===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/errata34.html,v
retrieving revision 1.90
retrieving revision 1.91
diff -c -r1.90 -r1.91
*** www/errata34.html 2019/05/27 22:55:19 1.90
--- www/errata34.html 2019/05/28 16:32:42 1.91
***************
*** 83,288 ****
! -
! 035: SECURITY FIX: December 13, 2004
All architectures
! On systems running
! isakmpd(8)
! it is possible for a local user to cause kernel memory corruption
! and system panic by setting
! ipsec(4)
! credentials on a socket.
!
!
! A source code patch exists which remedies this problem.
!
-
! 034: RELIABILITY FIX: November 10, 2004
All architectures
! Due to a bug in
! lynx(1)
! it is possible for pages such as
! this
! to cause
! lynx(1)
! to exhaust memory and then crash when parsing such pages.
!
!
A source code patch exists which remedies this problem.
!
-
! 033: RELIABILITY FIX: November 10, 2004
All architectures
! pppd(8)
! contains a bug that allows an attacker to crash his own connection, but it cannot
! be used to deny service to other users.
!
!
A source code patch exists which remedies this problem.
!
-
! 032: RELIABILITY FIX: November 10, 2004
All architectures
! BIND contains a bug which results in BIND trying to contact nameservers via IPv6, even in
! cases where IPv6 connectivity is non-existent. This results in unnecessary timeouts and
! thus slow DNS queries.
!
A source code patch exists which remedies this problem.
!
-
! 031: SECURITY FIX: September 20, 2004
All architectures
! Eilko Bos reported that radius authentication, as implemented by
! login_radius(8),
! was not checking the shared secret used for replies sent by the radius server.
! This could allow an attacker to spoof a reply granting access to the
! attacker. Note that OpenBSD does not ship with radius authentication enabled.
!
A source code patch exists which remedies this problem.
!
-
! 030: SECURITY FIX: September 16, 2004
! All architectures
! Chris Evans reported several flaws (stack and integer overflows) in the
! Xpm
! library code that parses image files
! (CAN-2004-0687,
! CAN-2004-0688).
! Some of these would be exploitable when parsing malicious image files in
! an application that handles XPM images, if they could escape ProPolice.
!
A source code patch exists which remedies this problem.
!
-
! 029: SECURITY FIX: September 10, 2004
All architectures
! httpd(8)
! 's mod_rewrite module can be made to write one zero byte in an arbitrary memory
! position outside of a char array, causing a DoS or possibly buffer overflows.
! This would require enabling dbm for mod_rewrite and making use of a malicious
! dbm file.
!
A source code patch exists which remedies this problem.
!
-
! 028: RELIABILITY FIX: August 26, 2004
All architectures
! As
! reported
! by Vafa Izadinia
! bridge(4)
! with IPsec processing enabled can be crashed remotely by a single ICMP echo traversing the bridge.
!
A source code patch exists which remedies this problem.
!
-
! 027: RELIABILITY FIX: August 25, 2004
All architectures
! Improved verification of ICMP errors in order to minimize the impact of ICMP attacks
! against TCP.
! http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html
!
!
A source code patch exists which remedies this problem.
!
-
! 026: RELIABILITY FIX: Jul 25, 2004
All architectures
! Under a certain network load the kernel can run out of stack space. This was
! encountered in an environment using CARP on a VLAN interface. This issue initially
! manifested itself as a FPU related crash on boot up.
!
A source code patch exists which remedies this problem.
!
-
! 025: SECURITY FIX: June 12, 2004
All architectures
! Multiple vulnerabilities have been found in
! httpd(8)
! / mod_ssl.
! CAN-2003-0020,
! CAN-2003-0987,
! CAN-2004-0488,
! CAN-2004-0492.
!
A source code patch exists which remedies this problem.
!
-
! 024: SECURITY FIX: June 10, 2004
All architectures
! As
! disclosed
! by Thomas Walpuski
! isakmpd(8)
! is still vulnerable to unauthorized SA deletion. An attacker can delete IPsec
! tunnels at will.
!
A source code patch exists which remedies this problem.
!
-
! 023: SECURITY FIX: June 9, 2004
All architectures
! Multiple remote vulnerabilities have been found in the
! cvs(1)
! server that allow an attacker to crash the server or possibly execute arbitrary
! code with the same privileges as the CVS server program.
!
