===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/errata35.html,v
retrieving revision 1.78
retrieving revision 1.79
diff -c -r1.78 -r1.79
*** www/errata35.html 2019/05/27 22:55:19 1.78
--- www/errata35.html 2019/05/28 16:32:42 1.79
***************
*** 84,274 ****
! -
! 033: SECURITY FIX: April 28, 2005
All architectures
! Fix a buffer overflow, memory leaks, and NULL pointer dereference in
! cvs(1)
! . None of these issues are known to be exploitable.
! CAN-2005-0753
! .
!
A source code patch exists which remedies this problem.
!
-
! 032: RELIABILITY FIX: April 4, 2005
All architectures
! Handle an edge condition in
! tcp(4)
! timestamps.
!
A source code patch exists which remedies this problem.
!
-
! 031: SECURITY FIX: March 30, 2005
All architectures
! Due to buffer overflows in
! telnet(1)
! , a malicious server or man-in-the-middle attack could allow execution of
! arbitrary code with the privileges of the user invoking
! telnet(1)
! .
!
A source code patch exists which remedies this problem.
!
-
! 030: RELIABILITY FIX: March 30, 2005
All architectures
! Bugs in the
! tcp(4)
! stack can lead to memory exhaustion or processing of TCP segments with
! invalid SACK options and cause a system crash.
!
A source code patch exists which remedies this problem.
!
-
! 029: SECURITY FIX: March 16, 2005
! amd64 only
! More stringent checking should be done in the
! copy(9)
! functions to prevent their misuse.
!
A source code patch exists which remedies this problem.
!
-
! 028: SECURITY FIX: February 28, 2005
! i386 only
! More stringent checking should be done in the
! copy(9)
! functions to prevent their misuse.
!
A source code patch exists which remedies this problem.
!
-
! 027: RELIABILITY FIX: January 11, 2005
All architectures
! A bug in the
! tcp(4)
! stack allows an invalid argument to be used in calculating the TCP
! retransmit timeout. By sending packets with specific values in the TCP
! timestamp option, an attacker can cause a system panic.
!
A source code patch exists which remedies this problem.
!
-
! 026: SECURITY FIX: January 12, 2005
All architectures
! httpd(8)
! 's mod_include module fails to properly validate the length of
! user supplied tag strings prior to copying them to a local buffer,
! causing a buffer overflow.
! This would require enabling the XBitHack directive or server-side
! includes and making use of a malicious document.
!
A source code patch exists which remedies this problem.
!
-
! 025: RELIABILITY FIX: January 6, 2005
All architectures
! The
! getcwd(3)
! library function contains a memory management error, which causes failure
! to retrieve the current working directory if the path is very long.
!
A source code patch exists which remedies this problem.
!
-
! 024: SECURITY FIX: December 14, 2004
All architectures
! On systems running
isakmpd(8)
! it is possible for a local user to cause kernel memory corruption
! and system panic by setting
! ipsec(4)
! credentials on a socket.
!
A source code patch exists which remedies this problem.
!
-
! 023: RELIABILITY FIX: November 10, 2004
All architectures
! Due to a bug in
! lynx(1)
! it is possible for pages such as
! this
! to cause
! lynx(1)
! to exhaust memory and then crash when parsing such pages.
!
A source code patch exists which remedies this problem.
!
-
! 022: RELIABILITY FIX: November 10, 2004
All architectures
! pppd(8)
! contains a bug that allows an attacker to crash his own connection, but it cannot
! be used to deny service to other users.
!
A source code patch exists which remedies this problem.
!
-
! 021: RELIABILITY FIX: November 10, 2004
All architectures
! BIND contains a bug which results in BIND trying to contact nameservers via IPv6, even in
! cases where IPv6 connectivity is non-existent. This results in unnecessary timeouts and
! thus slow DNS queries.
!
A source code patch exists which remedies this problem.
!
-
! 020: SECURITY FIX: September 20, 2004
All architectures
! Eilko Bos reported that radius authentication, as implemented by
! login_radius(8),
! was not checking the shared secret used for replies sent by the radius server.
! This could allow an attacker to spoof a reply granting access to the
! attacker. Note that OpenBSD does not ship with radius authentication enabled.
!
A source code patch exists which remedies this problem.
!
-
! 019: SECURITY FIX: September 16, 2004
All architectures
! Chris Evans reported several flaws (stack and integer overflows) in the
! Xpm
! library code that parses image files
! (CAN-2004-0687,
! CAN-2004-0688).
! Some of these would be exploitable when parsing malicious image files in
! an application that handles XPM images, if they could escape ProPolice.
!
A source code patch exists which remedies this problem.
-
018: SECURITY FIX: September 10, 2004
All architectures
--- 84,298 ----
!
! -
! 001: BROKEN PACKAGE ON CD: May 4, 2004 macppc only
! The powerpc autobook-1.3.tgz package found on CD2 has been found to be corrupt,
! and will not extract.
! A replacement package can be found on the ftp sites.
!
!
!
-
! 002: SECURITY FIX: May 5, 2004
All architectures
! Pathname validation problems have been found in
! cvs(1),
! allowing malicious clients to create files outside the repository, allowing
! malicious servers to overwrite files outside the local CVS tree on
! the client and allowing clients to check out files outside the CVS
! repository.
!
A source code patch exists which remedies this problem.
!
-
! 003: RELIABILITY FIX: May 5, 2004
All architectures
! Under load "recent model"
! gdt(4)
! controllers will lock up.
!
A source code patch exists which remedies this problem.
!
-
! 004: RELIABILITY FIX: May 5, 2004
All architectures
! Restore the ability to negotiate tags/wide/sync with some SCSI controllers ( i.e.
! siop(4),
! trm(4),
! iha(4)
! ).
!
A source code patch exists which remedies this problem.
!
-
! 005: RELIABILITY FIX: May 6, 2004
All architectures
! Reply to in-window SYN with a rate-limited ACK.
!
A source code patch exists which remedies this problem.
!
-
! 006: SECURITY FIX: May 13, 2004
! All architectures
! Check for integer overflow in procfs. Use of procfs is not recommended.
!
A source code patch exists which remedies this problem.
!
-
! 007: SECURITY FIX: May 20, 2004
! All architectures
! A heap overflow in the
! cvs(1)
! server has been discovered that can be exploited by clients sending
! malformed requests, enabling these clients to run arbitrary code
! with the same privileges as the CVS server program.
!
A source code patch exists which remedies this problem.
!
-
! 008: SECURITY FIX: May 26, 2004
All architectures
! With the introduction of IPv6 code in
! xdm(1),
! one test on the 'requestPort' resource was deleted by accident. This
! makes xdm create the chooser socket even if xdmcp is disabled in
! xdm-config, by setting requestPort to 0. See
! XFree86
! bugzilla for details.
!
A source code patch exists which remedies this problem.
!
-
! 009: SECURITY FIX: May 30, 2004
All architectures
! A flaw in the Kerberos V
! kdc(8)
! server could result in the administrator of a Kerberos realm having
! the ability to impersonate any principal in any other realm which
! has established a cross-realm trust with their realm. The flaw is due to
! inadequate checking of the "transited" field in a Kerberos request. For
! more details see
! Heimdal's announcement.
!
! A source code patch exists which remedies this problem.
!
!
!
-
! 010: RELIABILITY FIX: June 9, 2004
! All architectures
! A FIFO bug was introduced in OpenBSD 3.5 that occurs when a FIFO is opened in
! non-blocking mode for writing when there are no processes reading the FIFO.
! One program affected by this is the qmail
! mail server which could go into an infinite loop and consume all CPU.
!
A source code patch exists which remedies this problem.
!
-
! 011: SECURITY FIX: June 9, 2004
All architectures
! Multiple remote vulnerabilities have been found in the
! cvs(1)
! server that allow an attacker to crash the server or possibly execute arbitrary
! code with the same privileges as the CVS server program.
!
A source code patch exists which remedies this problem.
!
-
! 012: SECURITY FIX: June 10, 2004
All architectures
! As
! disclosed
! by Thomas Walpuski
isakmpd(8)
! is still vulnerable to unauthorized SA deletion. An attacker can delete IPsec
! tunnels at will.
!
A source code patch exists which remedies this problem.
!
!
-
! 013: SECURITY FIX: June 12, 2004
All architectures
! Multiple vulnerabilities have been found in
! httpd(8)
! / mod_ssl.
! CAN-2003-0020,
! CAN-2003-0987,
! CAN-2004-0488,
! CAN-2004-0492.
!
A source code patch exists which remedies this problem.
!
!
-
! 014: RELIABILITY FIX: July 25, 2004
All architectures
! Under a certain network load the kernel can run out of stack space. This was
! encountered in an environment using CARP on a VLAN interface. This issue initially
! manifested itself as a FPU related crash on boot up.
!
A source code patch exists which remedies this problem.
!
!
-
! 015: RELIABILITY FIX: August 25, 2004
All architectures
! Improved verification of ICMP errors in order to minimize the impact of ICMP attacks
! against TCP.
! http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html
!
!
A source code patch exists which remedies this problem.
!
!
-
! 016: RELIABILITY FIX: August 26, 2004
All architectures
! As
! reported
! by Vafa Izadinia
! bridge(4)
! with IPsec processing enabled can be crashed remotely by a single ICMP echo traversing the bridge.
!
A source code patch exists which remedies this problem.
!
!
-
! 017: RELIABILITY FIX: August 29, 2004
All architectures
! Due to incorrect error handling in zlib an attacker could potentially cause a Denial
! of Service attack.
! CAN-2004-0797
! .
!
A source code patch exists which remedies this problem.
+
-
018: SECURITY FIX: September 10, 2004
All architectures
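Review bot: The new ordering is inconsistent with the old one in a way the reader will notice: entries 001 through 017 now run ascending ahead of 018, while the page previously listed newest entries first, so whichever convention is intended should hold for the whole file, not just this block. Two smaller formatting points in the same region: 001 (`001: BROKEN PACKAGE ON CD: May 4, 2004 macppc only`) puts the architecture tag on the heading line, whereas every other entry (002 onward, and 028/029 with `i386 only` / `amd64 only`) gives it its own line; and the separator spacing is uneven, with three blank lines before 002 and after 009 but a single blank line between most other entries. The bare URL under 015 (`http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html`) was already present before this change, but while the entry is being touched it would read better with link text naming the draft rather than the raw address.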
***************
*** 281,476 ****
A source code patch exists which remedies this problem.
!
-
! 017: RELIABILITY FIX: August 29, 2004
All architectures
! Due to incorrect error handling in zlib an attacker could potentially cause a Denial
! of Service attack.
! CAN-2004-0797
! .
!
A source code patch exists which remedies this problem.
!
-
! 016: RELIABILITY FIX: August 26, 2004
All architectures
! As
! reported
! by Vafa Izadinia
! bridge(4)
! with IPsec processing enabled can be crashed remotely by a single ICMP echo traversing the bridge.
!
A source code patch exists which remedies this problem.
!
-
! 015: RELIABILITY FIX: August 25, 2004
All architectures
! Improved verification of ICMP errors in order to minimize the impact of ICMP attacks
! against TCP.
! http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html
!
!
A source code patch exists which remedies this problem.
!
-
! 014: RELIABILITY FIX: July 25, 2004
All architectures
! Under a certain network load the kernel can run out of stack space. This was
! encountered in an environment using CARP on a VLAN interface. This issue initially
! manifested itself as a FPU related crash on boot up.
!
A source code patch exists which remedies this problem.
!
-
! 013: SECURITY FIX: June 12, 2004
All architectures
! Multiple vulnerabilities have been found in
! httpd(8)
! / mod_ssl.
! CAN-2003-0020,
! CAN-2003-0987,
! CAN-2004-0488,
! CAN-2004-0492.
!
A source code patch exists which remedies this problem.
!
-
! 012: SECURITY FIX: June 10, 2004
All architectures
! As
! disclosed
! by Thomas Walpuski
! isakmpd(8)
! is still vulnerable to unauthorized SA deletion. An attacker can delete IPsec
! tunnels at will.
!
!
! A source code patch exists which remedies this problem.
!
!
-
! 011: SECURITY FIX: June 9, 2004
! All architectures
! Multiple remote vulnerabilities have been found in the
cvs(1)
! server that allow an attacker to crash the server or possibly execute arbitrary
! code with the same privileges as the CVS server program.
!
A source code patch exists which remedies this problem.
!
-
! 010: RELIABILITY FIX: June 9, 2004
All architectures
! A FIFO bug was introduced in OpenBSD 3.5 that occurs when a FIFO is opened in
! non-blocking mode for writing when there are no processes reading the FIFO.
! One program affected by this is the qmail
! mail server which could go into an infinite loop and consume all CPU.
!
A source code patch exists which remedies this problem.
!
-
! 009: SECURITY FIX: May 30, 2004
All architectures
! A flaw in the Kerberos V
! kdc(8)
! server could result in the administrator of a Kerberos realm having
! the ability to impersonate any principal in any other realm which
! has established a cross-realm trust with their realm. The flaw is due to
! inadequate checking of the "transited" field in a Kerberos request. For
! more details see
! Heimdal's announcement.
!
A source code patch exists which remedies this problem.
!
-
! 008: SECURITY FIX: May 26, 2004
All architectures
! With the introduction of IPv6 code in
! xdm(1),
! one test on the 'requestPort' resource was deleted by accident. This
! makes xdm create the chooser socket even if xdmcp is disabled in
! xdm-config, by setting requestPort to 0. See
! XFree86
! bugzilla for details.
!
A source code patch exists which remedies this problem.
!
-
! 007: SECURITY FIX: May 20, 2004
! All architectures
! A heap overflow in the
! cvs(1)
! server has been discovered that can be exploited by clients sending
! malformed requests, enabling these clients to run arbitrary code
! with the same privileges as the CVS server program.
!
A source code patch exists which remedies this problem.
!
-
! 006: SECURITY FIX: May 13, 2004
! All architectures
! Check for integer overflow in procfs. Use of procfs is not recommended.
!
A source code patch exists which remedies this problem.
!
-
! 005: RELIABILITY FIX: May 6, 2004
All architectures
! Reply to in-window SYN with a rate-limited ACK.
!
A source code patch exists which remedies this problem.
!
-
! 004: RELIABILITY FIX: May 5, 2004
All architectures
! Restore the ability to negotiate tags/wide/sync with some SCSI controllers ( i.e.
! siop(4),
! trm(4),
! iha(4)
! ).
!
A source code patch exists which remedies this problem.
!
-
! 003: RELIABILITY FIX: May 5, 2004
All architectures
! Under load "recent model"
! gdt(4)
! controllers will lock up.
!
A source code patch exists which remedies this problem.
!
-
! 002: SECURITY FIX: May 5, 2004
All architectures
! Pathname validation problems have been found in
! cvs(1),
! allowing malicious clients to create files outside the repository, allowing
! malicious servers to overwrite files outside the local CVS tree on
! the client and allowing clients to check out files outside the CVS
! repository.
!
A source code patch exists which remedies this problem.
-
-
-
- 001: BROKEN PACKAGE ON CD: May 4, 2004 macppc only
- The powerpc autobook-1.3.tgz package found on CD2 has been found to be corrupt,
- and will not extract.
- A replacement package can be found on the ftp sites.
--- 305,511 ----
A source code patch exists which remedies this problem.
!
!
-
! 019: SECURITY FIX: September 16, 2004
All architectures
! Chris Evans reported several flaws (stack and integer overflows) in the
! Xpm
! library code that parses image files
! (CAN-2004-0687,
! CAN-2004-0688).
! Some of these would be exploitable when parsing malicious image files in
! an application that handles XPM images, if they could escape ProPolice.
!
A source code patch exists which remedies this problem.
!
!
-
! 020: SECURITY FIX: September 20, 2004
All architectures
! Eilko Bos reported that radius authentication, as implemented by
! login_radius(8),
! was not checking the shared secret used for replies sent by the radius server.
! This could allow an attacker to spoof a reply granting access to the
! attacker. Note that OpenBSD does not ship with radius authentication enabled.
!
A source code patch exists which remedies this problem.
!
!
-
! 021: RELIABILITY FIX: November 10, 2004
All architectures
! BIND contains a bug which results in BIND trying to contact nameservers via IPv6, even in
! cases where IPv6 connectivity is non-existent. This results in unnecessary timeouts and
! thus slow DNS queries.
!
A source code patch exists which remedies this problem.
!
!
-
! 022: RELIABILITY FIX: November 10, 2004
All architectures
! pppd(8)
! contains a bug that allows an attacker to crash his own connection, but it cannot
! be used to deny service to other users.
!
A source code patch exists which remedies this problem.
!
!
-
! 023: RELIABILITY FIX: November 10, 2004
All architectures
! Due to a bug in
! lynx(1)
! it is possible for pages such as
! this
! to cause
! lynx(1)
! to exhaust memory and then crash when parsing such pages.
!
A source code patch exists which remedies this problem.
!
!
!
!
!
-
! 033: SECURITY FIX: April 28, 2005
All architectures
! Fix a buffer overflow, memory leaks, and NULL pointer dereference in
cvs(1)
! . None of these issues are known to be exploitable.
! CAN-2005-0753
! .
!
A source code patch exists which remedies this problem.
!
!
!
-
! 032: RELIABILITY FIX: April 4, 2005
All architectures
! Handle an edge condition in
! tcp(4)
! timestamps.
!
A source code patch exists which remedies this problem.
!
!
!
-
! 031: SECURITY FIX: March 30, 2005
All architectures
! Due to buffer overflows in
! telnet(1)
! , a malicious server or man-in-the-middle attack could allow execution of
! arbitrary code with the privileges of the user invoking
! telnet(1)
! .
!
A source code patch exists which remedies this problem.
!
!
!
-
! 030: RELIABILITY FIX: March 30, 2005
All architectures
! Bugs in the
! tcp(4)
! stack can lead to memory exhaustion or processing of TCP segments with
! invalid SACK options and cause a system crash.
!
A source code patch exists which remedies this problem.
!
!
!
-
! 029: SECURITY FIX: March 16, 2005
! amd64 only
! More stringent checking should be done in the
! copy(9)
! functions to prevent their misuse.
!
A source code patch exists which remedies this problem.
!
!
!
-
! 028: SECURITY FIX: February 28, 2005
! i386 only
! More stringent checking should be done in the
! copy(9)
! functions to prevent their misuse.
!
A source code patch exists which remedies this problem.
!
!
!
-
! 027: RELIABILITY FIX: January 11, 2005
All architectures
! A bug in the
! tcp(4)
! stack allows an invalid argument to be used in calculating the TCP
! retransmit timeout. By sending packets with specific values in the TCP
! timestamp option, an attacker can cause a system panic.
!
A source code patch exists which remedies this problem.
!
!
!
-
! 026: SECURITY FIX: January 12, 2005
All architectures
! httpd(8)
! 's mod_include module fails to properly validate the length of
! user supplied tag strings prior to copying them to a local buffer,
! causing a buffer overflow.
! This would require enabling the XBitHack directive or server-side
! includes and making use of a malicious document.
!
!
A source code patch exists which remedies this problem.
!
!
!
-
! 025: RELIABILITY FIX: January 6, 2005
All architectures
! The
! getcwd(3)
! library function contains a memory management error, which causes failure
! to retrieve the current working directory if the path is very long.
!
A source code patch exists which remedies this problem.
!
!
-
! 024: SECURITY FIX: December 14, 2004
All architectures
! On systems running
! isakmpd(8)
! it is possible for a local user to cause kernel memory corruption
! and system panic by setting
! ipsec(4)
! credentials on a socket.
!
A source code patch exists which remedies this problem.
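Review bot: The reorder is incomplete at the end of this hunk: after 019 through 023 in ascending order, the block 033, 032, ..., 024 still appears in the old descending order, so the revised page mixes both conventions within one list. Either move 024 through 033 so they follow 023 in ascending order as the first hunk did for 001 through 017, or note in the commit that the remaining block is handled in a follow-up change. Two whitespace-only changes are also mixed in: 012 gains an extra blank line before `A source code patch exists which remedies this problem.` and 026 gains one after its description, and five blank lines separate 023 from 033, against the single blank line used elsewhere; these are easier to review when kept out of a reordering commit.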