=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/errata34.html,v retrieving revision 1.90 retrieving revision 1.91 diff -c -r1.90 -r1.91 *** www/errata34.html 2019/05/27 22:55:19 1.90 --- www/errata34.html 2019/05/28 16:32:42 1.91 *************** *** 83,288 ****

! 035: SECURITY FIX: December 13, 2004 All architectures
! On systems running ! isakmpd(8) ! it is possible for a local user to cause kernel memory corruption ! and system panic by setting ! ipsec(4) ! credentials on a socket. !
! ! A source code patch exists which remedies this problem.
!
! 034: RELIABILITY FIX: November 10, 2004 All architectures
! Due to a bug in ! lynx(1) ! it is possible for pages such as ! this ! to cause ! lynx(1) ! to exhaust memory and then crash when parsing such pages. !
! A source code patch exists which remedies this problem.
!
! 033: RELIABILITY FIX: November 10, 2004 All architectures
! pppd(8) ! contains a bug that allows an attacker to crash his own connection, but it cannot ! be used to deny service to other users. !
! A source code patch exists which remedies this problem.
!
! 032: RELIABILITY FIX: November 10, 2004 All architectures
! BIND contains a bug which results in BIND trying to contact nameservers via IPv6, even in ! cases where IPv6 connectivity is non-existent. This results in unnecessary timeouts and ! thus slow DNS queries.
! A source code patch exists which remedies this problem.
!
! 031: SECURITY FIX: September 20, 2004 All architectures
! Eilko Bos reported that radius authentication, as implemented by ! login_radius(8), ! was not checking the shared secret used for replies sent by the radius server. ! This could allow an attacker to spoof a reply granting access to the ! attacker. Note that OpenBSD does not ship with radius authentication enabled.
! A source code patch exists which remedies this problem.
!
! 030: SECURITY FIX: September 16, 2004 ! All architectures
! Chris Evans reported several flaws (stack and integer overflows) in the ! Xpm ! library code that parses image files ! (CAN-2004-0687, ! CAN-2004-0688). ! Some of these would be exploitable when parsing malicious image files in ! an application that handles XPM images, if they could escape ProPolice.
! A source code patch exists which remedies this problem.
!
! 029: SECURITY FIX: September 10, 2004 All architectures
! httpd(8) ! 's mod_rewrite module can be made to write one zero byte in an arbitrary memory ! position outside of a char array, causing a DoS or possibly buffer overflows. ! This would require enabling dbm for mod_rewrite and making use of a malicious ! dbm file.
! A source code patch exists which remedies this problem.
!
! 028: RELIABILITY FIX: August 26, 2004 All architectures
! As ! reported ! by Vafa Izadinia ! bridge(4) ! with IPsec processing enabled can be crashed remotely by a single ICMP echo traversing the bridge.
! A source code patch exists which remedies this problem.
!
! 027: RELIABILITY FIX: August 25, 2004 All architectures
! Improved verification of ICMP errors in order to minimize the impact of ICMP attacks ! against TCP.
! http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html !
! A source code patch exists which remedies this problem.
!
! 026: RELIABILITY FIX: Jul 25, 2004 All architectures
! Under a certain network load the kernel can run out of stack space. This was ! encountered in an environment using CARP on a VLAN interface. This issue initially ! manifested itself as a FPU related crash on boot up.
! A source code patch exists which remedies this problem.
!
! 025: SECURITY FIX: June 12, 2004 All architectures
! Multiple vulnerabilities have been found in ! httpd(8) ! / mod_ssl. ! CAN-2003-0020, ! CAN-2003-0987, ! CAN-2004-0488, ! CAN-2004-0492.
! A source code patch exists which remedies this problem.
!
! 024: SECURITY FIX: June 10, 2004 All architectures
! As ! disclosed ! by Thomas Walpuski ! isakmpd(8) ! is still vulnerable to unauthorized SA deletion. An attacker can delete IPsec ! tunnels at will.
! A source code patch exists which remedies this problem.
!
! 023: SECURITY FIX: June 9, 2004 All architectures
! Multiple remote vulnerabilities have been found in the ! cvs(1) ! server that allow an attacker to crash the server or possibly execute arbitrary ! code with the same privileges as the CVS server program.
! A source code patch exists which remedies this problem.
!
