version 1.71, 2017/03/28 06:41:18 |
version 1.72, 2017/06/26 17:18:57 |
|
|
<font color="#009000"><strong>033: SECURITY FIX: April 28, 2005</strong></font> |
<font color="#009000"><strong>033: SECURITY FIX: April 28, 2005</strong></font> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
Fix a buffer overflow, memory leaks, and NULL pointer dereference in |
Fix a buffer overflow, memory leaks, and NULL pointer dereference in |
<a href="http://man.openbsd.org/OpenBSD-3.5/cvs.1">cvs(1)</a> |
<a href="https://man.openbsd.org/OpenBSD-3.5/cvs.1">cvs(1)</a> |
. None of these issues are known to be exploitable. |
. None of these issues are known to be exploitable. |
<a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0753">CAN-2005-0753</a> |
<a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0753">CAN-2005-0753</a> |
. |
. |
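Review bot: the CAN-2005-0753 link to www.cve.mitre.org in this entry stays on http:// in both versions, while the cvs(1) link next to it moves to https://man.openbsd.org. If the intent of the revision is to stop serving plain-HTTP links from the errata page, switch the CVE link in the same pass once the host is confirmed to serve HTTPS. Otherwise, say in the commit message that only man.openbsd.org links are in scope.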
|
|
<font color="#009000"><strong>032: RELIABILITY FIX: April 4, 2005</strong></font> |
<font color="#009000"><strong>032: RELIABILITY FIX: April 4, 2005</strong></font> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
Handle an edge condition in |
Handle an edge condition in |
<a href="http://man.openbsd.org/OpenBSD-3.5/tcp.4">tcp(4)</a> |
<a href="https://man.openbsd.org/OpenBSD-3.5/tcp.4">tcp(4)</a> |
timestamps. |
timestamps. |
<br> |
<br> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/032_tcp2.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/032_tcp2.patch"> |
|
|
<font color="#009000"><strong>031: SECURITY FIX: March 30, 2005</strong></font> |
<font color="#009000"><strong>031: SECURITY FIX: March 30, 2005</strong></font> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
Due to buffer overflows in |
Due to buffer overflows in |
<a href="http://man.openbsd.org/OpenBSD-3.5/telnet.1">telnet(1)</a> |
<a href="https://man.openbsd.org/OpenBSD-3.5/telnet.1">telnet(1)</a> |
, a malicious server or man-in-the-middle attack could allow execution of |
, a malicious server or man-in-the-middle attack could allow execution of |
arbitrary code with the privileges of the user invoking |
arbitrary code with the privileges of the user invoking |
<a href="http://man.openbsd.org/OpenBSD-3.5/telnet.1">telnet(1)</a> |
<a href="https://man.openbsd.org/OpenBSD-3.5/telnet.1">telnet(1)</a> |
. |
. |
<br> |
<br> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/031_telnet.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/031_telnet.patch"> |
|
|
<font color="#009000"><strong>030: RELIABILITY FIX: March 30, 2005</strong></font> |
<font color="#009000"><strong>030: RELIABILITY FIX: March 30, 2005</strong></font> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
Bugs in the |
Bugs in the |
<a href="http://man.openbsd.org/OpenBSD-3.5/tcp.4">tcp(4)</a> |
<a href="https://man.openbsd.org/OpenBSD-3.5/tcp.4">tcp(4)</a> |
stack can lead to memory exhaustion or processing of TCP segments with |
stack can lead to memory exhaustion or processing of TCP segments with |
invalid SACK options and cause a system crash. |
invalid SACK options and cause a system crash. |
<br> |
<br> |
|
|
<font color="#009000"><strong>029: SECURITY FIX: March 16, 2005</strong></font> |
<font color="#009000"><strong>029: SECURITY FIX: March 16, 2005</strong></font> |
<i>amd64 only</i><br> |
<i>amd64 only</i><br> |
More stringent checking should be done in the |
More stringent checking should be done in the |
<a href="http://man.openbsd.org/OpenBSD-3.5/copy.9">copy(9)</a> |
<a href="https://man.openbsd.org/OpenBSD-3.5/copy.9">copy(9)</a> |
functions to prevent their misuse. |
functions to prevent their misuse. |
<br> |
<br> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/amd64/029_copy.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/amd64/029_copy.patch"> |
|
|
<font color="#009000"><strong>028: SECURITY FIX: February 28, 2005</strong></font> |
<font color="#009000"><strong>028: SECURITY FIX: February 28, 2005</strong></font> |
<i>i386 only</i><br> |
<i>i386 only</i><br> |
More stringent checking should be done in the |
More stringent checking should be done in the |
<a href="http://man.openbsd.org/OpenBSD-3.5/copy.9">copy(9)</a> |
<a href="https://man.openbsd.org/OpenBSD-3.5/copy.9">copy(9)</a> |
functions to prevent their misuse. |
functions to prevent their misuse. |
<br> |
<br> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/i386/028_locore.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/i386/028_locore.patch"> |
|
|
<font color="#009000"><strong>027: RELIABILITY FIX: January 11, 2005</strong></font> |
<font color="#009000"><strong>027: RELIABILITY FIX: January 11, 2005</strong></font> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
A bug in the |
A bug in the |
<a href="http://man.openbsd.org/OpenBSD-3.5/tcp.4">tcp(4)</a> |
<a href="https://man.openbsd.org/OpenBSD-3.5/tcp.4">tcp(4)</a> |
stack allows an invalid argument to be used in calculating the TCP |
stack allows an invalid argument to be used in calculating the TCP |
retransmit timeout. By sending packets with specific values in the TCP |
retransmit timeout. By sending packets with specific values in the TCP |
timestamp option, an attacker can cause a system panic. |
timestamp option, an attacker can cause a system panic. |
|
|
<li id="httpd3"> |
<li id="httpd3"> |
<font color="#009000"><strong>026: SECURITY FIX: January 12, 2005</strong></font> |
<font color="#009000"><strong>026: SECURITY FIX: January 12, 2005</strong></font> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
<a href="http://man.openbsd.org/OpenBSD-3.5/httpd.8">httpd(8)</a> |
<a href="https://man.openbsd.org/OpenBSD-3.5/httpd.8">httpd(8)</a> |
's mod_include module fails to properly validate the length of |
's mod_include module fails to properly validate the length of |
user supplied tag strings prior to copying them to a local buffer, |
user supplied tag strings prior to copying them to a local buffer, |
causing a buffer overflow. |
causing a buffer overflow. |
|
|
<font color="#009000"><strong>025: RELIABILITY FIX: January 6, 2005</strong></font> |
<font color="#009000"><strong>025: RELIABILITY FIX: January 6, 2005</strong></font> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
The |
The |
<a href="http://man.openbsd.org/OpenBSD-3.5/getcwd.3">getcwd(3)</a> |
<a href="https://man.openbsd.org/OpenBSD-3.5/getcwd.3">getcwd(3)</a> |
library function contains a memory management error, which causes failure |
library function contains a memory management error, which causes failure |
to retrieve the current working directory if the path is very long. |
to retrieve the current working directory if the path is very long. |
<br> |
<br> |
|
|
<font color="#009000"><strong>024: SECURITY FIX: December 14, 2004</strong></font> |
<font color="#009000"><strong>024: SECURITY FIX: December 14, 2004</strong></font> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
On systems running |
On systems running |
<a href="http://man.openbsd.org/OpenBSD-3.5/isakmpd.8">isakmpd(8)</a> |
<a href="https://man.openbsd.org/OpenBSD-3.5/isakmpd.8">isakmpd(8)</a> |
it is possible for a local user to cause kernel memory corruption |
it is possible for a local user to cause kernel memory corruption |
and system panic by setting |
and system panic by setting |
<a href="http://man.openbsd.org/OpenBSD-3.5/ipsec.4">ipsec(4)</a> |
<a href="https://man.openbsd.org/OpenBSD-3.5/ipsec.4">ipsec(4)</a> |
credentials on a socket. |
credentials on a socket. |
<br> |
<br> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/024_pfkey.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/024_pfkey.patch"> |
|
|
<font color="#009000"><strong>023: RELIABILITY FIX: November 10, 2004</strong></font> |
<font color="#009000"><strong>023: RELIABILITY FIX: November 10, 2004</strong></font> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
Due to a bug in |
Due to a bug in |
<a href="http://man.openbsd.org/OpenBSD-3.5/lynx.1">lynx(1)</a> |
<a href="https://man.openbsd.org/OpenBSD-3.5/lynx.1">lynx(1)</a> |
it is possible for pages such as |
it is possible for pages such as |
<a href="http://lcamtuf.coredump.cx/mangleme/gallery/lynx_die1.html">this</a> |
<a href="http://lcamtuf.coredump.cx/mangleme/gallery/lynx_die1.html">this</a> |
to cause |
to cause |
<a href="http://man.openbsd.org/OpenBSD-3.5/lynx.1">lynx(1)</a> |
<a href="https://man.openbsd.org/OpenBSD-3.5/lynx.1">lynx(1)</a> |
to exhaust memory and then crash when parsing such pages. |
to exhaust memory and then crash when parsing such pages. |
<br> |
<br> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/023_lynx.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/023_lynx.patch"> |
|
|
<li id="pppd"> |
<li id="pppd"> |
<font color="#009000"><strong>022: RELIABILITY FIX: November 10, 2004</strong></font> |
<font color="#009000"><strong>022: RELIABILITY FIX: November 10, 2004</strong></font> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
<a href="http://man.openbsd.org/OpenBSD-3.5/pppd.8">pppd(8)</a> |
<a href="https://man.openbsd.org/OpenBSD-3.5/pppd.8">pppd(8)</a> |
contains a bug that allows an attacker to crash his own connection, but it cannot |
contains a bug that allows an attacker to crash his own connection, but it cannot |
be used to deny service to other users. |
be used to deny service to other users. |
<br> |
<br> |
|
|
<font color="#009000"><strong>020: SECURITY FIX: September 20, 2004</strong></font> |
<font color="#009000"><strong>020: SECURITY FIX: September 20, 2004</strong></font> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
Eilko Bos reported that radius authentication, as implemented by |
Eilko Bos reported that radius authentication, as implemented by |
<a href="http://man.openbsd.org/OpenBSD-3.5/login_radius.8">login_radius(8)</a>, |
<a href="https://man.openbsd.org/OpenBSD-3.5/login_radius.8">login_radius(8)</a>, |
was not checking the shared secret used for replies sent by the radius server. |
was not checking the shared secret used for replies sent by the radius server. |
This could allow an attacker to spoof a reply granting access to the |
This could allow an attacker to spoof a reply granting access to the |
attacker. Note that OpenBSD does not ship with radius authentication enabled. |
attacker. Note that OpenBSD does not ship with radius authentication enabled. |
|
|
<li id="httpd2"> |
<li id="httpd2"> |
<font color="#009000"><strong>018: SECURITY FIX: September 10, 2004</strong></font> |
<font color="#009000"><strong>018: SECURITY FIX: September 10, 2004</strong></font> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
<a href="http://man.openbsd.org/OpenBSD-3.5/httpd.8">httpd(8)</a> |
<a href="https://man.openbsd.org/OpenBSD-3.5/httpd.8">httpd(8)</a> |
's mod_rewrite module can be made to write one zero byte in an arbitrary memory |
's mod_rewrite module can be made to write one zero byte in an arbitrary memory |
position outside of a char array, causing a DoS or possibly buffer overflows. |
position outside of a char array, causing a DoS or possibly buffer overflows. |
This would require enabling dbm for mod_rewrite and making use of a malicious |
This would require enabling dbm for mod_rewrite and making use of a malicious |
|
|
As |
As |
<a href="http://marc.info/?l=bugtraq&m=109345131508824&w=2">reported</a> |
<a href="http://marc.info/?l=bugtraq&m=109345131508824&w=2">reported</a> |
by Vafa Izadinia |
by Vafa Izadinia |
<a href="http://man.openbsd.org/OpenBSD-3.5/bridge.4">bridge(4)</a> |
<a href="https://man.openbsd.org/OpenBSD-3.5/bridge.4">bridge(4)</a> |
with IPsec processing enabled can be crashed remotely by a single ICMP echo traversing the bridge. |
with IPsec processing enabled can be crashed remotely by a single ICMP echo traversing the bridge. |
<br> |
<br> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/016_bridge.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/016_bridge.patch"> |
|
|
<font color="#009000"><strong>013: SECURITY FIX: June 12, 2004</strong></font> |
<font color="#009000"><strong>013: SECURITY FIX: June 12, 2004</strong></font> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
Multiple vulnerabilities have been found in |
Multiple vulnerabilities have been found in |
<a href="http://man.openbsd.org/OpenBSD-3.5/httpd.8">httpd(8)</a> |
<a href="https://man.openbsd.org/OpenBSD-3.5/httpd.8">httpd(8)</a> |
/ mod_ssl. |
/ mod_ssl. |
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020">CAN-2003-0020</a>, |
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020">CAN-2003-0020</a>, |
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0987">CAN-2003-0987</a>, |
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0987">CAN-2003-0987</a>, |
|
|
As |
As |
<a href="http://seclists.org/lists/fulldisclosure/2004/Jun/0191.html">disclosed</a> |
<a href="http://seclists.org/lists/fulldisclosure/2004/Jun/0191.html">disclosed</a> |
by Thomas Walpuski |
by Thomas Walpuski |
<a href="http://man.openbsd.org/OpenBSD-3.5/isakmpd.8">isakmpd(8)</a> |
<a href="https://man.openbsd.org/OpenBSD-3.5/isakmpd.8">isakmpd(8)</a> |
is still vulnerable to unauthorized SA deletion. An attacker can delete IPsec |
is still vulnerable to unauthorized SA deletion. An attacker can delete IPsec |
tunnels at will. |
tunnels at will. |
<br> |
<br> |
|
|
<font color="#009000"><strong>011: SECURITY FIX: June 9, 2004</strong></font> |
<font color="#009000"><strong>011: SECURITY FIX: June 9, 2004</strong></font> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
Multiple remote vulnerabilities have been found in the |
Multiple remote vulnerabilities have been found in the |
<a href="http://man.openbsd.org/OpenBSD-3.5/cvs.1">cvs(1)</a> |
<a href="https://man.openbsd.org/OpenBSD-3.5/cvs.1">cvs(1)</a> |
server that allow an attacker to crash the server or possibly execute arbitrary |
server that allow an attacker to crash the server or possibly execute arbitrary |
code with the same privileges as the CVS server program. |
code with the same privileges as the CVS server program. |
<br> |
<br> |
|
|
<font color="#00900"><strong>009: SECURITY FIX: May 30, 2004</strong></font> |
<font color="#00900"><strong>009: SECURITY FIX: May 30, 2004</strong></font> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
A flaw in the Kerberos V |
A flaw in the Kerberos V |
<a href="http://man.openbsd.org/OpenBSD-3.5/kdc">kdc(8)</a> |
<a href="https://man.openbsd.org/OpenBSD-3.5/kdc">kdc(8)</a> |
server could result in the administrator of a Kerberos realm having |
server could result in the administrator of a Kerberos realm having |
the ability to impersonate any principal in any other realm which |
the ability to impersonate any principal in any other realm which |
has established a cross-realm trust with their realm. The flaw is due to |
has established a cross-realm trust with their realm. The flaw is due to |
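Review bot: the kdc(8) href changed in this entry ends in OpenBSD-3.5/kdc with no section suffix, unlike the other man links in this diff (cvs.1, tcp.4, isakmpd.8). Since the line is being touched anyway, consider OpenBSD-3.5/kdc.8 after confirming that it resolves. The heading's font color="#00900" is also five hex digits where the other entries use #009000.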
|
|
<font color="#00900"><strong>008: SECURITY FIX: May 26, 2004</strong></font> |
<font color="#00900"><strong>008: SECURITY FIX: May 26, 2004</strong></font> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
With the introduction of IPv6 code in |
With the introduction of IPv6 code in |
<a href="http://man.openbsd.org/OpenBSD-3.5/xdm.1">xdm(1)</a>, |
<a href="https://man.openbsd.org/OpenBSD-3.5/xdm.1">xdm(1)</a>, |
one test on the 'requestPort' resource was deleted by accident. This |
one test on the 'requestPort' resource was deleted by accident. This |
makes xdm create the chooser socket even if xdmcp is disabled in |
makes xdm create the chooser socket even if xdmcp is disabled in |
xdm-config, by setting requestPort to 0. See |
xdm-config, by setting requestPort to 0. See |
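Review bot: the heading of this entry carries font color="#00900", five hex digits, unchanged on both sides, where the other entries use #009000. It looks like a dropped digit and could be corrected in the same revision so that the 008 heading matches the rest of the list.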
|
|
<font color="#009000"><strong>007: SECURITY FIX: May 20, 2004</strong></font> |
<font color="#009000"><strong>007: SECURITY FIX: May 20, 2004</strong></font> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
A heap overflow in the |
A heap overflow in the |
<a href="http://man.openbsd.org/OpenBSD-3.5/cvs.1">cvs(1)</a> |
<a href="https://man.openbsd.org/OpenBSD-3.5/cvs.1">cvs(1)</a> |
server has been discovered that can be exploited by clients sending |
server has been discovered that can be exploited by clients sending |
malformed requests, enabling these clients to run arbitrary code |
malformed requests, enabling these clients to run arbitrary code |
with the same privileges as the CVS server program. |
with the same privileges as the CVS server program. |
|
|
<font color="#009000"><strong>004: RELIABILITY FIX: May 5, 2004</strong></font> |
<font color="#009000"><strong>004: RELIABILITY FIX: May 5, 2004</strong></font> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
Restore the ability to negotiate tags/wide/sync with some SCSI controllers ( i.e. |
Restore the ability to negotiate tags/wide/sync with some SCSI controllers ( i.e. |
<a href="http://man.openbsd.org/OpenBSD-3.5/siop.4">siop(4)</a>, |
<a href="https://man.openbsd.org/OpenBSD-3.5/siop.4">siop(4)</a>, |
<a href="http://man.openbsd.org/OpenBSD-3.5/trm.4">trm(4)</a>, |
<a href="https://man.openbsd.org/OpenBSD-3.5/trm.4">trm(4)</a>, |
<a href="http://man.openbsd.org/OpenBSD-3.5/iha.4">iha(4)</a> |
<a href="https://man.openbsd.org/OpenBSD-3.5/iha.4">iha(4)</a> |
). |
). |
<br> |
<br> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/004_scsi.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/004_scsi.patch"> |
|
|
<font color="#009000"><strong>003: RELIABILITY FIX: May 5, 2004</strong></font> |
<font color="#009000"><strong>003: RELIABILITY FIX: May 5, 2004</strong></font> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
Under load "recent model" |
Under load "recent model" |
<a href="http://man.openbsd.org/OpenBSD-3.5/gdt.4">gdt(4)</a> |
<a href="https://man.openbsd.org/OpenBSD-3.5/gdt.4">gdt(4)</a> |
controllers will lock up. |
controllers will lock up. |
<br> |
<br> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/003_gdt.patch"> |
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/003_gdt.patch"> |
|
|
<font color="#009000"><strong>002: SECURITY FIX: May 5, 2004</strong></font> |
<font color="#009000"><strong>002: SECURITY FIX: May 5, 2004</strong></font> |
<i>All architectures</i><br> |
<i>All architectures</i><br> |
Pathname validation problems have been found in |
Pathname validation problems have been found in |
<a href="http://man.openbsd.org/OpenBSD-3.5/cvs.1">cvs(1)</a>, |
<a href="https://man.openbsd.org/OpenBSD-3.5/cvs.1">cvs(1)</a>, |
allowing malicious clients to create files outside the repository, allowing |
allowing malicious clients to create files outside the repository, allowing |
malicious servers to overwrite files outside the local CVS tree on |
malicious servers to overwrite files outside the local CVS tree on |
the client and allowing clients to check out files outside the CVS |
the client and allowing clients to check out files outside the CVS |