===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/errata34.html,v
retrieving revision 1.90
retrieving revision 1.91
diff -u -r1.90 -r1.91
--- www/errata34.html 2019/05/27 22:55:19 1.90
+++ www/errata34.html 2019/05/28 16:32:42 1.91
@@ -83,206 +83,210 @@
--
-035: SECURITY FIX: December 13, 2004
+
+
-
+001: DOCUMENTATION FIX: November 1, 2003
All architectures
-On systems running
-isakmpd(8)
-it is possible for a local user to cause kernel memory corruption
-and system panic by setting
-ipsec(4)
-credentials on a socket.
-
-
-A source code patch exists which remedies this problem.
+The CD insert documentation has an incorrect example for package installation.
+Where it is written:
+
+# pkg_add https://ftp.openbsd.org/pub/OpenBSD/3.4/packages/i386
+It should instead read:
+
+# pkg_add https://ftp.openbsd.org/pub/OpenBSD/3.4/packages/i386/
+The extra / at the end is important. We do not make
+patch files available for things printed on paper.
-
-
-034: RELIABILITY FIX: November 10, 2004
+
+
-
+002: SECURITY FIX: November 1, 2003
All architectures
-Due to a bug in
-lynx(1)
-it is possible for pages such as
-this
-to cause
-lynx(1)
-to exhaust memory and then crash when parsing such pages.
-
-
+The use of certain ASN.1 encodings or malformed public keys may allow an
+attacker to mount a denial of service attack against applications linked with
+ssl(3).
+This does not affect OpenSSH.
+
A source code patch exists which remedies this problem.
-
-
-033: RELIABILITY FIX: November 10, 2004
+
+
-
+003: RELIABILITY FIX: November 1, 2003
All architectures
-pppd(8)
-contains a bug that allows an attacker to crash his own connection, but it cannot
-be used to deny service to other users.
-
-
+It is possible for a local user to cause a system panic by flooding it with spoofed ARP
+requests.
+
A source code patch exists which remedies this problem.
-
-
-032: RELIABILITY FIX: November 10, 2004
+
+
-
+004: RELIABILITY FIX: November 1, 2003
All architectures
-BIND contains a bug which results in BIND trying to contact nameservers via IPv6, even in
-cases where IPv6 connectivity is non-existent. This results in unnecessary timeouts and
-thus slow DNS queries.
+A user with write permission to httpd.conf
or a .htaccess
+file can crash
+httpd(8)
+or potentially run arbitrary code as the user www
(although it
+is believed that ProPolice will prevent code execution).
-
+
A source code patch exists which remedies this problem.
-
-
-031: SECURITY FIX: September 20, 2004
+
+
-
+005: RELIABILITY FIX: November 4, 2003
All architectures
-Eilko Bos reported that radius authentication, as implemented by
-login_radius(8),
-was not checking the shared secret used for replies sent by the radius server.
-This could allow an attacker to spoof a reply granting access to the
-attacker. Note that OpenBSD does not ship with radius authentication enabled.
+It is possible for a local user to cause a system panic by executing a specially crafted binary with an invalid header.
-
+
A source code patch exists which remedies this problem.
-
-
-030: SECURITY FIX: September 16, 2004
- All architectures
-Chris Evans reported several flaws (stack and integer overflows) in the
-Xpm
-library code that parses image files
-(CAN-2004-0687,
-CAN-2004-0688).
-Some of these would be exploitable when parsing malicious image files in
-an application that handles XPM images, if they could escape ProPolice.
+
+ -
+006: SECURITY FIX: November 17, 2003
+ i386 only
+It may be possible for a local user to overrun the stack in
+compat_ibcs2(8).
+ProPolice catches this, turning a potential privilege escalation into a denial
+of service. iBCS2 emulation does not need to be enabled via
+sysctl(8)
+for this to happen.
-
+
A source code patch exists which remedies this problem.