! 022: SECURITY FIX: May 30, 2004 All architectures
! A flaw in the Kerberos V ! kdc(8) ! server could result in the administrator of a Kerberos realm having ! the ability to impersonate any principal in any other realm which ! has established a cross-realm trust with their realm. The flaw is due to ! inadequate checking of the "transited" field in a Kerberos request. For ! more details see ! Heimdal's announcement.
! A source code patch exists which remedies this problem.
!
! 021: SECURITY FIX: May 20, 2004 All architectures
! A heap overflow in the ! cvs(1) ! server has been discovered that can be exploited by clients sending ! malformed requests, enabling these clients to run arbitrary code ! with the same privileges as the CVS server program.
! A source code patch exists which remedies this problem.
!
! 020: SECURITY FIX: May 13, 2004 All architectures
! Check for integer overflow in procfs. Use of procfs is not recommended.
! A source code patch exists which remedies this problem.
!
! 019: RELIABILITY FIX: May 6, 2004 All architectures
! Reply to in-window SYN with a rate-limited ACK.
! A source code patch exists which remedies this problem.
018: RELIABILITY FIX: May 5, 2004 All architectures
--- 83,292 ----
- ! 001: DOCUMENTATION FIX: November 1, 2003 All architectures
  ! The CD insert documentation has an incorrect example for package installation.
  ! Where it is written:
  ! ! # pkg_add https://ftp.openbsd.org/pub/OpenBSD/3.4/packages/i386
  ! It should instead read:
  ! ! # pkg_add https://ftp.openbsd.org/pub/OpenBSD/3.4/packages/i386/
  ! The extra / at the end is important. We do not make ! patch files available for things printed on paper.
  ! !
- ! 002: SECURITY FIX: November 1, 2003 All architectures
  ! The use of certain ASN.1 encodings or malformed public keys may allow an ! attacker to mount a denial of service attack against applications linked with ! ssl(3). ! This does not affect OpenSSH.
  ! A source code patch exists which remedies this problem.
  ! !
- ! 003: RELIABILITY FIX: November 1, 2003 All architectures
  ! It is possible for a local user to cause a system panic by flooding it with spoofed ARP ! requests.
  ! A source code patch exists which remedies this problem.
  ! !
- ! 004: RELIABILITY FIX: November 1, 2003 All architectures
  ! A user with write permission to httpd.conf or a .htaccess ! file can crash ! httpd(8) ! or potentially run arbitrary code as the user www (although it ! is believed that ProPolice will prevent code execution).
  ! A source code patch exists which remedies this problem.
  ! !
- ! 005: RELIABILITY FIX: November 4, 2003 All architectures
  ! It is possible for a local user to cause a system panic by executing a specially crafted binary with an invalid header.
  ! A source code patch exists which remedies this problem.
  ! !
- ! 006: SECURITY FIX: November 17, 2003 ! i386 only
  ! It may be possible for a local user to overrun the stack in ! compat_ibcs2(8).
  ! ProPolice catches this, turning a potential privilege escalation into a denial ! of service. iBCS2 emulation does not need to be enabled via ! sysctl(8) ! for this to happen.
  ! A source code patch exists which remedies this problem.
  ! !
- ! 007: RELIABILITY FIX: November 20, 2003 All architectures
  ! It is possible for a local user to cause a crash via ! sysctl(3) with certain arguments.
  ! A source code patch exists which remedies this problem.
  !
- ! 008: RELIABILITY FIX: November 20, 2003 All architectures
  ! An improper bounds check makes it possible for a local user to cause a crash ! by passing the ! semctl(2) and ! semop(2) functions ! certain arguments.
  ! A source code patch exists which remedies this problem.
  ! !
- ! 009: SECURITY FIX: January 13, 2004 All architectures
  ! Several message handling flaws in ! isakmpd(8) ! have been reported by Thomas Walpuski. These allow an attacker to delete arbitrary SAs. The patch also ! includes a reliability fix for a filedescriptor leak that causes problems when a crypto card is ! installed.
  ! A source code patch exists which remedies this problem.
  ! !
- ! 010: SECURITY FIX: February 5, 2004 All architectures
  ! A reference counting bug exists in the ! shmat(2) ! system call that could be used by an attacker to write to kernel memory ! under certain circumstances.
  ! A source code patch exists which remedies this problem.
  ! !
