www/errata35.html - diff

Return to errata35.html CVS log

Up to [local] / www

Diff for /www/errata35.html between version 1.60 and 1.61

version 1.60, 2016/02/20 14:18:42

version 1.61, 2016/03/21 05:46:20

Line 87

033: SECURITY FIX: April 28, 2005

All architectures

Fix a buffer overflow, memory leaks, and NULL pointer dereference in

. None of these issues are known to be exploitable.

Line 100

032: RELIABILITY FIX: April 4, 2005

All architectures

Handle an edge condition in

timestamps.

Line 111

031: SECURITY FIX: March 30, 2005

All architectures

Due to buffer overflows in

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=telnet&apropos=0&sektion=1&manpath=OpenBSD+Current&arch=i386&format=html">telnet(1)</a>

<a href="http://man.openbsd.org?query=telnet&apropos=0&sektion=1&manpath=OpenBSD+Current&arch=i386&format=html">telnet(1)</a>

, a malicious server or man-in-the-middle attack could allow execution of

arbitrary code with the privileges of the user invoking

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=telnet&apropos=0&sektion=1&manpath=OpenBSD+Current&arch=i386&format=html">telnet(1)</a>

<a href="http://man.openbsd.org?query=telnet&apropos=0&sektion=1&manpath=OpenBSD+Current&arch=i386&format=html">telnet(1)</a>

Line 125

030: RELIABILITY FIX: March 30, 2005

All architectures

Bugs in the

stack can lead to memory exhaustion or processing of TCP segments with

invalid SACK options and cause a system crash.

Line 137

029: SECURITY FIX: March 16, 2005

amd64 only

More stringent checking should be done in the

functions to prevent their misuse.

Line 148

028: SECURITY FIX: February 28, 2005

i386 only

More stringent checking should be done in the

functions to prevent their misuse.

Line 159

027: RELIABILITY FIX: January 11, 2005

All architectures

A bug in the

stack allows an invalid argument to be used in calculating the TCP

retransmit timeout. By sending packets with specific values in the TCP

timestamp option, an attacker can cause a system panic.

Line 171

026: SECURITY FIX: January 12, 2005

All architectures

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=httpd&apropos=0&sektion=8&manpath=OpenBSD+Current&arch=i386&format=html">httpd(8)</a>

<a href="http://man.openbsd.org?query=httpd&apropos=0&sektion=8&manpath=OpenBSD+Current&arch=i386&format=html">httpd(8)</a>

's mod_include module fails to properly validate the length of

user supplied tag strings prior to copying them to a local buffer,

causing a buffer overflow.

Line 187

025: RELIABILITY FIX: January 6, 2005

All architectures

The

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=getcwd&apropos=0&sektion=3&manpath=OpenBSD+Current&arch=i386&format=html">getcwd(3)</a>

<a href="http://man.openbsd.org?query=getcwd&apropos=0&sektion=3&manpath=OpenBSD+Current&arch=i386&format=html">getcwd(3)</a>

library function contains a memory management error, which causes failure

to retrieve the current working directory if the path is very long.

Line 199

024: SECURITY FIX: December 14, 2004

All architectures

On systems running

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd&apropos=0&sektion=8&manpath=OpenBSD+Current&arch=i386&format=html">isakmpd(8)</a>

<a href="http://man.openbsd.org?query=isakmpd&apropos=0&sektion=8&manpath=OpenBSD+Current&arch=i386&format=html">isakmpd(8)</a>

it is possible for a local user to cause kernel memory corruption

and system panic by setting

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ipsec&apropos=0&sektion=4&manpath=OpenBSD+Current&format=html">ipsec(4)</a>

<a href="http://man.openbsd.org?query=ipsec&apropos=0&sektion=4&manpath=OpenBSD+Current&format=html">ipsec(4)</a>

credentials on a socket.

Line 212

023: RELIABILITY FIX: November 10, 2004

All architectures

Due to a bug in

it is possible for pages such as

to cause

to exhaust memory and then crash when parsing such pages.

Line 225

022: RELIABILITY FIX: November 10, 2004

All architectures

contains a bug that allows an attacker to crash his own connection, but it cannot

be used to deny service to other users.

Line 246

020: SECURITY FIX: September 20, 2004

All architectures

Eilko Bos reported that radius authentication, as implemented by

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=login_radius&apropos=0&sektion=8&manpath=OpenBSD+Current&arch=i386&format=html">login_radius(8)</a>,

<a href="http://man.openbsd.org?query=login_radius&apropos=0&sektion=8&manpath=OpenBSD+Current&arch=i386&format=html">login_radius(8)</a>,

was not checking the shared secret used for replies sent by the radius server.

This could allow an attacker to spoof a reply granting access to the

attacker. Note that OpenBSD does not ship with radius authentication enabled.

