===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/errata.html,v
retrieving revision 1.585
retrieving revision 1.586
diff -c -r1.585 -r1.586
*** www/errata.html 2007/02/06 16:29:50 1.585
--- www/errata.html 2007/03/06 01:58:04 1.586
***************
*** 15,21 ****
! This is the OpenBSD 4.0 release errata & patch list:
--- 15,21 ----
! This is the OpenBSD 4.1 release errata & patch list:
***************
*** 42,48 ****
3.6,
3.7,
3.8,
! 3.9.
--- 42,49 ----
3.6,
3.7,
3.8,
! 3.9,
! 4.0.
***************
*** 51,57 ****
This file is updated once a day.
The patches below are available in CVS via the
! OPENBSD_4_0
patch branch.
For more detailed information on how to install patches to OpenBSD, please
--- 52,58 ----
This file is updated once a day.
The patches below are available in CVS via the
! OPENBSD_4_1
patch branch.
For more detailed information on how to install patches to OpenBSD, please
***************
*** 67,72 ****
--- 68,74 ----
+
***************
*** 80,199 ****
- -
- 009: INTEROPERABILITY FIX: February 4, 2007 All architectures
- A US daylight saving time rules change takes effect in 2007.
-
-
- A source code patch exists which syncs the timezone data files with tzdata2007a.
-
-
-
-
- 008: RELIABILITY FIX: January 16, 2007 All architectures
- Under some circumstances, processing an ICMP6 echo request would cause
- the kernel to enter an infinite loop.
-
-
- A source code patch exists which remedies this problem.
-
-
-
-
- 007: SECURITY FIX: January 3, 2007
- i386 only
- Insufficient validation in
- vga(4)
- may allow an attacker to gain root privileges if the kernel is compiled with
- option PCIAGP
- and the actual device is not an AGP device.
- The PCIAGP option is present by default on i386
- kernels only.
-
-
- A source code patch exists which remedies this problem.
-
-
-
-
- 006: FTP DISTRIBUTION ERROR: December 4, 2006 All architectures
- The src.tar.gz and ports.tar.gz archives
- released on FTP were created incorrectly, a week after the 4.0 release. The
- archives on the CD sets are correct; this only affects people who downloaded
- them from a mirror.
-
- The archives have been corrected. The correct MD5 of
-
- ports.tar.gz is eff352b4382a7fb7ffce1e8b37e9eb56, and for
-
- src.tar.gz it is b8d7a0dc6f3d27a5377a23d69c40688e.
-
-
-
-
-
- 005: SECURITY FIX: November 19, 2006 All architectures
- The ELF
- ld.so(1)
- fails to properly sanitize the environment. There is a potential localhost security
- problem in cases we have not found yet. This patch applies to all ELF-based
- systems (m68k, m88k, and vax are a.out-based systems).
-
-
- A source code patch exists which remedies this problem.
-
-
-
-
- 004: RELIABILITY FIX: November 7, 2006 All architectures
- Due to a bug in the
- arc(4)
- RAID driver the driver will not properly synchronize the cache to the logical volumes
- upon system shut down. The result being that the mounted file systems within the logical
- volumes will not be properly marked as being clean and fsck will be run for the subsequent
- boot up.
-
-
- A source code patch exists which remedies this problem.
-
-
-
-
- 003: SECURITY FIX: November 4, 2006 All architectures
- Fix for an integer overflow in
- systrace(4)'s
- STRIOCREPLACE support, found by
- Chris Evans. This could be exploited for DoS, limited kmem reads or local
- privilege escalation.
-
-
- A source code patch exists which remedies this problem.
-
-
-
-
- 002: SECURITY FIX: November 4, 2006 All architectures
- Several problems have been found in OpenSSL. While parsing certain invalid ASN.1
- structures an error condition is mishandled, possibly resulting in an infinite
- loop. A buffer overflow exists in the SSL_get_shared_ciphers function. A NULL
- pointer may be dereferenced in the SSL version 2 client code. In addition, many
- applications using OpenSSL do not perform any validation of the lengths of
- public keys being used.
- CVE-2006-2937,
- CVE-2006-3738,
- CVE-2006-4343,
- CVE-2006-2940
-
-
-
- A source code patch exists which remedies this problem.
-
-
-
-
- 001: SECURITY FIX: November 4, 2006 All architectures
- httpd(8)
- does not sanitize the Expect header from an HTTP request when it is
- reflected back in an error message, which might allow cross-site scripting (XSS)
- style attacks.
- CVE-2006-3918
-
-
-
- A source code patch exists which remedies this problem.
-
--- 82,87 ----
***************
*** 221,233 ****
3.6,
3.7,
3.8,
! 3.9.
www@openbsd.org
!
$OpenBSD: errata.html,v 1.585 2007/02/06 16:29:50 millert Exp $