=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/errata35.html,v retrieving revision 1.78 retrieving revision 1.79 diff -c -r1.78 -r1.79 *** www/errata35.html 2019/05/27 22:55:19 1.78 --- www/errata35.html 2019/05/28 16:32:42 1.79 *************** *** 84,274 ****

! 033: SECURITY FIX: April 28, 2005 All architectures
! Fix a buffer overflow, memory leaks, and NULL pointer dereference in ! cvs(1) ! . None of these issues are known to be exploitable. ! CAN-2005-0753 ! .
! A source code patch exists which remedies this problem.
!
! 032: RELIABILITY FIX: April 4, 2005 All architectures
! Handle an edge condition in ! tcp(4) ! timestamps.
! A source code patch exists which remedies this problem.
!
! 031: SECURITY FIX: March 30, 2005 All architectures
! Due to buffer overflows in ! telnet(1) ! , a malicious server or man-in-the-middle attack could allow execution of ! arbitrary code with the privileges of the user invoking ! telnet(1) ! .
! A source code patch exists which remedies this problem.
!
! 030: RELIABILITY FIX: March 30, 2005 All architectures
! Bugs in the ! tcp(4) ! stack can lead to memory exhaustion or processing of TCP segments with ! invalid SACK options and cause a system crash.
! A source code patch exists which remedies this problem.
!
! 029: SECURITY FIX: March 16, 2005 ! amd64 only
! More stringent checking should be done in the ! copy(9) ! functions to prevent their misuse.
! A source code patch exists which remedies this problem.
!
! 028: SECURITY FIX: February 28, 2005 ! i386 only
! More stringent checking should be done in the ! copy(9) ! functions to prevent their misuse.
! A source code patch exists which remedies this problem.
!
! 027: RELIABILITY FIX: January 11, 2005 All architectures
! A bug in the ! tcp(4) ! stack allows an invalid argument to be used in calculating the TCP ! retransmit timeout. By sending packets with specific values in the TCP ! timestamp option, an attacker can cause a system panic.
! A source code patch exists which remedies this problem.
!
! 026: SECURITY FIX: January 12, 2005 All architectures
! httpd(8) ! 's mod_include module fails to properly validate the length of ! user supplied tag strings prior to copying them to a local buffer, ! causing a buffer overflow.
! This would require enabling the XBitHack directive or server-side ! includes and making use of a malicious document.
! A source code patch exists which remedies this problem.
!
! 025: RELIABILITY FIX: January 6, 2005 All architectures
! The ! getcwd(3) ! library function contains a memory management error, which causes failure ! to retrieve the current working directory if the path is very long.
! A source code patch exists which remedies this problem.
!
! 024: SECURITY FIX: December 14, 2004 All architectures
! On systems running isakmpd(8) ! it is possible for a local user to cause kernel memory corruption ! and system panic by setting ! ipsec(4) ! credentials on a socket.
! A source code patch exists which remedies this problem.
!
! 023: RELIABILITY FIX: November 10, 2004 All architectures
! Due to a bug in ! lynx(1) ! it is possible for pages such as ! this ! to cause ! lynx(1) ! to exhaust memory and then crash when parsing such pages.
! A source code patch exists which remedies this problem.
!
! 022: RELIABILITY FIX: November 10, 2004 All architectures
! pppd(8) ! contains a bug that allows an attacker to crash his own connection, but it cannot ! be used to deny service to other users.
! A source code patch exists which remedies this problem.
!
! 021: RELIABILITY FIX: November 10, 2004 All architectures
! BIND contains a bug which results in BIND trying to contact nameservers via IPv6, even in ! cases where IPv6 connectivity is non-existent. This results in unnecessary timeouts and ! thus slow DNS queries.
! A source code patch exists which remedies this problem.
!
