===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/errata22.html,v
retrieving revision 1.70
retrieving revision 1.71
diff -c -r1.70 -r1.71
*** www/errata22.html	2014/03/31 03:12:47	1.70
--- www/errata22.html	2014/03/31 03:36:54	1.71
***************
*** 74,84 ****
  
  <hr>
  
- <a name="all"></a>
- <h3><font color="#e00000">All architectures</font></h3>
  <ul>
  <li><a name="ipsec"></a>
! <font color="#009000"><strong>SECURITY FIX</strong></font><br>
  If IPSEC communication is attempted by starting photurisd(8) (which is
  disabled by default), a system crash may be evoked from remote if
  an attacker uses some classes of invalid packets.
--- 74,82 ----
  
  <hr>
  
  <ul>
  <li><a name="ipsec"></a>
! <font color="#009000"><strong>SECURITY FIX</strong></font> &nbsp; <i>All architectures</i><br>
  If IPSEC communication is attempted by starting photurisd(8) (which is
  disabled by default), a system crash may be evoked from remote if
  an attacker uses some classes of invalid packets.
***************
*** 86,92 ****
  A source code patch exists which remedies this problem.</a>
  <p>
  <li><a name="xterm-xaw"></a>
! <font color="#009000"><strong>SECURITY FIX</strong></font><br>
  As stated in CERT advisory VB-98.04, there are buffer
  overrun problems in <strong>xterm</strong> related to the input-Method,
  preeditType, and *Keymap resources. Additional buffer overruns exist in
--- 84,90 ----
  A source code patch exists which remedies this problem.</a>
  <p>
  <li><a name="xterm-xaw"></a>
! <font color="#009000"><strong>SECURITY FIX</strong></font> &nbsp; <i>All architectures</i><br>
  As stated in CERT advisory VB-98.04, there are buffer
  overrun problems in <strong>xterm</strong> related to the input-Method,
  preeditType, and *Keymap resources. Additional buffer overruns exist in
***************
*** 101,107 ****
  We provide a version of this patch file specifically for the OpenBSD 2.2 tree</a>.
  <p>
  <li><a name="rmjob"></a>
! <font color="#009000"><strong>SECURITY FIX</strong></font><br>
  An exploitable buffer mismanagement exists in a subroutine used by
  lprm and lpd.  The problem is exploitable by users on a particular
  machine if there is an entry in <strong>/etc/printcap</strong> which
--- 99,105 ----
  We provide a version of this patch file specifically for the OpenBSD 2.2 tree</a>.
  <p>
  <li><a name="rmjob"></a>
! <font color="#009000"><strong>SECURITY FIX</strong></font> &nbsp; <i>All architectures</i><br>
  An exploitable buffer mismanagement exists in a subroutine used by
  lprm and lpd.  The problem is exploitable by users on a particular
  machine if there is an entry in <strong>/etc/printcap</strong> which
***************
*** 110,130 ****
  A patch is available which corrects this behaviour</a>.
  <p>
  <li><a name="uucpd"></a>
! <font color="#009000"><strong>SECURITY FIX</strong></font><br>
  A DNS-based vulnerability exists when uucpd is used.  By default uucpd
  is not enabled in the OpenBSD releases, but some sites may have enabled it.
  <a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.2/common/uucpd.patch">
  A patch is available which corrects this behaviour</a>.
  <p>
  <li><a name="named"></a>
! <font color="#009000"><strong>SECURITY FIX</strong></font><br>
  A vulnerability exists when (and only when) /etc/named.conf has the
  <strong>fake-iquery</strong> option enabled.
  <a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.2/common/named.patch">
  A patch is available which corrects this behaviour</a>.
  <p>
  <li><a name="ping"></a>
! <font color="#009000"><strong>SECURITY FIX</strong></font><br>
  A vulnerability exists in ping(8); if the -R option is used to record
  routes, an attacker can spoof a reply packet that will overflow inside
  ping.  Preliminary investigation makes it look the worst attack
--- 108,128 ----
  A patch is available which corrects this behaviour</a>.
  <p>
  <li><a name="uucpd"></a>
! <font color="#009000"><strong>SECURITY FIX</strong></font> &nbsp; <i>All architectures</i><br>
  A DNS-based vulnerability exists when uucpd is used.  By default uucpd
  is not enabled in the OpenBSD releases, but some sites may have enabled it.
  <a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.2/common/uucpd.patch">
  A patch is available which corrects this behaviour</a>.
  <p>
  <li><a name="named"></a>
! <font color="#009000"><strong>SECURITY FIX</strong></font> &nbsp; <i>All architectures</i><br>
  A vulnerability exists when (and only when) /etc/named.conf has the
  <strong>fake-iquery</strong> option enabled.
  <a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.2/common/named.patch">
  A patch is available which corrects this behaviour</a>.
  <p>
  <li><a name="ping"></a>
! <font color="#009000"><strong>SECURITY FIX</strong></font> &nbsp; <i>All architectures</i><br>
  A vulnerability exists in ping(8); if the -R option is used to record
  routes, an attacker can spoof a reply packet that will overflow inside
