===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/errata35.html,v
retrieving revision 1.60
retrieving revision 1.61
diff -c -r1.60 -r1.61
*** www/errata35.html 2016/02/20 14:18:42 1.60
--- www/errata35.html 2016/03/21 05:46:20 1.61
***************
*** 87,93 ****
033: SECURITY FIX: April 28, 2005
All architectures
Fix a buffer overflow, memory leaks, and NULL pointer dereference in
! cvs(1)
. None of these issues are known to be exploitable.
CAN-2005-0753
.
--- 87,93 ----
033: SECURITY FIX: April 28, 2005
All architectures
Fix a buffer overflow, memory leaks, and NULL pointer dereference in
! cvs(1)
. None of these issues are known to be exploitable.
CAN-2005-0753
.
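Review bot: the context line `CAN-2005-0753` under 033 still uses the retired CAN- candidate prefix. Since this entry is being touched anyway, consider writing it as CVE-2005-0753 so it matches how the identifier is indexed today.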
***************
*** 100,106 ****
032: RELIABILITY FIX: April 4, 2005
All architectures
Handle an edge condition in
! tcp(4)
timestamps.
--- 100,106 ----
032: RELIABILITY FIX: April 4, 2005
All architectures
Handle an edge condition in
! tcp(4)
timestamps.
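Review bot: the changed line `! tcp(4)` reads the same on both sides of this hunk, and the same is true of every other hunk in this revision, so the text alone does not show what 1.61 changed. A log message saying what was altered around the manual page references would let a reader verify the change without opening the raw HTML.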
***************
*** 111,120 ****
031: SECURITY FIX: March 30, 2005
All architectures
Due to buffer overflows in
! telnet(1)
, a malicious server or man-in-the-middle attack could allow execution of
arbitrary code with the privileges of the user invoking
! telnet(1)
.
--- 111,120 ----
031: SECURITY FIX: March 30, 2005
All architectures
Due to buffer overflows in
! telnet(1)
, a malicious server or man-in-the-middle attack could allow execution of
arbitrary code with the privileges of the user invoking
! telnet(1)
.
***************
*** 125,131 ****
030: RELIABILITY FIX: March 30, 2005
All architectures
Bugs in the
! tcp(4)
stack can lead to memory exhaustion or processing of TCP segments with
invalid SACK options and cause a system crash.
--- 125,131 ----
030: RELIABILITY FIX: March 30, 2005
All architectures
Bugs in the
! tcp(4)
stack can lead to memory exhaustion or processing of TCP segments with
invalid SACK options and cause a system crash.
***************
*** 137,143 ****
029: SECURITY FIX: March 16, 2005
amd64 only
More stringent checking should be done in the
! copy(9)
functions to prevent their misuse.
--- 137,143 ----
029: SECURITY FIX: March 16, 2005
amd64 only
More stringent checking should be done in the
! copy(9)
functions to prevent their misuse.
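Review bot: the 029 body, "More stringent checking should be done in the copy(9) functions to prevent their misuse", reads as a to-do rather than a description of a fix, and gives no impact for an entry labelled SECURITY FIX. Suggest stating what the patch now checks and what misuse could lead to; the identical sentence under 028 needs the same treatment.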
***************
*** 148,154 ****
028: SECURITY FIX: February 28, 2005
i386 only
More stringent checking should be done in the
! copy(9)
functions to prevent their misuse.
--- 148,154 ----
028: SECURITY FIX: February 28, 2005
i386 only
More stringent checking should be done in the
! copy(9)
functions to prevent their misuse.
***************
*** 159,165 ****
027: RELIABILITY FIX: January 11, 2005
All architectures
A bug in the
! tcp(4)
stack allows an invalid argument to be used in calculating the TCP
retransmit timeout. By sending packets with specific values in the TCP
timestamp option, an attacker can cause a system panic.
--- 159,165 ----
027: RELIABILITY FIX: January 11, 2005
All architectures
A bug in the
! tcp(4)
stack allows an invalid argument to be used in calculating the TCP
retransmit timeout. By sending packets with specific values in the TCP
timestamp option, an attacker can cause a system panic.
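Review bot: the 027 heading says RELIABILITY FIX, but the body states that "an attacker can cause a system panic" by sending packets, while 024 in this same file labels a panic triggered by a local user as SECURITY FIX. If the distinction is deliberate, a short note on the page explaining how the two labels are assigned would help readers triaging these entries; otherwise the headings should be aligned.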
***************
*** 171,177 ****
026: SECURITY FIX: January 12, 2005
All architectures
! httpd(8)
's mod_include module fails to properly validate the length of
user supplied tag strings prior to copying them to a local buffer,
causing a buffer overflow.
--- 171,177 ----
026: SECURITY FIX: January 12, 2005
All architectures
! httpd(8)
's mod_include module fails to properly validate the length of
user supplied tag strings prior to copying them to a local buffer,
causing a buffer overflow.
***************
*** 187,193 ****
025: RELIABILITY FIX: January 6, 2005
All architectures
The
! getcwd(3)
library function contains a memory management error, which causes failure
to retrieve the current working directory if the path is very long.
--- 187,193 ----
025: RELIABILITY FIX: January 6, 2005
All architectures
The
! getcwd(3)
library function contains a memory management error, which causes failure
to retrieve the current working directory if the path is very long.
***************
*** 199,208 ****
024: SECURITY FIX: December 14, 2004
All architectures
On systems running
! isakmpd(8)
it is possible for a local user to cause kernel memory corruption
and system panic by setting
! ipsec(4)
credentials on a socket.
--- 199,208 ----
024: SECURITY FIX: December 14, 2004
All architectures
On systems running
! isakmpd(8)
it is possible for a local user to cause kernel memory corruption
and system panic by setting
! ipsec(4)
credentials on a socket.
***************
*** 212,222 ****
023: RELIABILITY FIX: November 10, 2004
All architectures
Due to a bug in
! lynx(1)
it is possible for pages such as
this
to cause
! lynx(1)
to exhaust memory and then crash when parsing such pages.
--- 212,222 ----
023: RELIABILITY FIX: November 10, 2004
All architectures
Due to a bug in
! lynx(1)
it is possible for pages such as
this
to cause
! lynx(1)
to exhaust memory and then crash when parsing such pages.
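Review bot: in 023 the link text is the bare word "this", and the sentence repeats itself ("pages such as this ... when parsing such pages"). Suggest a descriptive link text and dropping the trailing "when parsing such pages".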
***************
*** 225,231 ****
022: RELIABILITY FIX: November 10, 2004
All architectures
! pppd(8)
contains a bug that allows an attacker to crash his own connection, but it cannot
be used to deny service to other users.
--- 225,231 ----
022: RELIABILITY FIX: November 10, 2004
All architectures
! pppd(8)
contains a bug that allows an attacker to crash his own connection, but it cannot
be used to deny service to other users.
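Review bot: style point on the 022 body, "crash his own connection". Suggest "their own connection", or rephrase to "a user can only crash their own connection", which also makes the limited impact clearer.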
***************
*** 246,252 ****
020: SECURITY FIX: September 20, 2004
All architectures
Eilko Bos reported that radius authentication, as implemented by
! login_radius(8),
was not checking the shared secret used for replies sent by the radius server.
This could allow an attacker to spoof a reply granting access to the
attacker. Note that OpenBSD does not ship with radius authentication enabled.
--- 246,252 ----
020: SECURITY FIX: September 20, 2004
All architectures
Eilko Bos reported that radius authentication, as implemented by
! login_radius(8),
was not checking the shared secret used for replies sent by the radius server.
This could allow an attacker to spoof a reply granting access to the
attacker. Note that OpenBSD does not ship with radius authentication enabled.
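Review bot: in 020 the protocol name is written lower-case three times ("radius authentication", "the radius server"). It is an acronym and should be "RADIUS" in prose; `login_radius(8)` stays as it is.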
***************
*** 271,277 ****
018: SECURITY FIX: September 10, 2004
All architectures
! httpd(8)
's mod_rewrite module can be made to write one zero byte in an arbitrary memory
position outside of a char array, causing a DoS or possibly buffer overflows.
This would require enabling dbm for mod_rewrite and making use of a malicious
--- 271,277 ----
018: SECURITY FIX: September 10, 2004
All architectures
! httpd(8)
's mod_rewrite module can be made to write one zero byte in an arbitrary memory
position outside of a char array, causing a DoS or possibly buffer overflows.
This would require enabling dbm for mod_rewrite and making use of a malicious
***************
*** 297,303 ****
As
reported
by Vafa Izadinia
! bridge(4)
with IPsec processing enabled can be crashed remotely by a single ICMP echo traversing the bridge.
--- 297,303 ----
As
reported
by Vafa Izadinia
! bridge(4)
with IPsec processing enabled can be crashed remotely by a single ICMP echo traversing the bridge.
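Review bot: the sentence "As reported by Vafa Izadinia bridge(4) with IPsec processing enabled can be crashed remotely" runs the reporter's name straight into the subject. A comma after the name, or reordering to "bridge(4) with IPsec processing enabled can be crashed remotely ..., as reported by Vafa Izadinia", would fix it. The isakmpd(8) entry credited to Thomas Walpuski has the same construction.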
***************
*** 328,334 ****
013: SECURITY FIX: June 12, 2004
All architectures
Multiple vulnerabilities have been found in
! httpd(8)
/ mod_ssl.
CAN-2003-0020,
CAN-2003-0987,
--- 328,334 ----
013: SECURITY FIX: June 12, 2004
All architectures
Multiple vulnerabilities have been found in
! httpd(8)
/ mod_ssl.
CAN-2003-0020,
CAN-2003-0987,
***************
*** 344,350 ****
As
disclosed
by Thomas Walpuski
! isakmpd(8)
is still vulnerable to unauthorized SA deletion. An attacker can delete IPsec
tunnels at will.
--- 344,350 ----
As
disclosed
by Thomas Walpuski
! isakmpd(8)
is still vulnerable to unauthorized SA deletion. An attacker can delete IPsec
tunnels at will.
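Review bot: "is still vulnerable to unauthorized SA deletion" implies an earlier fix or advisory, but nothing in the visible lines of this entry points to it. Suggest referencing the earlier erratum or disclosure that "still" refers to, so the reader can tell which prior patch was incomplete.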
***************
*** 355,361 ****
011: SECURITY FIX: June 9, 2004
All architectures
Multiple remote vulnerabilities have been found in the
! cvs(1)
server that allow an attacker to crash the server or possibly execute arbitrary
code with the same privileges as the CVS server program.
--- 355,361 ----
011: SECURITY FIX: June 9, 2004
All architectures
Multiple remote vulnerabilities have been found in the
! cvs(1)
server that allow an attacker to crash the server or possibly execute arbitrary
code with the same privileges as the CVS server program.
***************
*** 377,383 ****
009: SECURITY FIX: May 30, 2004
All architectures
A flaw in the Kerberos V
! kdc(8)
server could result in the administrator of a Kerberos realm having
the ability to impersonate any principal in any other realm which
has established a cross-realm trust with their realm. The flaw is due to
--- 377,383 ----
009: SECURITY FIX: May 30, 2004
All architectures
A flaw in the Kerberos V
! kdc(8)
server could result in the administrator of a Kerberos realm having
the ability to impersonate any principal in any other realm which
has established a cross-realm trust with their realm. The flaw is due to
***************
*** 392,398 ****
008: SECURITY FIX: May 26, 2004
All architectures
With the introduction of IPv6 code in
! xdm(1),
one test on the 'requestPort' resource was deleted by accident. This
makes xdm create the chooser socket even if xdmcp is disabled in
xdm-config, by setting requestPort to 0. See
--- 392,398 ----
008: SECURITY FIX: May 26, 2004
All architectures
With the introduction of IPv6 code in
! xdm(1),
one test on the 'requestPort' resource was deleted by accident. This
makes xdm create the chooser socket even if xdmcp is disabled in
xdm-config, by setting requestPort to 0. See
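Review bot: in 008 the trailing clause "by setting requestPort to 0" is ambiguous; as written it can be read as the action that makes xdm create the chooser socket rather than as the way xdmcp is disabled. Suggest "even if xdmcp is disabled in xdm-config (requestPort set to 0)".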
***************
*** 406,412 ****
007: SECURITY FIX: May 20, 2004
All architectures
A heap overflow in the
! cvs(1)
server has been discovered that can be exploited by clients sending
malformed requests, enabling these clients to run arbitrary code
with the same privileges as the CVS server program.
--- 406,412 ----
007: SECURITY FIX: May 20, 2004
All architectures
A heap overflow in the
! cvs(1)
server has been discovered that can be exploited by clients sending
malformed requests, enabling these clients to run arbitrary code
with the same privileges as the CVS server program.
***************
*** 434,442 ****
004: RELIABILITY FIX: May 5, 2004
All architectures
Restore the ability to negotiate tags/wide/sync with some SCSI controllers ( i.e.
! siop(4),
! trm(4),
! iha(4)
).
--- 434,442 ----
004: RELIABILITY FIX: May 5, 2004
All architectures
Restore the ability to negotiate tags/wide/sync with some SCSI controllers ( i.e.
! siop(4),
! trm(4),
! iha(4)
).
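Review bot: in 004, "some SCSI controllers ( i.e. siop(4), trm(4), iha(4) )" uses "i.e." for a list introduced by "some". If the three drivers are examples, use "e.g."; if they are the complete set, drop "some". The stray spaces inside the parentheses can go at the same time.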
***************
*** 446,452 ****
003: RELIABILITY FIX: May 5, 2004
All architectures
Under load "recent model"
! gdt(4)
controllers will lock up.
--- 446,452 ----
003: RELIABILITY FIX: May 5, 2004
All architectures
Under load "recent model"
! gdt(4)
controllers will lock up.
***************
*** 456,462 ****
002: SECURITY FIX: May 5, 2004
All architectures
Pathname validation problems have been found in
! cvs(1),
allowing malicious clients to create files outside the repository, allowing
malicious servers to overwrite files outside the local CVS tree on
the client and allowing clients to check out files outside the CVS
--- 456,462 ----
002: SECURITY FIX: May 5, 2004
All architectures
Pathname validation problems have been found in
! cvs(1),
allowing malicious clients to create files outside the repository, allowing
malicious servers to overwrite files outside the local CVS tree on
the client and allowing clients to check out files outside the CVS