-
-
-029: SECURITY FIX: September 10, 2004
+
+
-
+007: RELIABILITY FIX: November 20, 2003
All architectures
-httpd(8)
-'s mod_rewrite module can be made to write one zero byte in an arbitrary memory
-position outside of a char array, causing a DoS or possibly buffer overflows.
-This would require enabling dbm for mod_rewrite and making use of a malicious
-dbm file.
+It is possible for a local user to cause a crash via
+sysctl(3) with certain arguments.
-
+
A source code patch exists which remedies this problem.
-
-
-028: RELIABILITY FIX: August 26, 2004
+
-
+008: RELIABILITY FIX: November 20, 2003
All architectures
-As
-reported
-by Vafa Izadinia
-bridge(4)
-with IPsec processing enabled can be crashed remotely by a single ICMP echo traversing the bridge.
+An improper bounds check makes it possible for a local user to cause a crash
+by passing the
+semctl(2) and
+semop(2) functions
+certain arguments.
-
+
A source code patch exists which remedies this problem.
-
-
-027: RELIABILITY FIX: August 25, 2004
+
+
-
+009: SECURITY FIX: January 13, 2004
All architectures
-Improved verification of ICMP errors in order to minimize the impact of ICMP attacks
-against TCP.
+Several message handling flaws in
+isakmpd(8)
+have been reported by Thomas Walpuski. These allow an attacker to delete arbitrary SAs. The patch also
+includes a reliability fix for a filedescriptor leak that causes problems when a crypto card is
+installed.
-http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html
-
-
+
A source code patch exists which remedies this problem.
-
-
-026: RELIABILITY FIX: Jul 25, 2004
+
+
-
+010: SECURITY FIX: February 5, 2004
All architectures
-Under a certain network load the kernel can run out of stack space. This was
-encountered in an environment using CARP on a VLAN interface. This issue initially
-manifested itself as a FPU related crash on boot up.
+A reference counting bug exists in the
+shmat(2)
+system call that could be used by an attacker to write to kernel memory
+under certain circumstances.
-
+
A source code patch exists which remedies this problem.
-
-
-025: SECURITY FIX: June 12, 2004
+
+
-
+011: SECURITY FIX: February 8, 2004
All architectures
-Multiple vulnerabilities have been found in
-httpd(8)
-/ mod_ssl.
-CAN-2003-0020,
-CAN-2003-0987,
-CAN-2004-0488,
-CAN-2004-0492.
+An IPv6 MTU handling problem exists that could be used by an attacker
+to cause a denial of service attack against hosts with reachable IPv6
+TCP ports.
-
+
A source code patch exists which remedies this problem.
-
-
-024: SECURITY FIX: June 10, 2004
+
+
-
+012: RELIABILITY FIX: February 14, 2004
All architectures
-As
-disclosed
-by Thomas Walpuski
-isakmpd(8)
-is still vulnerable to unauthorized SA deletion. An attacker can delete IPsec
-tunnels at will.
+Several buffer overflows exist in the code parsing
+font.aliases files in XFree86. Thanks to ProPolice, these cannot be
+exploited to gain privileges, but they can cause the X server to abort.
-
+
A source code patch exists which remedies this problem.
-
-
-023: SECURITY FIX: June 9, 2004
+
+
-
+013: RELIABILITY FIX: March 8, 2004
All architectures
-Multiple remote vulnerabilities have been found in the
-cvs(1)
-server that allow an attacker to crash the server or possibly execute arbitrary
-code with the same privileges as the CVS server program.
+OpenBSD's TCP/IP stack did not impose limits on how many out-of-order
+TCP segments are queued in the system. An attacker could
+send out-of-order TCP segments and trick the system into using all
+available memory buffers.
-
+
A source code patch exists which remedies this problem.
-
-
-022: SECURITY FIX: May 30, 2004
+
+
-
+014: SECURITY FIX: March 13, 2004
All architectures
-A flaw in the Kerberos V
-kdc(8)
-server could result in the administrator of a Kerberos realm having
-the ability to impersonate any principal in any other realm which
-has established a cross-realm trust with their realm. The flaw is due to
-inadequate checking of the "transited" field in a Kerberos request. For
-more details see
-Heimdal's announcement.