A source code patch exists which remedies this problem.
!
-
! 022: SECURITY FIX: May 30, 2004
All architectures
! A flaw in the Kerberos V
! kdc(8)
! server could result in the administrator of a Kerberos realm having
! the ability to impersonate any principal in any other realm which
! has established a cross-realm trust with their realm. The flaw is due to
! inadequate checking of the "transited" field in a Kerberos request. For
! more details see
! Heimdal's announcement.
!
A source code patch exists which remedies this problem.
!
-
! 021: SECURITY FIX: May 20, 2004
All architectures
! A heap overflow in the
! cvs(1)
! server has been discovered that can be exploited by clients sending
! malformed requests, enabling these clients to run arbitrary code
! with the same privileges as the CVS server program.
!
A source code patch exists which remedies this problem.
!
-
! 020: SECURITY FIX: May 13, 2004
All architectures
! Check for integer overflow in procfs. Use of procfs is not recommended.
!
A source code patch exists which remedies this problem.
!
-
! 019: RELIABILITY FIX: May 6, 2004
All architectures
! Reply to in-window SYN with a rate-limited ACK.
!
A source code patch exists which remedies this problem.
-
018: RELIABILITY FIX: May 5, 2004
All architectures
--- 83,292 ----
!
! -
! 001: DOCUMENTATION FIX: November 1, 2003
All architectures
! The CD insert documentation has an incorrect example for package installation.
! Where it is written:
!
! # pkg_add https://ftp.openbsd.org/pub/OpenBSD/3.4/packages/i386
! It should instead read:
!
! # pkg_add https://ftp.openbsd.org/pub/OpenBSD/3.4/packages/i386/
! The extra / at the end is important. We do not make
! patch files available for things printed on paper.
!
!
-
! 002: SECURITY FIX: November 1, 2003
All architectures
! The use of certain ASN.1 encodings or malformed public keys may allow an
! attacker to mount a denial of service attack against applications linked with
! ssl(3).
! This does not affect OpenSSH.
!
A source code patch exists which remedies this problem.
!
!
-
! 003: RELIABILITY FIX: November 1, 2003
All architectures
! It is possible for a local user to cause a system panic by flooding it with spoofed ARP
! requests.
!
A source code patch exists which remedies this problem.
!
!
-
! 004: RELIABILITY FIX: November 1, 2003
All architectures
! A user with write permission to httpd.conf
or a .htaccess
! file can crash
! httpd(8)
! or potentially run arbitrary code as the user www
(although it
! is believed that ProPolice will prevent code execution).
!
A source code patch exists which remedies this problem.
!
!
-
! 005: RELIABILITY FIX: November 4, 2003
All architectures
! It is possible for a local user to cause a system panic by executing a specially crafted binary with an invalid header.
!
A source code patch exists which remedies this problem.
!
!
-
! 006: SECURITY FIX: November 17, 2003
! i386 only
! It may be possible for a local user to overrun the stack in
! compat_ibcs2(8).
! ProPolice catches this, turning a potential privilege escalation into a denial
! of service. iBCS2 emulation does not need to be enabled via
! sysctl(8)
! for this to happen.
!
A source code patch exists which remedies this problem.
!
!
-
! 007: RELIABILITY FIX: November 20, 2003
All architectures
! It is possible for a local user to cause a crash via
! sysctl(3) with certain arguments.
!
A source code patch exists which remedies this problem.
!
-
! 008: RELIABILITY FIX: November 20, 2003
All architectures
! An improper bounds check makes it possible for a local user to cause a crash
! by passing the
! semctl(2) and
! semop(2) functions
! certain arguments.
!
A source code patch exists which remedies this problem.
!
!
-
! 009: SECURITY FIX: January 13, 2004
All architectures
! Several message handling flaws in
! isakmpd(8)
! have been reported by Thomas Walpuski. These allow an attacker to delete arbitrary SAs. The patch also
! includes a reliability fix for a filedescriptor leak that causes problems when a crypto card is
! installed.
!
A source code patch exists which remedies this problem.
!
!
-
! 010: SECURITY FIX: February 5, 2004
All architectures
! A reference counting bug exists in the
! shmat(2)
! system call that could be used by an attacker to write to kernel memory
! under certain circumstances.
!
A source code patch exists which remedies this problem.
!
!
