=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/errata.html,v retrieving revision 1.585 retrieving revision 1.586 diff -c -r1.585 -r1.586 *** www/errata.html 2007/02/06 16:29:50 1.585 --- www/errata.html 2007/03/06 01:58:04 1.586 *************** *** 15,21 ****

! This is the OpenBSD 4.0 release errata & patch list:

--- 15,21 ----

! This is the OpenBSD 4.1 release errata & patch list:

*************** *** 42,48 **** 3.6, 3.7, 3.8, ! 3.9.

--- 42,49 ---- 3.6, 3.7, 3.8, ! 3.9, ! 4.0.

*************** *** 51,57 **** This file is updated once a day.

The patches below are available in CVS via the ! OPENBSD_4_0 patch branch.

For more detailed information on how to install patches to OpenBSD, please --- 52,58 ---- This file is updated once a day.

The patches below are available in CVS via the ! OPENBSD_4_1 patch branch.

For more detailed information on how to install patches to OpenBSD, please *************** *** 67,72 **** --- 68,74 ---- + *************** *** 80,199 ****

- 009: INTEROPERABILITY FIX: February 4, 2007 All architectures
- A US daylight saving time rules change takes effect in 2007. -
- - A source code patch exists which syncs the timezone data files with tzdata2007a.
-
- -
- 008: RELIABILITY FIX: January 16, 2007 All architectures
- Under some circumstances, processing an ICMP6 echo request would cause - the kernel to enter an infinite loop. -
- - A source code patch exists which remedies this problem.
-
- -
- 007: SECURITY FIX: January 3, 2007 - i386 only
- Insufficient validation in - vga(4) - may allow an attacker to gain root privileges if the kernel is compiled with - option PCIAGP - and the actual device is not an AGP device. - The PCIAGP option is present by default on i386 - kernels only. -
- - A source code patch exists which remedies this problem.
-
- -
- 006: FTP DISTRIBUTION ERROR: December 4, 2006 All architectures
- The src.tar.gz and ports.tar.gz archives - released on FTP were created incorrectly, a week after the 4.0 release. The - archives on the CD sets are correct; this only affects people who downloaded - them from a mirror. -
- The archives have been corrected. The correct MD5 of - - ports.tar.gz is eff352b4382a7fb7ffce1e8b37e9eb56, and for - - src.tar.gz it is b8d7a0dc6f3d27a5377a23d69c40688e. -
-
- -
- 005: SECURITY FIX: November 19, 2006 All architectures
- The ELF - ld.so(1) - fails to properly sanitize the environment. There is a potential localhost security - problem in cases we have not found yet. This patch applies to all ELF-based - systems (m68k, m88k, and vax are a.out-based systems). -
- - A source code patch exists which remedies this problem.
-
- -
- 004: RELIABILITY FIX: November 7, 2006 All architectures
- Due to a bug in the - arc(4) - RAID driver the driver will not properly synchronize the cache to the logical volumes - upon system shut down. The result being that the mounted file systems within the logical - volumes will not be properly marked as being clean and fsck will be run for the subsequent - boot up. -
- - A source code patch exists which remedies this problem.
-
- -
- 003: SECURITY FIX: November 4, 2006 All architectures
- Fix for an integer overflow in - systrace(4)'s - STRIOCREPLACE support, found by - Chris Evans. This could be exploited for DoS, limited kmem reads or local - privilege escalation. -
- - A source code patch exists which remedies this problem.
-
- -
- 002: SECURITY FIX: November 4, 2006 All architectures
- Several problems have been found in OpenSSL. While parsing certain invalid ASN.1 - structures an error condition is mishandled, possibly resulting in an infinite - loop. A buffer overflow exists in the SSL_get_shared_ciphers function. A NULL - pointer may be dereferenced in the SSL version 2 client code. In addition, many - applications using OpenSSL do not perform any validation of the lengths of - public keys being used. - CVE-2006-2937, - CVE-2006-3738, - CVE-2006-4343, - CVE-2006-2940 -
- - - A source code patch exists which remedies this problem.
-
- -
- 001: SECURITY FIX: November 4, 2006 All architectures
- httpd(8) - does not sanitize the Expect header from an HTTP request when it is - reflected back in an error message, which might allow cross-site scripting (XSS) - style attacks. - CVE-2006-3918 - -
- - A source code patch exists which remedies this problem.
-

--- 82,87 ---- *************** *** 221,233 **** 3.6, 3.7, 3.8, ! 3.9.

www@openbsd.org !
$OpenBSD: errata.html,v 1.585 2007/02/06 16:29:50 millert Exp $ --- 109,122 ---- 3.6, 3.7, 3.8, ! 3.9, ! 4.0.

www@openbsd.org !
$OpenBSD: errata.html,v 1.586 2007/03/06 01:58:04 deraadt Exp $