+Due to a bug in the parsing of Allow/Deny rules for
+httpd(8)'s
+access module, using IP addresses without a netmask on big endian 64-bit
+platforms causes the rules to fail to match. This only affects sparc64.
-
+
A source code patch exists which remedies this problem.
-
-
-021: SECURITY FIX: May 20, 2004
+
+
-
+015: RELIABILITY FIX: March 17, 2004
All architectures
-A heap overflow in the
-cvs(1)
-server has been discovered that can be exploited by clients sending
-malformed requests, enabling these clients to run arbitrary code
-with the same privileges as the CVS server program.
+Defects in the payload validation and processing functions of
+isakmpd(8)
+have been discovered. An attacker could send malformed ISAKMP messages and
+cause isakmpd to crash or to loop endlessly. This patch fixes these problems
+and removes some memory leaks.
-
+
A source code patch exists which remedies this problem.
-
-
-020: SECURITY FIX: May 13, 2004
+
+
-
+016: RELIABILITY FIX: March 17, 2004
All architectures
-Check for integer overflow in procfs. Use of procfs is not recommended.
+A missing check for a NULL-pointer dereference has been found in
+ssl(3).
+A remote attacker can use the bug to cause an OpenSSL application to crash;
+this may lead to a denial of service.
-
+
A source code patch exists which remedies this problem.
-
-
-019: RELIABILITY FIX: May 6, 2004
+
+
-
+017: SECURITY FIX: May 5, 2004
All architectures
-Reply to in-window SYN with a rate-limited ACK.
+Pathname validation problems have been found in
+cvs(1),
+allowing malicious clients to create files outside the repository, allowing
+malicious servers to overwrite files outside the local CVS tree on
+the client and allowing clients to check out files outside the CVS
+repository.
-
+
A source code patch exists which remedies this problem.
+
-
018: RELIABILITY FIX: May 5, 2004
All architectures
@@ -293,191 +297,225 @@
A source code patch exists which remedies this problem.
-
-
-017: SECURITY FIX: May 5, 2004
+
+
-
+019: RELIABILITY FIX: May 6, 2004
All architectures
-Pathname validation problems have been found in
-cvs(1),
-allowing malicious clients to create files outside the repository, allowing
-malicious servers to overwrite files outside the local CVS tree on
-the client and allowing clients to check out files outside the CVS
-repository.
+Reply to in-window SYN with a rate-limited ACK.
-
+
A source code patch exists which remedies this problem.
-
-
-016: RELIABILITY FIX: March 17, 2004
+
+
-
+020: SECURITY FIX: May 13, 2004
All architectures
-A missing check for a NULL-pointer dereference has been found in
-ssl(3).
-A remote attacker can use the bug to cause an OpenSSL application to crash;
-this may lead to a denial of service.
+Check for integer overflow in procfs. Use of procfs is not recommended.
-
+
A source code patch exists which remedies this problem.
-
-
-015: RELIABILITY FIX: March 17, 2004
+
+
-
+021: SECURITY FIX: May 20, 2004
All architectures
-Defects in the payload validation and processing functions of
-isakmpd(8)
-have been discovered. An attacker could send malformed ISAKMP messages and
-cause isakmpd to crash or to loop endlessly. This patch fixes these problems
-and removes some memory leaks.
+A heap overflow in the
+cvs(1)
+server has been discovered that can be exploited by clients sending
+malformed requests, enabling these clients to run arbitrary code
+with the same privileges as the CVS server program.
-
+
A source code patch exists which remedies this problem.
-
-
-014: SECURITY FIX: March 13, 2004
+
+
-
+022: SECURITY FIX: May 30, 2004
All architectures
-Due to a bug in the parsing of Allow/Deny rules for
-httpd(8)'s
-access module, using IP addresses without a netmask on big endian 64-bit
-platforms causes the rules to fail to match. This only affects sparc64.