! 020: SECURITY FIX: September 20, 2004 All architectures
! Eilko Bos reported that radius authentication, as implemented by ! login_radius(8), ! was not checking the shared secret used for replies sent by the radius server. ! This could allow an attacker to spoof a reply granting access to the ! attacker. Note that OpenBSD does not ship with radius authentication enabled.
! A source code patch exists which remedies this problem.
!
! 019: SECURITY FIX: September 16, 2004 All architectures
! Chris Evans reported several flaws (stack and integer overflows) in the ! Xpm ! library code that parses image files ! (CAN-2004-0687, ! CAN-2004-0688). ! Some of these would be exploitable when parsing malicious image files in ! an application that handles XPM images, if they could escape ProPolice.
! A source code patch exists which remedies this problem.
018: SECURITY FIX: September 10, 2004 All architectures
--- 84,298 ----
- ! 001: BROKEN PACKAGE ON CD: May 4, 2004 macppc only
  ! The powerpc autobook-1.3.tgz package found on CD2 has been found to be corrupt, ! and will not extract. ! A replacement package can be found on the ftp sites. !
  ! !
- ! 002: SECURITY FIX: May 5, 2004 All architectures
  ! Pathname validation problems have been found in ! cvs(1), ! allowing malicious clients to create files outside the repository, allowing ! malicious servers to overwrite files outside the local CVS tree on ! the client and allowing clients to check out files outside the CVS ! repository.
  ! A source code patch exists which remedies this problem.
  !
- ! 003: RELIABILITY FIX: May 5, 2004 All architectures
  ! Under load "recent model" ! gdt(4) ! controllers will lock up.
  ! A source code patch exists which remedies this problem.
  !
- ! 004: RELIABILITY FIX: May 5, 2004 All architectures
  ! Restore the ability to negotiate tags/wide/sync with some SCSI controllers ( i.e. ! siop(4), ! trm(4), ! iha(4) ! ).
  ! A source code patch exists which remedies this problem.
  !
- ! 005: RELIABILITY FIX: May 6, 2004 All architectures
  ! Reply to in-window SYN with a rate-limited ACK.
  ! A source code patch exists which remedies this problem.
  !
- ! 006: SECURITY FIX: May 13, 2004 ! All architectures
  ! Check for integer overflow in procfs. Use of procfs is not recommended.
  ! A source code patch exists which remedies this problem.
  !
- ! 007: SECURITY FIX: May 20, 2004 ! All architectures
  ! A heap overflow in the ! cvs(1) ! server has been discovered that can be exploited by clients sending ! malformed requests, enabling these clients to run arbitrary code ! with the same privileges as the CVS server program.
  ! A source code patch exists which remedies this problem.
  !
- ! 008: SECURITY FIX: May 26, 2004 All architectures
  ! With the introduction of IPv6 code in ! xdm(1), ! one test on the 'requestPort' resource was deleted by accident. This ! makes xdm create the chooser socket even if xdmcp is disabled in ! xdm-config, by setting requestPort to 0. See ! XFree86 ! bugzilla for details.
  ! A source code patch exists which remedies this problem.
  !
- ! 009: SECURITY FIX: May 30, 2004 All architectures
  ! A flaw in the Kerberos V ! kdc(8) ! server could result in the administrator of a Kerberos realm having ! the ability to impersonate any principal in any other realm which ! has established a cross-realm trust with their realm. The flaw is due to ! inadequate checking of the "transited" field in a Kerberos request. For ! more details see ! Heimdal's announcement.
  ! ! A source code patch exists which remedies this problem. !
  ! !
- ! 010: RELIABILITY FIX: June 9, 2004 ! All architectures
  ! A FIFO bug was introduced in OpenBSD 3.5 that occurs when a FIFO is opened in ! non-blocking mode for writing when there are no processes reading the FIFO. ! One program affected by this is the qmail ! mail server which could go into an infinite loop and consume all CPU.
  ! A source code patch exists which remedies this problem.
  !
