File: [local] / www / errata.html (download) (as text)
Revision 1.581, Sun Dec 10 21:45:25 2006 UTC (17 years, 5 months ago) by pvalchev
Branch: MAIN
Changes since 1.580: +10 -7 lines
update last errata entry to include src.tar.gz too.
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>OpenBSD 4.0 errata</title>
<link rev=made href="mailto:www@openbsd.org">
<meta name="resource-type" content="document">
<meta name="description" content="the OpenBSD CD errata page">
<meta name="keywords" content="openbsd,cd,errata">
<meta name="distribution" content="global">
<meta name="copyright" content="This document copyright 1997-2004 by OpenBSD.">
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#ffffff" text="#000000" link="#23238E">
<a href="index.html"><img alt="[OpenBSD]" height="30" width="141" src="images/smalltitle.gif" border="0"></a>
<h2><font color="#0000e0">
This is the OpenBSD 4.0 release errata & patch list:
</font></h2>
<hr>
<a href=stable.html>For OpenBSD patch branch information, please refer here.</a><br>
<a href=pkg-stable.html>For important packages updates, please refer here.</a><br>
<br>
For errata on a certain release, click below:<br>
<a href="errata21.html">2.1</a>,
<a href="errata22.html">2.2</a>,
<a href="errata23.html">2.3</a>,
<a href="errata24.html">2.4</a>,
<a href="errata25.html">2.5</a>,
<a href="errata26.html">2.6</a>,
<a href="errata27.html">2.7</a>,
<a href="errata28.html">2.8</a>,
<a href="errata29.html">2.9</a>,
<a href="errata30.html">3.0</a>,
<a href="errata31.html">3.1</a>,
<a href="errata32.html">3.2</a>,
<a href="errata33.html">3.3</a>,
<a href="errata34.html">3.4</a>,
<a href="errata35.html">3.5</a>,
<a href="errata36.html">3.6</a>,
<a href="errata37.html">3.7</a>,
<a href="errata38.html">3.8</a>,
<a href="errata39.html">3.9</a>.
<br>
<hr>
<a href="ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0.tar.gz">
You can also fetch a tar.gz file containing all the following patches</a>.
This file is updated once a day.
<p> The patches below are available in CVS via the
<code>OPENBSD_4_0</code> <a href="stable.html">patch branch</a>.
<p>
For more detailed information on how to install patches to OpenBSD, please
consult the <a href="./faq/faq10.html#Patches">OpenBSD FAQ</a>.
<hr>
<!-- Temporarily put anchors for all archs here. Remove later. -->
<a name="all"></a>
<a name="alpha"></a>
<a name="amd64"></a>
<a name="cats"></a>
<a name="hp300"></a>
<a name="hppa"></a>
<a name="i386"></a>
<a name="mac68k"></a>
<a name="macppc"></a>
<a name="mvme68k"></a>
<a name="mvme88k"></a>
<a name="sparc"></a>
<a name="sparc64"></a>
<a name="vax"></a>
<ul>
<li><a name="ports-tar"></a>
<font color="#009000"><strong>006: FTP DISTRIBUTION ERROR: December 4, 2006</strong></font> <i>All architectures</i><br>
The <strong>src.tar.gz</strong> and <strong>ports.tar.gz</strong> archives
released on FTP were created incorrectly, a week after the 4.0 release. The
archives on the CD sets are correct; this only affects people who downloaded
them from a <a href="ftp.html">mirror</a>.
<br>
The archives have been corrected. The correct MD5 of
<a href="ftp://ftp.openbsd.org/pub/OpenBSD/4.0/ports.tar.gz">
ports.tar.gz</a> is eff352b4382a7fb7ffce1e8b37e9eb56, and for
<a href="ftp://ftp.openbsd.org/pub/OpenBSD/4.0/src.tar.gz">
src.tar.gz</a> it is b8d7a0dc6f3d27a5377a23d69c40688e.
<br>
<p>
<li><a name="ldso"></a>
<font color="#009000"><strong>005: SECURITY FIX: November 19, 2006</strong></font> <i>All architectures</i><br>
The ELF
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ld.so&sektion=1">ld.so(1)</a>
fails to properly sanitize the environment. There is a potential localhost security
problem in cases we have not found yet. This patch applies to all ELF-based
systems (m68k, m88k, and vax are a.out-based systems).