-
! 011: SECURITY FIX: February 8, 2004
All architectures
! An IPv6 MTU handling problem exists that could be used by an attacker
! to cause a denial of service attack against hosts with reachable IPv6
! TCP ports.
!
A source code patch exists which remedies this problem.
!
!
-
! 012: RELIABILITY FIX: February 14, 2004
All architectures
! Several buffer overflows exist in the code parsing
! font.aliases files in XFree86. Thanks to ProPolice, these cannot be
! exploited to gain privileges, but they can cause the X server to abort.
!
A source code patch exists which remedies this problem.
!
!
-
! 013: RELIABILITY FIX: March 8, 2004
All architectures
! OpenBSD's TCP/IP stack did not impose limits on how many out-of-order
! TCP segments are queued in the system. An attacker could
! send out-of-order TCP segments and trick the system into using all
! available memory buffers.
!
A source code patch exists which remedies this problem.
!
!
-
! 014: SECURITY FIX: March 13, 2004
All architectures
! Due to a bug in the parsing of Allow/Deny rules for
! httpd(8)'s
! access module, using IP addresses without a netmask on big endian 64-bit
! platforms causes the rules to fail to match. This only affects sparc64.
!
A source code patch exists which remedies this problem.
!
!
-
! 015: RELIABILITY FIX: March 17, 2004
All architectures
! Defects in the payload validation and processing functions of
! isakmpd(8)
! have been discovered. An attacker could send malformed ISAKMP messages and
! cause isakmpd to crash or to loop endlessly. This patch fixes these problems
! and removes some memory leaks.
!
A source code patch exists which remedies this problem.
!
!
-
! 016: RELIABILITY FIX: March 17, 2004
All architectures
! A missing check for a NULL-pointer dereference has been found in
! ssl(3).
! A remote attacker can use the bug to cause an OpenSSL application to crash;
! this may lead to a denial of service.
!
A source code patch exists which remedies this problem.
!
!
-
! 017: SECURITY FIX: May 5, 2004
All architectures
! Pathname validation problems have been found in
! cvs(1),
! allowing malicious clients to create files outside the repository, allowing
! malicious servers to overwrite files outside the local CVS tree on
! the client and allowing clients to check out files outside the CVS
! repository.
!
A source code patch exists which remedies this problem.
+
-
018: RELIABILITY FIX: May 5, 2004
All architectures
***************
*** 293,483 ****
A source code patch exists which remedies this problem.
!
-
! 017: SECURITY FIX: May 5, 2004
All architectures
! Pathname validation problems have been found in
! cvs(1),
! allowing malicious clients to create files outside the repository, allowing
! malicious servers to overwrite files outside the local CVS tree on
! the client and allowing clients to check out files outside the CVS
! repository.
!
A source code patch exists which remedies this problem.
!
-
! 016: RELIABILITY FIX: March 17, 2004
All architectures
! A missing check for a NULL-pointer dereference has been found in
! ssl(3).
! A remote attacker can use the bug to cause an OpenSSL application to crash;
! this may lead to a denial of service.
!
A source code patch exists which remedies this problem.
!
-
! 015: RELIABILITY FIX: March 17, 2004
All architectures
! Defects in the payload validation and processing functions of
! isakmpd(8)
! have been discovered. An attacker could send malformed ISAKMP messages and
! cause isakmpd to crash or to loop endlessly. This patch fixes these problems
! and removes some memory leaks.
!
A source code patch exists which remedies this problem.
!
-
! 014: SECURITY FIX: March 13, 2004
All architectures
! Due to a bug in the parsing of Allow/Deny rules for
! httpd(8)'s
! access module, using IP addresses without a netmask on big endian 64-bit
! platforms causes the rules to fail to match. This only affects sparc64.
!
A source code patch exists which remedies this problem.
!
-
! 013: RELIABILITY FIX: March 8, 2004
All architectures
! OpenBSD's TCP/IP stack did not impose limits on how many out-of-order
! TCP segments are queued in the system. An attacker could
! send out-of-order TCP segments and trick the system into using all
! available memory buffers.
!
A source code patch exists which remedies this problem.
!
-
! 012: RELIABILITY FIX: February 14, 2004
All architectures
! Several buffer overflows exist in the code parsing
! font.aliases files in XFree86. Thanks to ProPolice, these cannot be
! exploited to gain privileges, but they can cause the X server to abort.