- ! 011: SECURITY FIX: June 9, 2004 All architectures
  ! Multiple remote vulnerabilities have been found in the ! cvs(1) ! server that allow an attacker to crash the server or possibly execute arbitrary ! code with the same privileges as the CVS server program.
  ! A source code patch exists which remedies this problem.
  !
- ! 012: SECURITY FIX: June 10, 2004 All architectures
  ! As ! disclosed ! by Thomas Walpuski isakmpd(8) ! is still vulnerable to unauthorized SA deletion. An attacker can delete IPsec ! tunnels at will.
  ! A source code patch exists which remedies this problem.
  ! !
- ! 013: SECURITY FIX: June 12, 2004 All architectures
  ! Multiple vulnerabilities have been found in ! httpd(8) ! / mod_ssl. ! CAN-2003-0020, ! CAN-2003-0987, ! CAN-2004-0488, ! CAN-2004-0492.
  ! A source code patch exists which remedies this problem.
  ! !
- ! 014: RELIABILITY FIX: July 25, 2004 All architectures
  ! Under a certain network load the kernel can run out of stack space. This was ! encountered in an environment using CARP on a VLAN interface. This issue initially ! manifested itself as a FPU related crash on boot up.
  ! A source code patch exists which remedies this problem.
  ! !
- ! 015: RELIABILITY FIX: August 25, 2004 All architectures
  ! Improved verification of ICMP errors in order to minimize the impact of ICMP attacks ! against TCP.
  ! http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html !
  ! A source code patch exists which remedies this problem.
  ! !
- ! 016: RELIABILITY FIX: August 26, 2004 All architectures
  ! As ! reported ! by Vafa Izadinia ! bridge(4) ! with IPsec processing enabled can be crashed remotely by a single ICMP echo traversing the bridge.
  ! A source code patch exists which remedies this problem.
  ! !
- ! 017: RELIABILITY FIX: August 29, 2004 All architectures
  ! Due to incorrect error handling in zlib an attacker could potentially cause a Denial ! of Service attack. ! CAN-2004-0797 ! .
  ! A source code patch exists which remedies this problem.
  +
- 018: SECURITY FIX: September 10, 2004 All architectures
  *************** *** 281,476 **** A source code patch exists which remedies this problem.
  !
- ! 017: RELIABILITY FIX: August 29, 2004 All architectures
  ! Due to incorrect error handling in zlib an attacker could potentially cause a Denial ! of Service attack. ! CAN-2004-0797 ! .
  ! A source code patch exists which remedies this problem.
  !
- ! 016: RELIABILITY FIX: August 26, 2004 All architectures
  ! As ! reported ! by Vafa Izadinia ! bridge(4) ! with IPsec processing enabled can be crashed remotely by a single ICMP echo traversing the bridge.
  ! A source code patch exists which remedies this problem.
  !
- ! 015: RELIABILITY FIX: August 25, 2004 All architectures
  ! Improved verification of ICMP errors in order to minimize the impact of ICMP attacks ! against TCP.
  ! http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html !
  ! A source code patch exists which remedies this problem.
  !
- ! 014: RELIABILITY FIX: July 25, 2004 All architectures
  ! Under a certain network load the kernel can run out of stack space. This was ! encountered in an environment using CARP on a VLAN interface. This issue initially ! manifested itself as a FPU related crash on boot up.
  ! A source code patch exists which remedies this problem.
  !
- ! 013: SECURITY FIX: June 12, 2004 All architectures
  ! Multiple vulnerabilities have been found in ! httpd(8) ! / mod_ssl. ! CAN-2003-0020, ! CAN-2003-0987, ! CAN-2004-0488, ! CAN-2004-0492.
  ! A source code patch exists which remedies this problem.
  !
- ! 012: SECURITY FIX: June 10, 2004 All architectures
  ! As ! disclosed ! by Thomas Walpuski ! isakmpd(8) ! is still vulnerable to unauthorized SA deletion. An attacker can delete IPsec ! tunnels at will. !