+A flaw in the Kerberos V
+kdc(8)
+server could result in the administrator of a Kerberos realm having
+the ability to impersonate any principal in any other realm which
+has established a cross-realm trust with their realm. The flaw is due to
+inadequate checking of the "transited" field in a Kerberos request. For
+more details see
+Heimdal's announcement.
-
+
A source code patch exists which remedies this problem.
-
-
-013: RELIABILITY FIX: March 8, 2004
+
+
-
+023: SECURITY FIX: June 9, 2004
All architectures
-OpenBSD's TCP/IP stack did not impose limits on how many out-of-order
-TCP segments are queued in the system. An attacker could
-send out-of-order TCP segments and trick the system into using all
-available memory buffers.
+Multiple remote vulnerabilities have been found in the
+cvs(1)
+server that allow an attacker to crash the server or possibly execute arbitrary
+code with the same privileges as the CVS server program.
-
+
A source code patch exists which remedies this problem.
-
-
-012: RELIABILITY FIX: February 14, 2004
+
+
-
+024: SECURITY FIX: June 10, 2004
All architectures
-Several buffer overflows exist in the code parsing
-font.aliases files in XFree86. Thanks to ProPolice, these cannot be
-exploited to gain privileges, but they can cause the X server to abort.
+As
+disclosed
+by Thomas Walpuski
+isakmpd(8)
+is still vulnerable to unauthorized SA deletion. An attacker can delete IPsec
+tunnels at will.
-
+
A source code patch exists which remedies this problem.
-
-
-011: SECURITY FIX: February 8, 2004
+
+
-
+025: SECURITY FIX: June 12, 2004
All architectures
-An IPv6 MTU handling problem exists that could be used by an attacker
-to cause a denial of service attack against hosts with reachable IPv6
-TCP ports.
+Multiple vulnerabilities have been found in
+httpd(8)
+/ mod_ssl.
+CAN-2003-0020,
+CAN-2003-0987,
+CAN-2004-0488,
+CAN-2004-0492.
-
+
A source code patch exists which remedies this problem.
-
-
-010: SECURITY FIX: February 5, 2004
+
+
-
+026: RELIABILITY FIX: Jul 25, 2004
All architectures
-A reference counting bug exists in the
-shmat(2)
-system call that could be used by an attacker to write to kernel memory
-under certain circumstances.
+Under a certain network load the kernel can run out of stack space. This was
+encountered in an environment using CARP on a VLAN interface. This issue initially
+manifested itself as a FPU related crash on boot up.
-
+
A source code patch exists which remedies this problem.
-
-
-009: SECURITY FIX: January 13, 2004
+
+
-
+027: RELIABILITY FIX: August 25, 2004
All architectures
-Several message handling flaws in
-isakmpd(8)
-have been reported by Thomas Walpuski. These allow an attacker to delete arbitrary SAs. The patch also
-includes a reliability fix for a filedescriptor leak that causes problems when a crypto card is
-installed.
+Improved verification of ICMP errors in order to minimize the impact of ICMP attacks
+against TCP.
-
+http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html
+
+
A source code patch exists which remedies this problem.
-
-
-008: RELIABILITY FIX: November 20, 2003
+
+
+
+
+
+
-
+035: SECURITY FIX: December 13, 2004
All architectures
-An improper bounds check makes it possible for a local user to cause a crash
-by passing the
-semctl(2) and
-semop(2) functions
-certain arguments.
+On systems running
+isakmpd(8)
+it is possible for a local user to cause kernel memory corruption
+and system panic by setting
+ipsec(4)
+credentials on a socket.
-
+
A source code patch exists which remedies this problem.
-
-
-007: RELIABILITY FIX: November 20, 2003
+
+
-
+034: RELIABILITY FIX: November 10, 2004
All architectures
-It is possible for a local user to cause a crash via
-sysctl(3) with certain arguments.