- ! 011: SECURITY FIX: February 8, 2004 All architectures
  ! An IPv6 MTU handling problem exists that could be used by an attacker ! to cause a denial of service attack against hosts with reachable IPv6 ! TCP ports.
  ! A source code patch exists which remedies this problem.
  ! !
- ! 012: RELIABILITY FIX: February 14, 2004 All architectures
  ! Several buffer overflows exist in the code parsing ! font.aliases files in XFree86. Thanks to ProPolice, these cannot be ! exploited to gain privileges, but they can cause the X server to abort.
  ! A source code patch exists which remedies this problem.
  ! !
- ! 013: RELIABILITY FIX: March 8, 2004 All architectures
  ! OpenBSD's TCP/IP stack did not impose limits on how many out-of-order ! TCP segments are queued in the system. An attacker could ! send out-of-order TCP segments and trick the system into using all ! available memory buffers.
  ! A source code patch exists which remedies this problem.
  ! !
- ! 014: SECURITY FIX: March 13, 2004 All architectures
  ! Due to a bug in the parsing of Allow/Deny rules for ! httpd(8)'s ! access module, using IP addresses without a netmask on big endian 64-bit ! platforms causes the rules to fail to match. This only affects sparc64.
  ! A source code patch exists which remedies this problem.
  ! !
- ! 015: RELIABILITY FIX: March 17, 2004 All architectures
  ! Defects in the payload validation and processing functions of ! isakmpd(8) ! have been discovered. An attacker could send malformed ISAKMP messages and ! cause isakmpd to crash or to loop endlessly. This patch fixes these problems ! and removes some memory leaks.
  ! A source code patch exists which remedies this problem.
  ! !
- ! 016: RELIABILITY FIX: March 17, 2004 All architectures
  ! A missing check for a NULL-pointer dereference has been found in ! ssl(3). ! A remote attacker can use the bug to cause an OpenSSL application to crash; ! this may lead to a denial of service.
  ! A source code patch exists which remedies this problem.
  ! !
- ! 017: SECURITY FIX: May 5, 2004 All architectures
  ! Pathname validation problems have been found in ! cvs(1), ! allowing malicious clients to create files outside the repository, allowing ! malicious servers to overwrite files outside the local CVS tree on ! the client and allowing clients to check out files outside the CVS ! repository.
  ! A source code patch exists which remedies this problem.
  +
- 018: RELIABILITY FIX: May 5, 2004 All architectures
  *************** *** 293,483 **** A source code patch exists which remedies this problem.
  !
- ! 017: SECURITY FIX: May 5, 2004 All architectures
  ! Pathname validation problems have been found in ! cvs(1), ! allowing malicious clients to create files outside the repository, allowing ! malicious servers to overwrite files outside the local CVS tree on ! the client and allowing clients to check out files outside the CVS ! repository.
  ! A source code patch exists which remedies this problem.
  !
- ! 016: RELIABILITY FIX: March 17, 2004 All architectures
  ! A missing check for a NULL-pointer dereference has been found in ! ssl(3). ! A remote attacker can use the bug to cause an OpenSSL application to crash; ! this may lead to a denial of service.
  ! A source code patch exists which remedies this problem.
  !
- ! 015: RELIABILITY FIX: March 17, 2004 All architectures
  ! Defects in the payload validation and processing functions of ! isakmpd(8) ! have been discovered. An attacker could send malformed ISAKMP messages and ! cause isakmpd to crash or to loop endlessly. This patch fixes these problems ! and removes some memory leaks.
  ! A source code patch exists which remedies this problem.
  !
- ! 014: SECURITY FIX: March 13, 2004 All architectures
  ! Due to a bug in the parsing of Allow/Deny rules for ! httpd(8)'s ! access module, using IP addresses without a netmask on big endian 64-bit ! platforms causes the rules to fail to match. This only affects sparc64.
  ! A source code patch exists which remedies this problem.
  !
- ! 013: RELIABILITY FIX: March 8, 2004 All architectures
  ! OpenBSD's TCP/IP stack did not impose limits on how many out-of-order ! TCP segments are queued in the system. An attacker could ! send out-of-order TCP segments and trick the system into using all ! available memory buffers.
  ! A source code patch exists which remedies this problem.
  !
- ! 012: RELIABILITY FIX: February 14, 2004 All architectures
  ! Several buffer overflows exist in the code parsing ! font.aliases files in XFree86. Thanks to ProPolice, these cannot be ! exploited to gain privileges, but they can cause the X server to abort.