  ! ! A source code patch exists which remedies this problem. !
  !
- ! 011: SECURITY FIX: June 9, 2004 ! All architectures
  ! Multiple remote vulnerabilities have been found in the cvs(1) ! server that allow an attacker to crash the server or possibly execute arbitrary ! code with the same privileges as the CVS server program.
  ! A source code patch exists which remedies this problem.
  !
- ! 010: RELIABILITY FIX: June 9, 2004 All architectures
  ! A FIFO bug was introduced in OpenBSD 3.5 that occurs when a FIFO is opened in ! non-blocking mode for writing when there are no processes reading the FIFO. ! One program affected by this is the qmail ! mail server which could go into an infinite loop and consume all CPU.
  ! A source code patch exists which remedies this problem.
  !
- ! 009: SECURITY FIX: May 30, 2004 All architectures
  ! A flaw in the Kerberos V ! kdc(8) ! server could result in the administrator of a Kerberos realm having ! the ability to impersonate any principal in any other realm which ! has established a cross-realm trust with their realm. The flaw is due to ! inadequate checking of the "transited" field in a Kerberos request. For ! more details see ! Heimdal's announcement.
  ! A source code patch exists which remedies this problem.
  !
- ! 008: SECURITY FIX: May 26, 2004 All architectures
  ! With the introduction of IPv6 code in ! xdm(1), ! one test on the 'requestPort' resource was deleted by accident. This ! makes xdm create the chooser socket even if xdmcp is disabled in ! xdm-config, by setting requestPort to 0. See ! XFree86 ! bugzilla for details.
  ! A source code patch exists which remedies this problem.
  !
- ! 007: SECURITY FIX: May 20, 2004 ! All architectures
  ! A heap overflow in the ! cvs(1) ! server has been discovered that can be exploited by clients sending ! malformed requests, enabling these clients to run arbitrary code ! with the same privileges as the CVS server program.
  ! A source code patch exists which remedies this problem.
  !
- ! 006: SECURITY FIX: May 13, 2004 ! All architectures
  ! Check for integer overflow in procfs. Use of procfs is not recommended.
  ! A source code patch exists which remedies this problem.
  !
- ! 005: RELIABILITY FIX: May 6, 2004 All architectures
  ! Reply to in-window SYN with a rate-limited ACK.
  ! A source code patch exists which remedies this problem.
  !
- ! 004: RELIABILITY FIX: May 5, 2004 All architectures
  ! Restore the ability to negotiate tags/wide/sync with some SCSI controllers ( i.e. ! siop(4), ! trm(4), ! iha(4) ! ).
  ! A source code patch exists which remedies this problem.
  !
- ! 003: RELIABILITY FIX: May 5, 2004 All architectures
  ! Under load "recent model" ! gdt(4) ! controllers will lock up.
  ! A source code patch exists which remedies this problem.
  !
- ! 002: SECURITY FIX: May 5, 2004 All architectures
  ! Pathname validation problems have been found in ! cvs(1), ! allowing malicious clients to create files outside the repository, allowing ! malicious servers to overwrite files outside the local CVS tree on ! the client and allowing clients to check out files outside the CVS ! repository.
  ! A source code patch exists which remedies this problem. -
  -
- - 001: BROKEN PACKAGE ON CD: May 4, 2004 macppc only
  - The powerpc autobook-1.3.tgz package found on CD2 has been found to be corrupt, - and will not extract. - A replacement package can be found on the ftp sites.
--- 305,511 ---- A source code patch exists which remedies this problem.
! !
! 019: SECURITY FIX: September 16, 2004 All architectures
! Chris Evans reported several flaws (stack and integer overflows) in the ! Xpm ! library code that parses image files ! (CAN-2004-0687, ! CAN-2004-0688). ! Some of these would be exploitable when parsing malicious image files in ! an application that handles XPM images, if they could escape ProPolice.
! A source code patch exists which remedies this problem.
! !