!
A source code patch exists which remedies this problem.
!
-
! 011: SECURITY FIX: February 8, 2004
All architectures
! An IPv6 MTU handling problem exists that could be used by an attacker
! to cause a denial of service attack against hosts with reachable IPv6
! TCP ports.
!
A source code patch exists which remedies this problem.
!
-
! 010: SECURITY FIX: February 5, 2004
All architectures
! A reference counting bug exists in the
! shmat(2)
! system call that could be used by an attacker to write to kernel memory
! under certain circumstances.
!
A source code patch exists which remedies this problem.
!
-
! 009: SECURITY FIX: January 13, 2004
All architectures
! Several message handling flaws in
! isakmpd(8)
! have been reported by Thomas Walpuski. These allow an attacker to delete arbitrary SAs. The patch also
! includes a reliability fix for a filedescriptor leak that causes problems when a crypto card is
! installed.
!
A source code patch exists which remedies this problem.
!
-
! 008: RELIABILITY FIX: November 20, 2003
All architectures
! An improper bounds check makes it possible for a local user to cause a crash
! by passing the
! semctl(2) and
! semop(2) functions
! certain arguments.
!
A source code patch exists which remedies this problem.
!
-
! 007: RELIABILITY FIX: November 20, 2003
All architectures
! It is possible for a local user to cause a crash via
! sysctl(3) with certain arguments.
!
A source code patch exists which remedies this problem.
!
-
! 006: SECURITY FIX: November 17, 2003
! i386 only
! It may be possible for a local user to overrun the stack in
! compat_ibcs2(8).
! ProPolice catches this, turning a potential privilege escalation into a denial
! of service. iBCS2 emulation does not need to be enabled via
! sysctl(8)
! for this to happen.
!
A source code patch exists which remedies this problem.
!
-
! 005: RELIABILITY FIX: November 4, 2003
All architectures
! It is possible for a local user to cause a system panic by executing a specially crafted binary with an invalid header.
!
A source code patch exists which remedies this problem.
!
-
! 004: RELIABILITY FIX: November 1, 2003
All architectures
! A user with write permission to httpd.conf
or a .htaccess
! file can crash
! httpd(8)
! or potentially run arbitrary code as the user www
(although it
! is believed that ProPolice will prevent code execution).
!
A source code patch exists which remedies this problem.
!
-
! 003: RELIABILITY FIX: November 1, 2003
All architectures
! It is possible for a local user to cause a system panic by flooding it with spoofed ARP
! requests.
!
A source code patch exists which remedies this problem.
!
-
! 002: SECURITY FIX: November 1, 2003
All architectures
! The use of certain ASN.1 encodings or malformed public keys may allow an
! attacker to mount a denial of service attack against applications linked with
! ssl(3).
! This does not affect OpenSSH.
!
A source code patch exists which remedies this problem.
!
-
! 001: DOCUMENTATION FIX: November 1, 2003
All architectures
! The CD insert documentation has an incorrect example for package installation.
! Where it is written:
!
! # pkg_add https://ftp.openbsd.org/pub/OpenBSD/3.4/packages/i386
! It should instead read:
!
! # pkg_add https://ftp.openbsd.org/pub/OpenBSD/3.4/packages/i386/
! The extra / at the end is important. We do not make
! patch files available for things printed on paper.
--- 297,521 ----
A source code patch exists which remedies this problem.
!
!
-
! 019: RELIABILITY FIX: May 6, 2004
All architectures
! Reply to in-window SYN with a rate-limited ACK.
!
A source code patch exists which remedies this problem.
!
!
-
! 020: SECURITY FIX: May 13, 2004
All architectures
! Check for integer overflow in procfs. Use of procfs is not recommended.
!
A source code patch exists which remedies this problem.
!
!
-
! 021: SECURITY FIX: May 20, 2004
All architectures
! A heap overflow in the
! cvs(1)
! server has been discovered that can be exploited by clients sending
! malformed requests, enabling these clients to run arbitrary code
! with the same privileges as the CVS server program.
!
A source code patch exists which remedies this problem.
!
!
-
! 022: SECURITY FIX: May 30, 2004
All architectures
! A flaw in the Kerberos V
! kdc(8)
! server could result in the administrator of a Kerberos realm having
! the ability to impersonate any principal in any other realm which
! has established a cross-realm trust with their realm. The flaw is due to
! inadequate checking of the "transited" field in a Kerberos request. For
! more details see
! Heimdal's announcement.
