www/errata.html - diff

Return to errata.html CVS log

Up to [local] / www

Diff for /www/errata.html between version 1.570 and 1.571

-version 1.570, 2006/10/13 15:57:25
+version 1.571, 2006/10/31 22:56:12
 Line 1
 Line 1
 Line 1
  <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
  <html>
  <head>
- <title>OpenBSD 3.9 errata</title>
+ <title>OpenBSD 4.0 errata</title>
  <link rev=made href="mailto:www@openbsd.org">
  <meta name="resource-type" content="document">
  <meta name="description" content="the OpenBSD CD errata page">
 Line 15
 Line 15
 Line 15
  <a href="index.html"><img alt="[OpenBSD]" height="30" width="141" src="images/smalltitle.gif" border="0"></a>
  <h2><font color="#0000e0">
- This is the OpenBSD 3.9 release errata &amp; patch list:
+ This is the OpenBSD 4.0 release errata &amp; patch list:
  </font></h2>
 Line 41
 Line 41
 Line 41
  <a href="errata35.html">3.5</a>,
  <a href="errata36.html">3.6</a>,
  <a href="errata37.html">3.7</a>,
- <a href="errata38.html">3.8</a>.
+ <a href="errata38.html">3.8</a>,
+ <a href="errata39.html">3.9</a>.
  <br>
  <hr>
- <a href="ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9.tar.gz">
+ <a href="ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0.tar.gz">
  You can also fetch a tar.gz file containing all the following patches</a>.
  This file is updated once a day.
-Line 74
+Line 75
 Line 74
 Line 75
  <a name="vax"></a>
  <ul>
- <li><a name="ssh"></a>
- <font color="#009000"><strong>015: SECURITY FIX: October 12, 2006</strong></font> &nbsp; <i>All architectures</i><br>
- Fix 2 security bugs found in OpenSSH. A pre-authentication denial of service (found
- by Tavis Ormandy) that would cause
- <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&amp;sektion=8">sshd(8)</a>
- to spin until the login grace time expired.
- An unsafe signal handler (found by Mark Dowd) that is vulnerable to a race condition
- that could be exploited to perform a pre-authentication denial of service.
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4924">CVE-2006-4924</a>,
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5051">CVE-2006-5051</a>
- <br>
- <a href="ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/015_ssh.patch">
- A source code patch exists which remedies this problem</a>.<br>
- <p>
- <li><a name="systrace"></a>
- <font color="#009000"><strong>014: SECURITY FIX: October 7, 2006</strong></font> &nbsp; <i>All architectures</i><br>
- Fix for an integer overflow in
- <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=systrace&amp;sektion=4">systrace(4)</a>'s
- STRIOCREPLACE support, found by
- Chris Evans. This could be exploited for DoS, limited kmem reads or local
- privilege escalation.
- <br>
- <a href="ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/014_systrace.patch">
- A source code patch exists which remedies this problem</a>.<br>
- <p>
- <li><a name="openssl2"></a>
- <font color="#009000"><strong>013: SECURITY FIX: October 7, 2006</strong></font> &nbsp; <i>All architectures</i><br>
- Several problems have been found in OpenSSL. While parsing certain invalid ASN.1
- structures an error condition is mishandled, possibly resulting in an infinite
- loop. A buffer overflow exists in the SSL_get_shared_ciphers function. A NULL
- pointer may be dereferenced in the SSL version 2 client code. In addition, many
- applications using OpenSSL do not perform any validation of the lengths of
- public keys being used.
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937">CVE-2006-2937</a>,
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738">CVE-2006-3738</a>,
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343">CVE-2006-4343</a>,
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940">CVE-2006-2940</a>
- <br>
- <a href="ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/013_openssl2.patch">
- A source code patch exists which remedies this problem</a>.<br>
- <p>
- <li><a name="httpd2"></a>
- <font color="#009000"><strong>012: SECURITY FIX: October 7, 2006</strong></font> &nbsp; <i>All architectures</i><br>
- <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=httpd&amp;sektion=8">httpd(8)</a>
- does not sanitize the Expect header from an HTTP request when it is
- reflected back in an error message, which might allow cross-site scripting (XSS)
- style attacks.
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3918">CVE-2006-3918</a>
- <br>
- <a href="ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/012_httpd2.patch">
- A source code patch exists which remedies this problem</a>.<br>
- <p>
- <li><a name="openssl"></a>
- <font color="#009000"><strong>011: SECURITY FIX: September 8, 2006</strong></font> &nbsp; <i>All architectures</i><br>
- Due to incorrect PKCS#1 v1.5 padding validation in OpenSSL, it is possible for
- an attacker to construct an invalid signature which OpenSSL would accept as a
- valid PKCS#1 v1.5 signature.
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339">CVE-2006-4339</a>
- <br>
- <a href="ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/011_openssl.patch">
- A source code patch exists which remedies this problem</a>.<br>
- <p>
- <li><a name="bind"></a>
- <font color="#009000"><strong>010: SECURITY FIX: September 8, 2006</strong></font> &nbsp; <i>All architectures</i><br>
- Two Denial of Service issues have been found with BIND.
- An attacker who can perform recursive lookups on a DNS server and is able
- to send a sufficiently large number of recursive queries, or is able to
- get the DNS server to return more than one SIG(covered) RRsets can stop
- the functionality of the DNS service.
- An attacker querying an authoritative DNS server serving a RFC 2535
- DNSSEC zone may be able to crash the DNS server.
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4095">CVE-2006-4095</a>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4096">CVE-2006-4096</a>
- <br>
- <a href="ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/010_bind.patch">