Line 271

018: SECURITY FIX: September 10, 2004

All architectures

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=httpd&apropos=0&sektion=8&manpath=OpenBSD+Current&arch=i386&format=html">httpd(8)</a>

<a href="http://man.openbsd.org?query=httpd&apropos=0&sektion=8&manpath=OpenBSD+Current&arch=i386&format=html">httpd(8)</a>

's mod_rewrite module can be made to write one zero byte in an arbitrary memory

position outside of a char array, causing a DoS or possibly buffer overflows.

This would require enabling dbm for mod_rewrite and making use of a malicious

Line 297

<a href="http://marc.info/?l=bugtraq&m=109345131508824&w=2">reported</a>

by Vafa Izadinia

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=bridge&apropos=0&sektion=4&manpath=OpenBSD+Current&arch=i386&format=html">bridge(4)</a>

<a href="http://man.openbsd.org?query=bridge&apropos=0&sektion=4&manpath=OpenBSD+Current&arch=i386&format=html">bridge(4)</a>

with IPsec processing enabled can be crashed remotely by a single ICMP echo traversing the bridge.

Line 328

013: SECURITY FIX: June 12, 2004

All architectures

Multiple vulnerabilities have been found in

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=httpd&apropos=0&sektion=8&manpath=OpenBSD+Current&arch=i386&format=html">httpd(8)</a>

<a href="http://man.openbsd.org?query=httpd&apropos=0&sektion=8&manpath=OpenBSD+Current&arch=i386&format=html">httpd(8)</a>

/ mod_ssl.

<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020">CAN-2003-0020</a>,

<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0987">CAN-2003-0987</a>,

Line 344

<a href="http://seclists.org/lists/fulldisclosure/2004/Jun/0191.html">disclosed</a>

by Thomas Walpuski

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd&apropos=0&sektion=8&manpath=OpenBSD+Current&arch=i386&format=html">isakmpd(8)</a>

<a href="http://man.openbsd.org?query=isakmpd&apropos=0&sektion=8&manpath=OpenBSD+Current&arch=i386&format=html">isakmpd(8)</a>

is still vulnerable to unauthorized SA deletion. An attacker can delete IPsec

tunnels at will.

Line 355

011: SECURITY FIX: June 9, 2004

All architectures

Multiple remote vulnerabilities have been found in the

server that allow an attacker to crash the server or possibly execute arbitrary

code with the same privileges as the CVS server program.

Line 377

009: SECURITY FIX: May 30, 2004

All architectures

A flaw in the Kerberos V

server could result in the administrator of a Kerberos realm having

the ability to impersonate any principal in any other realm which

has established a cross-realm trust with their realm. The flaw is due to

Line 392

008: SECURITY FIX: May 26, 2004

All architectures

With the introduction of IPv6 code in

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=xdm&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html">xdm(1)</a>,

<a href="http://man.openbsd.org?query=xdm&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html">xdm(1)</a>,

one test on the 'requestPort' resource was deleted by accident. This

makes xdm create the chooser socket even if xdmcp is disabled in

xdm-config, by setting requestPort to 0. See

Line 406

007: SECURITY FIX: May 20, 2004

All architectures

A heap overflow in the

server has been discovered that can be exploited by clients sending

malformed requests, enabling these clients to run arbitrary code

with the same privileges as the CVS server program.

Line 434

004: RELIABILITY FIX: May 5, 2004

All architectures

Restore the ability to negotiate tags/wide/sync with some SCSI controllers ( i.e.

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=siop&apropos=0&sektion=4&manpath=OpenBSD+Current&arch=i386&format=html">siop(4)</a>,

<a href="http://man.openbsd.org?query=siop&apropos=0&sektion=4&manpath=OpenBSD+Current&arch=i386&format=html">siop(4)</a>,

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=trm&apropos=0&sektion=4&manpath=OpenBSD+Current&arch=i386&format=html">trm(4)</a>,

<a href="http://man.openbsd.org?query=trm&apropos=0&sektion=4&manpath=OpenBSD+Current&arch=i386&format=html">trm(4)</a>,

Line 446

003: RELIABILITY FIX: May 5, 2004

All architectures

Under load "recent model"

controllers will lock up.

Line 456

002: SECURITY FIX: May 5, 2004

All architectures

Pathname validation problems have been found in

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=cvs&apropos=0&sektion=1&manpath=OpenBSD+Current&arch=i386&format=html">cvs(1)</a>,

<a href="http://man.openbsd.org?query=cvs&apropos=0&sektion=1&manpath=OpenBSD+Current&arch=i386&format=html">cvs(1)</a>,

allowing malicious clients to create files outside the repository, allowing

malicious servers to overwrite files outside the local CVS tree on

the client and allowing clients to check out files outside the CVS