!
A source code patch exists which remedies this problem.
!
!
-
! 023: SECURITY FIX: June 9, 2004
All architectures
! Multiple remote vulnerabilities have been found in the
! cvs(1)
! server that allow an attacker to crash the server or possibly execute arbitrary
! code with the same privileges as the CVS server program.
!
A source code patch exists which remedies this problem.
!
!
-
! 024: SECURITY FIX: June 10, 2004
All architectures
! As
! disclosed
! by Thomas Walpuski
! isakmpd(8)
! is still vulnerable to unauthorized SA deletion. An attacker can delete IPsec
! tunnels at will.
!
A source code patch exists which remedies this problem.
!
!
-
! 025: SECURITY FIX: June 12, 2004
All architectures
! Multiple vulnerabilities have been found in
! httpd(8)
! / mod_ssl.
! CAN-2003-0020,
! CAN-2003-0987,
! CAN-2004-0488,
! CAN-2004-0492.
!
A source code patch exists which remedies this problem.
!
!
-
! 026: RELIABILITY FIX: Jul 25, 2004
All architectures
! Under a certain network load the kernel can run out of stack space. This was
! encountered in an environment using CARP on a VLAN interface. This issue initially
! manifested itself as a FPU related crash on boot up.
!
A source code patch exists which remedies this problem.
!
!
-
! 027: RELIABILITY FIX: August 25, 2004
All architectures
! Improved verification of ICMP errors in order to minimize the impact of ICMP attacks
! against TCP.
! http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html
!
!
A source code patch exists which remedies this problem.
!
!
!
!
!
!
-
! 035: SECURITY FIX: December 13, 2004
All architectures
! On systems running
! isakmpd(8)
! it is possible for a local user to cause kernel memory corruption
! and system panic by setting
! ipsec(4)
! credentials on a socket.
!
A source code patch exists which remedies this problem.
!
!
-
! 034: RELIABILITY FIX: November 10, 2004
All architectures
! Due to a bug in
! lynx(1)
! it is possible for pages such as
! this
! to cause
! lynx(1)
! to exhaust memory and then crash when parsing such pages.
!
A source code patch exists which remedies this problem.
!
!
-
! 033: RELIABILITY FIX: November 10, 2004
! All architectures
! pppd(8)
! contains a bug that allows an attacker to crash his own connection, but it cannot
! be used to deny service to other users.
!
A source code patch exists which remedies this problem.
!
!
-
! 032: RELIABILITY FIX: November 10, 2004
All architectures
! BIND contains a bug which results in BIND trying to contact nameservers via IPv6, even in
! cases where IPv6 connectivity is non-existent. This results in unnecessary timeouts and
! thus slow DNS queries.
!
A source code patch exists which remedies this problem.
!
!
-
! 031: SECURITY FIX: September 20, 2004
All architectures
! Eilko Bos reported that radius authentication, as implemented by
! login_radius(8),
! was not checking the shared secret used for replies sent by the radius server.
! This could allow an attacker to spoof a reply granting access to the
! attacker. Note that OpenBSD does not ship with radius authentication enabled.
!
A source code patch exists which remedies this problem.
!
!
-
! 030: SECURITY FIX: September 16, 2004
All architectures
! Chris Evans reported several flaws (stack and integer overflows) in the
! Xpm
! library code that parses image files
! (CAN-2004-0687,
! CAN-2004-0688).
! Some of these would be exploitable when parsing malicious image files in
! an application that handles XPM images, if they could escape ProPolice.
!
!
A source code patch exists which remedies this problem.
!
!
-
! 029: SECURITY FIX: September 10, 2004
All architectures
! httpd(8)
! 's mod_rewrite module can be made to write one zero byte in an arbitrary memory
! position outside of a char array, causing a DoS or possibly buffer overflows.
! This would require enabling dbm for mod_rewrite and making use of a malicious
! dbm file.
!
!
A source code patch exists which remedies this problem.
!
!
-
! 028: RELIABILITY FIX: August 26, 2004
All architectures
! As
! reported
! by Vafa Izadinia
! bridge(4)
! with IPsec processing enabled can be crashed remotely by a single ICMP echo traversing the bridge.
!
!
! A source code patch exists which remedies this problem.