! 020: SECURITY FIX: September 20, 2004 All architectures
! Eilko Bos reported that radius authentication, as implemented by ! login_radius(8), ! was not checking the shared secret used for replies sent by the radius server. ! This could allow an attacker to spoof a reply granting access to the ! attacker. Note that OpenBSD does not ship with radius authentication enabled.
! A source code patch exists which remedies this problem.
! !
! 021: RELIABILITY FIX: November 10, 2004 All architectures
! BIND contains a bug which results in BIND trying to contact nameservers via IPv6, even in ! cases where IPv6 connectivity is non-existent. This results in unnecessary timeouts and ! thus slow DNS queries.
! A source code patch exists which remedies this problem.
! !
! 022: RELIABILITY FIX: November 10, 2004 All architectures
! pppd(8) ! contains a bug that allows an attacker to crash his own connection, but it cannot ! be used to deny service to other users.
! A source code patch exists which remedies this problem.
! !
! 023: RELIABILITY FIX: November 10, 2004 All architectures
! Due to a bug in ! lynx(1) ! it is possible for pages such as ! this ! to cause ! lynx(1) ! to exhaust memory and then crash when parsing such pages.
! A source code patch exists which remedies this problem.
! ! ! ! !
! 033: SECURITY FIX: April 28, 2005 All architectures
! Fix a buffer overflow, memory leaks, and NULL pointer dereference in cvs(1) ! . None of these issues are known to be exploitable. ! CAN-2005-0753 ! .
! A source code patch exists which remedies this problem.
! ! !
! 032: RELIABILITY FIX: April 4, 2005 All architectures
! Handle an edge condition in ! tcp(4) ! timestamps.
! A source code patch exists which remedies this problem.
! ! !
! 031: SECURITY FIX: March 30, 2005 All architectures
! Due to buffer overflows in ! telnet(1) ! , a malicious server or man-in-the-middle attack could allow execution of ! arbitrary code with the privileges of the user invoking ! telnet(1) ! .
! A source code patch exists which remedies this problem.
! ! !
! 030: RELIABILITY FIX: March 30, 2005 All architectures
! Bugs in the ! tcp(4) ! stack can lead to memory exhaustion or processing of TCP segments with ! invalid SACK options and cause a system crash.
! A source code patch exists which remedies this problem.
! ! !
! 029: SECURITY FIX: March 16, 2005 ! amd64 only
! More stringent checking should be done in the ! copy(9) ! functions to prevent their misuse.
! A source code patch exists which remedies this problem.
! ! !
! 028: SECURITY FIX: February 28, 2005 ! i386 only
! More stringent checking should be done in the ! copy(9) ! functions to prevent their misuse.
! A source code patch exists which remedies this problem.
! ! !
! 027: RELIABILITY FIX: January 11, 2005 All architectures
! A bug in the ! tcp(4) ! stack allows an invalid argument to be used in calculating the TCP ! retransmit timeout. By sending packets with specific values in the TCP ! timestamp option, an attacker can cause a system panic.
! A source code patch exists which remedies this problem.
! ! !
! 026: SECURITY FIX: January 12, 2005 All architectures
! httpd(8) ! 's mod_include module fails to properly validate the length of ! user supplied tag strings prior to copying them to a local buffer, ! causing a buffer overflow.
! This would require enabling the XBitHack directive or server-side ! includes and making use of a malicious document. !
! A source code patch exists which remedies this problem.
! ! !
! 025: RELIABILITY FIX: January 6, 2005 All architectures
! The ! getcwd(3) ! library function contains a memory management error, which causes failure ! to retrieve the current working directory if the path is very long.
! A source code patch exists which remedies this problem.
! !
! 024: SECURITY FIX: December 14, 2004 All architectures
! On systems running ! isakmpd(8) ! it is possible for a local user to cause kernel memory corruption ! and system panic by setting ! ipsec(4) ! credentials on a socket.
! A source code patch exists which remedies this problem.