  ping.  Preliminary investigation makes it look the worst attack
***************
*** 133,139 ****
  A patch is available which corrects this behaviour</a>.
  <p>
  <li><a name="sourceroute"></a>
! <strong><font color="#009000">SECURITY FIX</font></strong><br>
  If the sysctl variable <strong>net.inet.ip.forwarding</strong> is
  enabled (value 1), but the variable <strong>net.inet.ip.sourceroute</strong>
  is disabled (value 0), the kernel will block source routed packets from
--- 131,137 ----
  A patch is available which corrects this behaviour</a>.
  <p>
  <li><a name="sourceroute"></a>
! <strong><font color="#009000">SECURITY FIX</font></strong> &nbsp; <i>All architectures</i><br>
  If the sysctl variable <strong>net.inet.ip.forwarding</strong> is
  enabled (value 1), but the variable <strong>net.inet.ip.sourceroute</strong>
  is disabled (value 0), the kernel will block source routed packets from
***************
*** 145,151 ****
  A kernel patch is provided</a>.
  <p>
  <li><a name="ruserok"></a>
! <font color="#009000"><strong>SECURITY FIX</strong></font><br>
  A combination localhost+remote host security problem exists if a
  local user running a setuid binary causes a non-existent root .rhosts
  file to be created via a symbolic link with a specific kind of corefile,
--- 143,149 ----
  A kernel patch is provided</a>.
  <p>
  <li><a name="ruserok"></a>
! <font color="#009000"><strong>SECURITY FIX</strong></font> &nbsp; <i>All architectures</i><br>
  A combination localhost+remote host security problem exists if a
  local user running a setuid binary causes a non-existent root .rhosts
  file to be created via a symbolic link with a specific kind of corefile,
***************
*** 177,183 ****
  ssh 1.2.21 and previous (the ssh people have been alerted).
  <p>
  <li><a name="mmap"></a>
! <strong><font color="#009000">SECURITY FIX</font></strong><br>
  A bug in the vm system permits a file descriptor opened read-only on a
  device, to later on be mmap(2)'d read-write, and then modified.  This
  does not result in a security hole by itself, but it does violate the
--- 175,181 ----
  ssh 1.2.21 and previous (the ssh people have been alerted).
  <p>
  <li><a name="mmap"></a>
! <strong><font color="#009000">SECURITY FIX</font></strong> &nbsp; <i>All architectures</i><br>
  A bug in the vm system permits a file descriptor opened read-only on a
  device, to later on be mmap(2)'d read-write, and then modified.  This
  does not result in a security hole by itself, but it does violate the
***************
*** 188,194 ****
  A kernel patch is available which corrects this behaviour (this is
  revision 3 of this patch)</a>.
  <p>
! <li><font color="#009000"><strong>BUILD PROCESS FIX</strong></font><br>
  Building an object tree from a read-only source tree (such as off a CDROM)
  may fail under certain circumstances (e.g. when creating a symlink on sparc
  whose target name is exactly 33 characters).  As a workaround you have to
--- 186,192 ----
  A kernel patch is available which corrects this behaviour (this is
  revision 3 of this patch)</a>.
  <p>
! <li><font color="#009000"><strong>BUILD PROCESS FIX</strong></font> &nbsp; <i>All architectures</i><br>
  Building an object tree from a read-only source tree (such as off a CDROM)
  may fail under certain circumstances (e.g. when creating a symlink on sparc
  whose target name is exactly 33 characters).  As a workaround you have to
***************
*** 198,211 ****
  A replacement source file exists</a>.
  <p>
  <li><a name="mountd"></a>
! <font color="#009000"><strong>SECURITY FIX</strong></font><br>
  If a line in /etc/exports which contains hostnames results in an empty
  list because none of the supplied hostnames is known, mountd(8) will
  accidentally export the filesystem to the world.
  <a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.2/common/mountd.patch">
  A patch is available which corrects this behaviour</a>.
  <p>
! <li><font color="#009000"><strong>RELIABILITY FIX</strong></font><br>
  Setting the MSG_EOR flag on a tcp packet in the send(2) family of
  system calls could cause a kernel panic.
  <a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.2/common/send.patch">
--- 196,209 ----
  A replacement source file exists</a>.
  <p>
  <li><a name="mountd"></a>
! <font color="#009000"><strong>SECURITY FIX</strong></font> &nbsp; <i>All architectures</i><br>
  If a line in /etc/exports which contains hostnames results in an empty
  list because none of the supplied hostnames is known, mountd(8) will
  accidentally export the filesystem to the world.
  <a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.2/common/mountd.patch">
  A patch is available which corrects this behaviour</a>.
  <p>
! <li><font color="#009000"><strong>RELIABILITY FIX</strong></font> &nbsp; <i>All architectures</i><br>
  Setting the MSG_EOR flag on a tcp packet in the send(2) family of
  system calls could cause a kernel panic.
  <a href="http://ftp.openbsd.org/pub/OpenBSD/patches/2.2/common/send.patch">