+Due to a bug in
+lynx(1)
+it is possible for pages such as
+this
+to cause
+lynx(1)
+to exhaust memory and then crash when parsing such pages.
-
+
A source code patch exists which remedies this problem.
-
-
-006: SECURITY FIX: November 17, 2003
- i386 only
-It may be possible for a local user to overrun the stack in
-compat_ibcs2(8).
-ProPolice catches this, turning a potential privilege escalation into a denial
-of service. iBCS2 emulation does not need to be enabled via
-sysctl(8)
-for this to happen.
+
+ -
+033: RELIABILITY FIX: November 10, 2004
+ All architectures
+pppd(8)
+contains a bug that allows an attacker to crash his own connection, but it cannot
+be used to deny service to other users.
-
+
A source code patch exists which remedies this problem.
-
-
-005: RELIABILITY FIX: November 4, 2003
+
+
-
+032: RELIABILITY FIX: November 10, 2004
All architectures
-It is possible for a local user to cause a system panic by executing a specially crafted binary with an invalid header.
+BIND contains a bug which results in BIND trying to contact nameservers via IPv6, even in
+cases where IPv6 connectivity is non-existent. This results in unnecessary timeouts and
+thus slow DNS queries.
-
+
A source code patch exists which remedies this problem.
-
-
-004: RELIABILITY FIX: November 1, 2003
+
+
-
+031: SECURITY FIX: September 20, 2004
All architectures
-A user with write permission to httpd.conf
or a .htaccess
-file can crash
-httpd(8)
-or potentially run arbitrary code as the user www
(although it
-is believed that ProPolice will prevent code execution).
+Eilko Bos reported that radius authentication, as implemented by
+login_radius(8),
+was not checking the shared secret used for replies sent by the radius server.
+This could allow an attacker to spoof a reply granting access to the
+attacker. Note that OpenBSD does not ship with radius authentication enabled.
-
+
A source code patch exists which remedies this problem.
-
-
-003: RELIABILITY FIX: November 1, 2003
+
+
-
+030: SECURITY FIX: September 16, 2004
All architectures
-It is possible for a local user to cause a system panic by flooding it with spoofed ARP
-requests.
-
+Chris Evans reported several flaws (stack and integer overflows) in the
+Xpm
+library code that parses image files
+(CAN-2004-0687,
+CAN-2004-0688).
+Some of these would be exploitable when parsing malicious image files in
+an application that handles XPM images, if they could escape ProPolice.
+
+
A source code patch exists which remedies this problem.
-
-
-002: SECURITY FIX: November 1, 2003
+
+
-
+029: SECURITY FIX: September 10, 2004
All architectures
-The use of certain ASN.1 encodings or malformed public keys may allow an
-attacker to mount a denial of service attack against applications linked with
-ssl(3).
-This does not affect OpenSSH.
-
+httpd(8)
+'s mod_rewrite module can be made to write one zero byte in an arbitrary memory
+position outside of a char array, causing a DoS or possibly buffer overflows.
+This would require enabling dbm for mod_rewrite and making use of a malicious
+dbm file.
+
+
A source code patch exists which remedies this problem.
-
-
-001: DOCUMENTATION FIX: November 1, 2003
+
+
-
+028: RELIABILITY FIX: August 26, 2004
All architectures
-The CD insert documentation has an incorrect example for package installation.
-Where it is written:
-
-# pkg_add https://ftp.openbsd.org/pub/OpenBSD/3.4/packages/i386
-It should instead read:
-
-# pkg_add https://ftp.openbsd.org/pub/OpenBSD/3.4/packages/i386/
-The extra / at the end is important. We do not make
-patch files available for things printed on paper.
+As
+reported
+by Vafa Izadinia
+bridge(4)
+with IPsec processing enabled can be crashed remotely by a single ICMP echo traversing the bridge.
+
+
+A source code patch exists which remedies this problem.