<br>
<a href="ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0/common/005_ldso.patch">
A source code patch exists which remedies this problem</a>.<br>
<p>
<li><a name="arc"></a>
<font color="#009000"><strong>004: RELIABILITY FIX: November 7, 2006</strong></font> <i>All architectures</i><br>
Due to a bug in the
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=arc&sektion=4">arc(4)</a>
RAID driver the driver will not properly synchronize the cache to the logical volumes
upon system shut down. The result being that the mounted file systems within the logical
volumes will not be properly marked as being clean and fsck will be run for the subsequent
boot up.
<br>
<a href="ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0/common/004_arc.patch">
A source code patch exists which remedies this problem</a>.<br>
<p>
<li><a name="systrace"></a>
<font color="#009000"><strong>003: SECURITY FIX: November 4, 2006</strong></font> <i>All architectures</i><br>
Fix for an integer overflow in
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=systrace&sektion=4">systrace(4)</a>'s
STRIOCREPLACE support, found by
Chris Evans. This could be exploited for DoS, limited kmem reads or local
privilege escalation.
<br>
<a href="ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0/common/003_systrace.patch">
A source code patch exists which remedies this problem</a>.<br>
<p>
<li><a name="openssl2"></a>
<font color="#009000"><strong>002: SECURITY FIX: November 4, 2006</strong></font> <i>All architectures</i><br>
Several problems have been found in OpenSSL. While parsing certain invalid ASN.1
structures an error condition is mishandled, possibly resulting in an infinite
loop. A buffer overflow exists in the SSL_get_shared_ciphers function. A NULL
pointer may be dereferenced in the SSL version 2 client code. In addition, many
applications using OpenSSL do not perform any validation of the lengths of
public keys being used.
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937">CVE-2006-2937</a>,
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738">CVE-2006-3738</a>,
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343">CVE-2006-4343</a>,
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940">CVE-2006-2940</a>
<br>
<a href="ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0/common/002_openssl.patch">
A source code patch exists which remedies this problem</a>.<br>
<p>
<li><a name="httpd"></a>
<font color="#009000"><strong>001: SECURITY FIX: November 4, 2006</strong></font> <i>All architectures</i><br>
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=httpd&sektion=8">httpd(8)</a>
does not sanitize the Expect header from an HTTP request when it is
reflected back in an error message, which might allow cross-site scripting (XSS)
style attacks.
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3918">CVE-2006-3918</a>
<br>
<a href="ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0/common/001_httpd.patch">
A source code patch exists which remedies this problem</a>.<br>
<p>
</ul>
<br>
<hr>
<a href=stable.html>For OpenBSD patch branch information, please refer here.</a><br>
<a href=pkg-stable.html>For important packages updates, please refer here.</a><br>
<br>
For errata on a certain release, click below:<br>
<a href="errata21.html">2.1</a>,
<a href="errata22.html">2.2</a>,
<a href="errata23.html">2.3</a>,
<a href="errata24.html">2.4</a>,
<a href="errata25.html">2.5</a>,
<a href="errata26.html">2.6</a>,
<a href="errata27.html">2.7</a>,
<a href="errata28.html">2.8</a>,
<a href="errata29.html">2.9</a>,
<a href="errata30.html">3.0</a>,
<a href="errata31.html">3.1</a>,
<a href="errata32.html">3.2</a>,
<a href="errata33.html">3.3</a>,
<a href="errata34.html">3.4</a>,
<a href="errata35.html">3.5</a>,
<a href="errata36.html">3.6</a>,
<a href="errata37.html">3.7</a>,
<a href="errata38.html">3.8</a>,
<a href="errata39.html">3.9</a>.
<br>
<hr>
<a href=index.html><img height=24 width=24 src=back.gif border=0 alt=OpenBSD></a>
<a href="mailto:www@openbsd.org">www@openbsd.org</a>
<br><small>$OpenBSD: errata.html,v 1.581 2006/12/10 21:45:25 pvalchev Exp $</small>
</body>
</html>
![[BACK]](/icons/back.gif){kind=icon}
Return to errata.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www