  ! A source code patch exists which remedies this problem.
  !
- ! 011: SECURITY FIX: February 8, 2004 All architectures
  ! An IPv6 MTU handling problem exists that could be used by an attacker ! to cause a denial of service attack against hosts with reachable IPv6 ! TCP ports.
  ! A source code patch exists which remedies this problem.
  !
- ! 010: SECURITY FIX: February 5, 2004 All architectures
  ! A reference counting bug exists in the ! shmat(2) ! system call that could be used by an attacker to write to kernel memory ! under certain circumstances.
  ! A source code patch exists which remedies this problem.
  !
- ! 009: SECURITY FIX: January 13, 2004 All architectures
  ! Several message handling flaws in ! isakmpd(8) ! have been reported by Thomas Walpuski. These allow an attacker to delete arbitrary SAs. The patch also ! includes a reliability fix for a filedescriptor leak that causes problems when a crypto card is ! installed.
  ! A source code patch exists which remedies this problem.
  !
- ! 008: RELIABILITY FIX: November 20, 2003 All architectures
  ! An improper bounds check makes it possible for a local user to cause a crash ! by passing the ! semctl(2) and ! semop(2) functions ! certain arguments.
  ! A source code patch exists which remedies this problem.
  !
- ! 007: RELIABILITY FIX: November 20, 2003 All architectures
  ! It is possible for a local user to cause a crash via ! sysctl(3) with certain arguments.
  ! A source code patch exists which remedies this problem.
  !
- ! 006: SECURITY FIX: November 17, 2003 ! i386 only
  ! It may be possible for a local user to overrun the stack in ! compat_ibcs2(8).
  ! ProPolice catches this, turning a potential privilege escalation into a denial ! of service. iBCS2 emulation does not need to be enabled via ! sysctl(8) ! for this to happen.
  ! A source code patch exists which remedies this problem.
  !
- ! 005: RELIABILITY FIX: November 4, 2003 All architectures
  ! It is possible for a local user to cause a system panic by executing a specially crafted binary with an invalid header.
  ! A source code patch exists which remedies this problem.
  !
- ! 004: RELIABILITY FIX: November 1, 2003 All architectures
  ! A user with write permission to httpd.conf or a .htaccess ! file can crash ! httpd(8) ! or potentially run arbitrary code as the user www (although it ! is believed that ProPolice will prevent code execution).
  ! A source code patch exists which remedies this problem.
  !
- ! 003: RELIABILITY FIX: November 1, 2003 All architectures
  ! It is possible for a local user to cause a system panic by flooding it with spoofed ARP ! requests.
  ! A source code patch exists which remedies this problem.
  !
- ! 002: SECURITY FIX: November 1, 2003 All architectures
  ! The use of certain ASN.1 encodings or malformed public keys may allow an ! attacker to mount a denial of service attack against applications linked with ! ssl(3). ! This does not affect OpenSSH.
  ! A source code patch exists which remedies this problem.
  !
- ! 001: DOCUMENTATION FIX: November 1, 2003 All architectures
  ! The CD insert documentation has an incorrect example for package installation.
  ! Where it is written:
  ! ! # pkg_add https://ftp.openbsd.org/pub/OpenBSD/3.4/packages/i386
  ! It should instead read:
  ! ! # pkg_add https://ftp.openbsd.org/pub/OpenBSD/3.4/packages/i386/
  ! The extra / at the end is important. We do not make ! patch files available for things printed on paper.
--- 297,521 ---- A source code patch exists which remedies this problem.
! !
! 019: RELIABILITY FIX: May 6, 2004 All architectures
! Reply to in-window SYN with a rate-limited ACK.
! A source code patch exists which remedies this problem.
! !
! 020: SECURITY FIX: May 13, 2004 All architectures
! Check for integer overflow in procfs. Use of procfs is not recommended.
! A source code patch exists which remedies this problem.
! !
! 021: SECURITY FIX: May 20, 2004 All architectures
! A heap overflow in the ! cvs(1) ! server has been discovered that can be exploited by clients sending ! malformed requests, enabling these clients to run arbitrary code ! with the same privileges as the CVS server program.
! A source code patch exists which remedies this problem.
! !