- A source code patch exists which remedies this problem</a>.<br>
- <p>
- <li><a name="sppp"></a>
- <font color="#009000"><strong>009: SECURITY FIX: September 2, 2006</strong></font> &nbsp; <i>All architectures</i><br>
- Due to the failure to correctly validate LCP configuration option lengths,
- it is possible for an attacker to send LCP packets via an
- <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sppp&amp;sektion=4">sppp(4)</a>
- connection causing the kernel to panic.
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4304">CVE-2006-4304</a>
- <br>
- <a href="ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/009_sppp.patch">
- A source code patch exists which remedies this problem</a>.<br>
- <p>
- <li><a name="isakmpd"></a>
- <font color="#009000"><strong>008: SECURITY FIX: August 25, 2006</strong></font> &nbsp; <i>All architectures</i><br>
- A problem in
- <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd&amp;sektion=8">isakmpd(8)</a>
- caused IPsec to run partly without replay protection. If
- <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd&amp;sektion=8">isakmpd(8)</a>
- was acting as responder during SA negotiation, SA's with a replay window of size 0 were created.
- An attacker could reinject sniffed IPsec packets, which will be accepted without checking the
- replay counter.
- <br>
- <a href="ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/008_isakmpd.patch">
- A source code patch exists which remedies this problem</a>.<br>
- <p>
- <li><a name="sem"></a>
- <font color="#009000"><strong>007: SECURITY FIX: August 25, 2006</strong></font> &nbsp; <i>All architectures</i><br>
- It is possible to cause the kernel to panic when more than the default number of
- sempahores have been allocated.
- <br>
- <a href="ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/007_sem.patch">
- A source code patch exists which remedies this problem</a>.<br>
- <p>
- <li><a name="dhcpd"></a>
- <font color="#009000"><strong>006: SECURITY FIX: August 25, 2006</strong></font> &nbsp; <i>All architectures</i><br>
- Due to an off-by-one error in
- <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dhcpd&amp;sektion=8">dhcpd(8)</a>,
- it is possible to cause
- <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dhcpd&amp;sektion=8">dhcpd(8)</a>
- to exit by sending a DHCPDISCOVER packet with a 32-byte client identifier option.
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3122">CVE-2006-3122</a>
- <br>
- <a href="ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/006_dhcpd.patch">
- A source code patch exists which remedies this problem</a>.<br>
- <p>
- <li><a name="sendmail3"></a>
- <font color="#009000"><strong>005: SECURITY FIX: August 25, 2006</strong></font> &nbsp; <i>All architectures</i><br>
- A potential denial of service problem has been found in sendmail. A message
- with really long header lines could trigger a use-after-free bug causing
- sendmail to crash.
- <br>
- <a href="ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/005_sendmail3.patch">
- A source code patch exists which remedies this problem</a>.<br>
- <p>
- <li><a name="httpd"></a>
- <font color="#009000"><strong>004: SECURITY FIX: July 30, 2006</strong></font> &nbsp; <i>All architectures</i><br>
- <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=httpd&amp;sektion=8">httpd(8)</a>'s
- mod_rewrite has a potentially exploitable off-by-one buffer overflow.
- The buffer overflow may result in a vulnerability which, in combination
- with certain types of Rewrite rules in the web server configuration files,
- could be triggered remotely. The default install is not affected by the
- buffer overflow. CVE-2006-3747
- <br>
- <a href="ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/004_httpd.patch">
- A source code patch exists which remedies this problem</a>.<br>
- <p>
- <li><a name="sendmail2"></a>
- <font color="#009000"><strong>003: SECURITY FIX: June 15, 2006</strong></font> &nbsp; <i>All architectures</i><br>
- A potential denial of service problem has been found in sendmail. A malformed MIME
- message could trigger excessive recursion which will lead to stack exhaustion.
- This denial of service attack only affects delivery of mail from the queue and
- delivery of a malformed message. Other incoming mail is still accepted and
- delivered. However, mail messages in the queue may not be reattempted if a
- malformed MIME message exists.
- <br>
- <a href="ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/003_sendmail2.patch">
- A source code patch exists which remedies this problem</a>.<br>
- <p>
- <li><a name="xorg"></a>
- <font color="#009000"><strong>002: SECURITY FIX: May 2, 2006</strong></font> &nbsp; <i>All architectures</i><br>
- A security vulnerability has been found in the X.Org server --
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1526">CVE-2006-1526</a>.
- Clients authorized to connect to the X server are able to crash it and to execute
- malicious code within the X server.
- <br>
- <a href="ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/002_xorg.patch">
- A source code patch exists which remedies this problem</a>.<br>
- <p>
- <li><a name="sendmail"></a>
- <font color="#009000"><strong>001: SECURITY FIX: March 25, 2006</strong></font> &nbsp; <i>All architectures</i><br>
- A race condition has been reported to exist in the handling by sendmail of
- asynchronous signals. A remote attacker may be able to execute arbitrary code with the
- privileges of the user running sendmail, typically root. This is the second revision of
- this patch.
- <br>
- <a href="ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/001_sendmail.patch">
- A source code patch exists which remedies this problem</a>.<br>
- <p>
  </ul>
  <br>
-Line 288
+Line 101
 Line 288
 Line 101
  <a href="errata35.html">3.5</a>,
  <a href="errata36.html">3.6</a>,
  <a href="errata37.html">3.7</a>,
- <a href="errata38.html">3.8</a>.
+ <a href="errata39.html">3.9</a>,
+ <a href="errata39.html">3.9</a>.
  <br>
  <hr>