- 015: SECURITY FIX: October 12, 2006 All architectures
- Fix 2 security bugs found in OpenSSH. A pre-authentication denial of service (found
- by Tavis Ormandy) that would cause
- sshd(8)
- to spin until the login grace time expired.
- An unsafe signal handler (found by Mark Dowd) that is vulnerable to a race condition
- that could be exploited to perform a pre-authentication denial of service.
- CVE-2006-4924,
- CVE-2006-5051
-
-
- A source code patch exists which remedies this problem.
-
-
-
- 014: SECURITY FIX: October 7, 2006 All architectures
- Fix for an integer overflow in
- systrace(4)'s
- STRIOCREPLACE support, found by
- Chris Evans. This could be exploited for DoS, limited kmem reads or local
- privilege escalation.
-
-
- A source code patch exists which remedies this problem.
-
-
-
- 013: SECURITY FIX: October 7, 2006 All architectures
- Several problems have been found in OpenSSL. While parsing certain invalid ASN.1
- structures an error condition is mishandled, possibly resulting in an infinite
- loop. A buffer overflow exists in the SSL_get_shared_ciphers function. A NULL
- pointer may be dereferenced in the SSL version 2 client code. In addition, many
- applications using OpenSSL do not perform any validation of the lengths of
- public keys being used.
- CVE-2006-2937,
- CVE-2006-3738,
- CVE-2006-4343,
- CVE-2006-2940
-
-
- A source code patch exists which remedies this problem.
-
-
-
- 012: SECURITY FIX: October 7, 2006 All architectures
- httpd(8)
- does not sanitize the Expect header from an HTTP request when it is
- reflected back in an error message, which might allow cross-site scripting (XSS)
- style attacks.
- CVE-2006-3918
-
-
- A source code patch exists which remedies this problem.
-
-
-
- 011: SECURITY FIX: September 8, 2006 All architectures
- Due to incorrect PKCS#1 v1.5 padding validation in OpenSSL, it is possible for
- an attacker to construct an invalid signature which OpenSSL would accept as a
- valid PKCS#1 v1.5 signature.
- CVE-2006-4339
-
-
- A source code patch exists which remedies this problem.
-
-
-
- 010: SECURITY FIX: September 8, 2006 All architectures
- Two Denial of Service issues have been found with BIND.
- An attacker who can perform recursive lookups on a DNS server and is able
- to send a sufficiently large number of recursive queries, or is able to
- get the DNS server to return more than one SIG(covered) RRset, can stop
- the functionality of the DNS service.
- An attacker querying an authoritative DNS server serving a RFC 2535
- DNSSEC zone may be able to crash the DNS server.
- CVE-2006-4095,
- CVE-2006-4096
-
-
- A source code patch exists which remedies this problem.
-
-
-
- 009: SECURITY FIX: September 2, 2006 All architectures
- Due to the failure to correctly validate LCP configuration option lengths,
- it is possible for an attacker to send LCP packets via an
- sppp(4)
- connection causing the kernel to panic.
- CVE-2006-4304
-
-
- A source code patch exists which remedies this problem.
-
-
-
- 008: SECURITY FIX: August 25, 2006 All architectures
- A problem in
- isakmpd(8)
- caused IPsec to run partly without replay protection. If
- isakmpd(8)
- was acting as responder during SA negotiation, SAs with a replay window of size 0 were created.
- An attacker could reinject sniffed IPsec packets, which will be accepted without checking the
- replay counter.
-
-
- A source code patch exists which remedies this problem.
-
-
-
- 007: SECURITY FIX: August 25, 2006 All architectures
- It is possible to cause the kernel to panic when more than the default number of
- semaphores have been allocated.
-
-
- A source code patch exists which remedies this problem.
-
- 005: SECURITY FIX: August 25, 2006 All architectures
- A potential denial of service problem has been found in sendmail. A message
- with really long header lines could trigger a use-after-free bug causing
- sendmail to crash.
-
-
- A source code patch exists which remedies this problem.
-
-
-
- 004: SECURITY FIX: July 30, 2006 All architectures
- httpd(8)'s
- mod_rewrite has a potentially exploitable off-by-one buffer overflow.
- The buffer overflow may result in a vulnerability which, in combination
- with certain types of Rewrite rules in the web server configuration files,
- could be triggered remotely. The default install is not affected by the
- buffer overflow. CVE-2006-3747
-
-
- A source code patch exists which remedies this problem.
-
-
-
- 003: SECURITY FIX: June 15, 2006 All architectures
- A potential denial of service problem has been found in sendmail. A malformed MIME
- message could trigger excessive recursion which will lead to stack exhaustion.
- This denial of service attack only affects delivery of mail from the queue and
- delivery of a malformed message. Other incoming mail is still accepted and
- delivered. However, mail messages in the queue may not be reattempted if a
- malformed MIME message exists.
-
-
- A source code patch exists which remedies this problem.
-
-
-
- 002: SECURITY FIX: May 2, 2006 All architectures
- A security vulnerability has been found in the X.Org server --
- CVE-2006-1526.
- Clients authorized to connect to the X server are able to crash it and to execute
- malicious code within the X server.
-
-
- A source code patch exists which remedies this problem.
-
-
-
- 001: SECURITY FIX: March 25, 2006 All architectures
- A race condition has been reported to exist in the handling by sendmail of
- asynchronous signals. A remote attacker may be able to execute arbitrary code with the
- privileges of the user running sendmail, typically root. This is the second revision of
- this patch.
-
-
- A source code patch exists which remedies this problem.
-