! 022: SECURITY FIX: May 30, 2004 All architectures
! A flaw in the Kerberos V ! kdc(8) ! server could result in the administrator of a Kerberos realm having ! the ability to impersonate any principal in any other realm which ! has established a cross-realm trust with their realm. The flaw is due to ! inadequate checking of the "transited" field in a Kerberos request. For ! more details see ! Heimdal's announcement.
! A source code patch exists which remedies this problem.
! !
! 023: SECURITY FIX: June 9, 2004 All architectures
! Multiple remote vulnerabilities have been found in the ! cvs(1) ! server that allow an attacker to crash the server or possibly execute arbitrary ! code with the same privileges as the CVS server program.
! A source code patch exists which remedies this problem.
! !
! 024: SECURITY FIX: June 10, 2004 All architectures
! As ! disclosed ! by Thomas Walpuski ! isakmpd(8) ! is still vulnerable to unauthorized SA deletion. An attacker can delete IPsec ! tunnels at will.
! A source code patch exists which remedies this problem.
! !
! 025: SECURITY FIX: June 12, 2004 All architectures
! Multiple vulnerabilities have been found in ! httpd(8) ! / mod_ssl. ! CAN-2003-0020, ! CAN-2003-0987, ! CAN-2004-0488, ! CAN-2004-0492.
! A source code patch exists which remedies this problem.
! !
! 026: RELIABILITY FIX: Jul 25, 2004 All architectures
! Under a certain network load the kernel can run out of stack space. This was ! encountered in an environment using CARP on a VLAN interface. This issue initially ! manifested itself as a FPU related crash on boot up.
! A source code patch exists which remedies this problem.
! !
! 027: RELIABILITY FIX: August 25, 2004 All architectures
! Improved verification of ICMP errors in order to minimize the impact of ICMP attacks ! against TCP.
! http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html !
! A source code patch exists which remedies this problem.
! ! ! ! ! !
! 035: SECURITY FIX: December 13, 2004 All architectures
! On systems running ! isakmpd(8) ! it is possible for a local user to cause kernel memory corruption ! and system panic by setting ! ipsec(4) ! credentials on a socket.
! A source code patch exists which remedies this problem.
! !
! 034: RELIABILITY FIX: November 10, 2004 All architectures
! Due to a bug in ! lynx(1) ! it is possible for pages such as ! this ! to cause ! lynx(1) ! to exhaust memory and then crash when parsing such pages.
! A source code patch exists which remedies this problem.
! !
! 033: RELIABILITY FIX: November 10, 2004 ! All architectures
! pppd(8) ! contains a bug that allows an attacker to crash his own connection, but it cannot ! be used to deny service to other users.
! A source code patch exists which remedies this problem.
! !
! 032: RELIABILITY FIX: November 10, 2004 All architectures
! BIND contains a bug which results in BIND trying to contact nameservers via IPv6, even in ! cases where IPv6 connectivity is non-existent. This results in unnecessary timeouts and ! thus slow DNS queries.
! A source code patch exists which remedies this problem.
! !
! 031: SECURITY FIX: September 20, 2004 All architectures
! Eilko Bos reported that radius authentication, as implemented by ! login_radius(8), ! was not checking the shared secret used for replies sent by the radius server. ! This could allow an attacker to spoof a reply granting access to the ! attacker. Note that OpenBSD does not ship with radius authentication enabled.
! A source code patch exists which remedies this problem.
! !
! 030: SECURITY FIX: September 16, 2004 All architectures
! Chris Evans reported several flaws (stack and integer overflows) in the ! Xpm ! library code that parses image files ! (CAN-2004-0687, ! CAN-2004-0688). ! Some of these would be exploitable when parsing malicious image files in ! an application that handles XPM images, if they could escape ProPolice. !
! A source code patch exists which remedies this problem.
! !
! 029: SECURITY FIX: September 10, 2004 All architectures
! httpd(8) ! 's mod_rewrite module can be made to write one zero byte in an arbitrary memory ! position outside of a char array, causing a DoS or possibly buffer overflows. ! This would require enabling dbm for mod_rewrite and making use of a malicious ! dbm file. !
! A source code patch exists which remedies this problem.
! !
! 028: RELIABILITY FIX: August 26, 2004 All architectures
! As ! reported ! by Vafa Izadinia ! bridge(4) ! with IPsec processing enabled can be crashed remotely by a single ICMP echo traversing the bridge. !
! ! A source code patch exists which remedies this problem.