out-of-order TCP segments and trick the system into using all
! available memory buffers.
!
!
! A source code patch exists which remedies the problem.
!
!
! 012: RELIABILITY FIX: February 14,
! 2004
! Several buffer overflows exist in the code parsing
! font.aliases files in XFree86. Thanks to ProPolice, these cannot be
! exploited to gain privileges, but they can cause the X server to abort.
!
!
! A source code patch exists which remedies the problem.
!
!
! 011: SECURITY FIX: February 8, 2004
! An IPv6 MTU handling problem exists that could be used by an attacker
! to cause a denial of service attack against hosts with reachable IPv6
! TCP ports.
!
!
! A source code patch exists which remedies the problem.
!
!
! 010: SECURITY FIX: February 5, 2004
! A reference counting bug exists in the
! shmat(2)
! system call that could be used by an attacker to write to kernel memory
! under certain circumstances.
!
!
! A source code patch exists which remedies the problem.
!
!
! 009: SECURITY FIX: January 13, 2004
! Several message handling flaws in
! isakmpd(8)
! have been reported by Thomas Walpuski. These allow an attacker to delete arbitrary SAs. The patch also
! includes a reliability fix for a filedescriptor leak that causes problems when a crypto card is
! installed.
!
!
! A source code patch exists which remedies these problems.
!
! 005: RELIABILITY FIX: November 4, 2003
! It is possible for a local user to cause a system panic by executing a specially crafted binary with an invalid header.
!
!
! A source code patch exists which remedies the problem.
!
!
! 004: RELIABILITY FIX: November 1, 2003
! A user with write permission to httpd.conf or a .htaccess
! file can crash
! httpd(8)
! or potentially run arbitrary code as the user www (although it
! is believed that ProPolice will prevent code execution).
!
!
! A source code patch exists which remedies the problem.
!
! 002: SECURITY FIX: November 1, 2003
! The use of certain ASN.1 encodings or malformed public keys may allow an
! attacker to mount a denial of service attack against applications linked with
! ssl(3).
! This does not affect OpenSSH.
!
! A source code patch exists which remedies the problem.
!
!
! 001: DOCUMENTATION FIX: November 1, 2003
! The CD insert documentation has an incorrect example for package installation.
! Where it is written:
! The extra / at the end is important. We do not make
! patch files available for things printed on paper.
!
i386
!
! 006: SECURITY FIX: November 17, 2003
! It may be possible for a local user to overrun the stack in
! compat_ibcs2(8).
! ProPolice catches this, turning a potential privilege escalation into a denial
! of service. iBCS2 emulation does not need to be enabled via
! sysctl(8)
! for this to happen.
!
!
! A source code patch exists which remedies the problem.
!
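Review bot: The fix labels in the changed lines under "All architectures" are not applied consistently. 016 and 013 describe attacker-triggered denial of service and are tagged RELIABILITY FIX, while 011 and 002 also describe denial of service and are tagged SECURITY FIX. 004 is tagged RELIABILITY FIX although its text allows for code running as the user www. If these entries are carried over or reworded, choose one rule for the label and apply it to every entry. Two documentation points in the same hunk: entry 001 reads "Where it is written:" and then goes straight to "The extra / at the end is important", so neither the incorrect nor the corrected command is visible; and 014 says the Allow/Deny rules "fail to match" without stating the effect on access control, which is what an administrator needs in order to judge exposure on sparc64.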