===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/errata35.html,v
retrieving revision 1.78
retrieving revision 1.79
diff -u -r1.78 -r1.79
--- www/errata35.html 2019/05/27 22:55:19 1.78
+++ www/errata35.html 2019/05/28 16:32:42 1.79
@@ -84,191 +84,215 @@
--
-033: SECURITY FIX: April 28, 2005
+
+
-
+001: BROKEN PACKAGE ON CD: May 4, 2004 macppc only
+The powerpc autobook-1.3.tgz package found on CD2 has been found to be corrupt,
+and will not extract.
+A replacement package can be found on the ftp sites.
+
+
+
-
+002: SECURITY FIX: May 5, 2004
All architectures
-Fix a buffer overflow, memory leaks, and NULL pointer dereference in
-cvs(1)
-. None of these issues are known to be exploitable.
-CAN-2005-0753
-.
+Pathname validation problems have been found in
+cvs(1),
+allowing malicious clients to create files outside the repository, allowing
+malicious servers to overwrite files outside the local CVS tree on
+the client and allowing clients to check out files outside the CVS
+repository.
-
+
A source code patch exists which remedies this problem.
-
-
-032: RELIABILITY FIX: April 4, 2005
+
-
+003: RELIABILITY FIX: May 5, 2004
All architectures
-Handle an edge condition in
-tcp(4)
-timestamps.
+Under load "recent model"
+gdt(4)
+controllers will lock up.
-
+
A source code patch exists which remedies this problem.
-
-
-031: SECURITY FIX: March 30, 2005
+
-
+004: RELIABILITY FIX: May 5, 2004
All architectures
-Due to buffer overflows in
-telnet(1)
-, a malicious server or man-in-the-middle attack could allow execution of
-arbitrary code with the privileges of the user invoking
-telnet(1)
-.
+Restore the ability to negotiate tags/wide/sync with some SCSI controllers ( i.e.
+siop(4),
+trm(4),
+iha(4)
+).
-
+
A source code patch exists which remedies this problem.
-
-
-030: RELIABILITY FIX: March 30, 2005
+
-
+005: RELIABILITY FIX: May 6, 2004
All architectures
-Bugs in the
-tcp(4)
-stack can lead to memory exhaustion or processing of TCP segments with
-invalid SACK options and cause a system crash.
+Reply to in-window SYN with a rate-limited ACK.
-
+
A source code patch exists which remedies this problem.
-
-
-029: SECURITY FIX: March 16, 2005
- amd64 only
-More stringent checking should be done in the
-copy(9)
-functions to prevent their misuse.
+ -
+006: SECURITY FIX: May 13, 2004
+ All architectures
+Check for integer overflow in procfs. Use of procfs is not recommended.
-
+
A source code patch exists which remedies this problem.
-
-
-028: SECURITY FIX: February 28, 2005
- i386 only
-More stringent checking should be done in the
-copy(9)
-functions to prevent their misuse.
+ -
+007: SECURITY FIX: May 20, 2004
+ All architectures
+A heap overflow in the
+cvs(1)
+server has been discovered that can be exploited by clients sending
+malformed requests, enabling these clients to run arbitrary code
+with the same privileges as the CVS server program.
-
+
A source code patch exists which remedies this problem.
-
-
-027: RELIABILITY FIX: January 11, 2005
+
-
+008: SECURITY FIX: May 26, 2004
All architectures
-A bug in the
-tcp(4)
-stack allows an invalid argument to be used in calculating the TCP
-retransmit timeout. By sending packets with specific values in the TCP
-timestamp option, an attacker can cause a system panic.
+With the introduction of IPv6 code in
+xdm(1),
+one test on the 'requestPort' resource was deleted by accident. This
+makes xdm create the chooser socket even if xdmcp is disabled in
+xdm-config, by setting requestPort to 0. See
+XFree86
+bugzilla for details.
-
+
A source code patch exists which remedies this problem.
-
-
-026: SECURITY FIX: January 12, 2005
+
-
+009: SECURITY FIX: May 30, 2004
All architectures
-httpd(8)
-'s mod_include module fails to properly validate the length of
-user supplied tag strings prior to copying them to a local buffer,
-causing a buffer overflow.
+A flaw in the Kerberos V
+kdc(8)
+server could result in the administrator of a Kerberos realm having
+the ability to impersonate any principal in any other realm which
+has established a cross-realm trust with their realm. The flaw is due to
+inadequate checking of the "transited" field in a Kerberos request. For
+more details see
+Heimdal's announcement.
-This would require enabling the XBitHack directive or server-side
-includes and making use of a malicious document.
+
+A source code patch exists which remedies this problem.
+
+
+
-
+010: RELIABILITY FIX: June 9, 2004
+ All architectures
+A FIFO bug was introduced in OpenBSD 3.5 that occurs when a FIFO is opened in
+non-blocking mode for writing when there are no processes reading the FIFO.
+One program affected by this is the qmail
+mail server which could go into an infinite loop and consume all CPU.
-
+
A source code patch exists which remedies this problem.
-
-
-025: RELIABILITY FIX: January 6, 2005
+
-
+011: SECURITY FIX: June 9, 2004
All architectures
-The
-getcwd(3)
-library function contains a memory management error, which causes failure
-to retrieve the current working directory if the path is very long.
+Multiple remote vulnerabilities have been found in the
+cvs(1)
+server that allow an attacker to crash the server or possibly execute arbitrary
+code with the same privileges as the CVS server program.
-
+
A source code patch exists which remedies this problem.
-
-
-024: SECURITY FIX: December 14, 2004
+
-
+012: SECURITY FIX: June 10, 2004
All architectures
-On systems running
+As
+disclosed
+by Thomas Walpuski
isakmpd(8)
-it is possible for a local user to cause kernel memory corruption
-and system panic by setting
-ipsec(4)
-credentials on a socket.
+is still vulnerable to unauthorized SA deletion. An attacker can delete IPsec
+tunnels at will.
-
+
A source code patch exists which remedies this problem.
-
-
-023: RELIABILITY FIX: November 10, 2004
+
+
-
+013: SECURITY FIX: June 12, 2004
All architectures
-Due to a bug in
-lynx(1)
-it is possible for pages such as
-this
-to cause
-lynx(1)
-to exhaust memory and then crash when parsing such pages.
+Multiple vulnerabilities have been found in
+httpd(8)
+/ mod_ssl.
+CAN-2003-0020,
+CAN-2003-0987,
+CAN-2004-0488,
+CAN-2004-0492.
-
+
A source code patch exists which remedies this problem.
-
-
-022: RELIABILITY FIX: November 10, 2004
+
+
-
+014: RELIABILITY FIX: July 25, 2004
All architectures
-pppd(8)
-contains a bug that allows an attacker to crash his own connection, but it cannot
-be used to deny service to other users.
+Under a certain network load the kernel can run out of stack space. This was
+encountered in an environment using CARP on a VLAN interface. This issue initially
+manifested itself as a FPU related crash on boot up.
-
+
A source code patch exists which remedies this problem.
-
-
-021: RELIABILITY FIX: November 10, 2004
+
+
-
+015: RELIABILITY FIX: August 25, 2004
All architectures
-BIND contains a bug which results in BIND trying to contact nameservers via IPv6, even in
-cases where IPv6 connectivity is non-existent. This results in unnecessary timeouts and
-thus slow DNS queries.
+Improved verification of ICMP errors in order to minimize the impact of ICMP attacks
+against TCP.
-
+http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html
+
+
A source code patch exists which remedies this problem.
-
-
-020: SECURITY FIX: September 20, 2004
+
+
-
+016: RELIABILITY FIX: August 26, 2004
All architectures
-Eilko Bos reported that radius authentication, as implemented by
-login_radius(8),
-was not checking the shared secret used for replies sent by the radius server.
-This could allow an attacker to spoof a reply granting access to the
-attacker. Note that OpenBSD does not ship with radius authentication enabled.
+As
+reported
+by Vafa Izadinia
+bridge(4)
+with IPsec processing enabled can be crashed remotely by a single ICMP echo traversing the bridge.
-
+
A source code patch exists which remedies this problem.
-
-
-019: SECURITY FIX: September 16, 2004
+
+
-
+017: RELIABILITY FIX: August 29, 2004
All architectures
-Chris Evans reported several flaws (stack and integer overflows) in the
-Xpm
-library code that parses image files
-(CAN-2004-0687,
-CAN-2004-0688).
-Some of these would be exploitable when parsing malicious image files in
-an application that handles XPM images, if they could escape ProPolice.
+Due to incorrect error handling in zlib an attacker could potentially cause a Denial
+of Service attack.
+CAN-2004-0797
+.
-
+
A source code patch exists which remedies this problem.
+
-
018: SECURITY FIX: September 10, 2004
All architectures
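Review bot: the moved entries carry inconsistent leading whitespace into the new position: the separator lines before 006 and 007 are `+ -` with a leading space while every other separator in this hunk is `+-`/`-`, and `All architectures` is indented for 006, 007 and 010 (` All architectures`) but flush-left for 002 through 005, 008, 009 and 011 through 017. Since these entries are being relocated anyway, normalize them to the flush-left form used by the rest of the page. Also, 001 is the only entry whose architecture tag sits on the title line (`001: BROKEN PACKAGE ON CD: May 4, 2004 macppc only`) instead of on its own line like `All architectures` below every other heading; putting `macppc only` on its own line would make the entry match the others. The content of the entries is otherwise moved verbatim, and 018 correctly remains as unchanged context between the two relocated blocks.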
@@ -281,196 +305,207 @@
A source code patch exists which remedies this problem.
-
-
-017: RELIABILITY FIX: August 29, 2004
+
+
-
+019: SECURITY FIX: September 16, 2004
All architectures
-Due to incorrect error handling in zlib an attacker could potentially cause a Denial
-of Service attack.
-CAN-2004-0797
-.
+Chris Evans reported several flaws (stack and integer overflows) in the
+Xpm
+library code that parses image files
+(CAN-2004-0687,
+CAN-2004-0688).
+Some of these would be exploitable when parsing malicious image files in
+an application that handles XPM images, if they could escape ProPolice.
-
+
A source code patch exists which remedies this problem.
-
-
-016: RELIABILITY FIX: August 26, 2004
+
+
-
+020: SECURITY FIX: September 20, 2004
All architectures
-As
-reported
-by Vafa Izadinia
-bridge(4)
-with IPsec processing enabled can be crashed remotely by a single ICMP echo traversing the bridge.
+Eilko Bos reported that radius authentication, as implemented by
+login_radius(8),
+was not checking the shared secret used for replies sent by the radius server.
+This could allow an attacker to spoof a reply granting access to the
+attacker. Note that OpenBSD does not ship with radius authentication enabled.
-
+
A source code patch exists which remedies this problem.
-
-
-015: RELIABILITY FIX: August 25, 2004
+
+
-
+021: RELIABILITY FIX: November 10, 2004
All architectures
-Improved verification of ICMP errors in order to minimize the impact of ICMP attacks
-against TCP.
+BIND contains a bug which results in BIND trying to contact nameservers via IPv6, even in
+cases where IPv6 connectivity is non-existent. This results in unnecessary timeouts and
+thus slow DNS queries.
-http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html
-
-
+
A source code patch exists which remedies this problem.
-
-
-014: RELIABILITY FIX: July 25, 2004
+
+
-
+022: RELIABILITY FIX: November 10, 2004
All architectures
-Under a certain network load the kernel can run out of stack space. This was
-encountered in an environment using CARP on a VLAN interface. This issue initially
-manifested itself as a FPU related crash on boot up.
+pppd(8)
+contains a bug that allows an attacker to crash his own connection, but it cannot
+be used to deny service to other users.
-
+
A source code patch exists which remedies this problem.
-
-
-013: SECURITY FIX: June 12, 2004
+
+
-
+023: RELIABILITY FIX: November 10, 2004
All architectures
-Multiple vulnerabilities have been found in
-httpd(8)
-/ mod_ssl.
-CAN-2003-0020,
-CAN-2003-0987,
-CAN-2004-0488,
-CAN-2004-0492.
+Due to a bug in
+lynx(1)
+it is possible for pages such as
+this
+to cause
+lynx(1)
+to exhaust memory and then crash when parsing such pages.
-
+
A source code patch exists which remedies this problem.
-
-
-012: SECURITY FIX: June 10, 2004
+
+
+
+
+
-
+033: SECURITY FIX: April 28, 2005
All architectures
-As
-disclosed
-by Thomas Walpuski
-isakmpd(8)
-is still vulnerable to unauthorized SA deletion. An attacker can delete IPsec
-tunnels at will.
-
-
-A source code patch exists which remedies this problem.
-
-
-
-011: SECURITY FIX: June 9, 2004
- All architectures
-Multiple remote vulnerabilities have been found in the
+Fix a buffer overflow, memory leaks, and NULL pointer dereference in
cvs(1)
-server that allow an attacker to crash the server or possibly execute arbitrary
-code with the same privileges as the CVS server program.
+. None of these issues are known to be exploitable.
+CAN-2005-0753
+.
-
+
A source code patch exists which remedies this problem.
-
-
-010: RELIABILITY FIX: June 9, 2004
+
+
+
-
+032: RELIABILITY FIX: April 4, 2005
All architectures
-A FIFO bug was introduced in OpenBSD 3.5 that occurs when a FIFO is opened in
-non-blocking mode for writing when there are no processes reading the FIFO.
-One program affected by this is the qmail
-mail server which could go into an infinite loop and consume all CPU.
+Handle an edge condition in
+tcp(4)
+timestamps.
-
+
A source code patch exists which remedies this problem.
-
-
-009: SECURITY FIX: May 30, 2004
+
+
+
-
+031: SECURITY FIX: March 30, 2005
All architectures
-A flaw in the Kerberos V
-kdc(8)
-server could result in the administrator of a Kerberos realm having
-the ability to impersonate any principal in any other realm which
-has established a cross-realm trust with their realm. The flaw is due to
-inadequate checking of the "transited" field in a Kerberos request. For
-more details see
-Heimdal's announcement.
+Due to buffer overflows in
+telnet(1)
+, a malicious server or man-in-the-middle attack could allow execution of
+arbitrary code with the privileges of the user invoking
+telnet(1)
+.
-
+
A source code patch exists which remedies this problem.
-
-
-008: SECURITY FIX: May 26, 2004
+
+
+
-
+030: RELIABILITY FIX: March 30, 2005
All architectures
-With the introduction of IPv6 code in
-xdm(1),
-one test on the 'requestPort' resource was deleted by accident. This
-makes xdm create the chooser socket even if xdmcp is disabled in
-xdm-config, by setting requestPort to 0. See
-XFree86
-bugzilla for details.
+Bugs in the
+tcp(4)
+stack can lead to memory exhaustion or processing of TCP segments with
+invalid SACK options and cause a system crash.
-
+
A source code patch exists which remedies this problem.
-
-
-007: SECURITY FIX: May 20, 2004
- All architectures
-A heap overflow in the
-cvs(1)
-server has been discovered that can be exploited by clients sending
-malformed requests, enabling these clients to run arbitrary code
-with the same privileges as the CVS server program.
+
+
+ -
+029: SECURITY FIX: March 16, 2005
+ amd64 only
+More stringent checking should be done in the
+copy(9)
+functions to prevent their misuse.
-
+
A source code patch exists which remedies this problem.
-
-
-006: SECURITY FIX: May 13, 2004
- All architectures
-Check for integer overflow in procfs. Use of procfs is not recommended.
+
+
+ -
+028: SECURITY FIX: February 28, 2005
+ i386 only
+More stringent checking should be done in the
+copy(9)
+functions to prevent their misuse.
-
+
A source code patch exists which remedies this problem.
-
-
-005: RELIABILITY FIX: May 6, 2004
+
+
+
-
+027: RELIABILITY FIX: January 11, 2005
All architectures
-Reply to in-window SYN with a rate-limited ACK.
+A bug in the
+tcp(4)
+stack allows an invalid argument to be used in calculating the TCP
+retransmit timeout. By sending packets with specific values in the TCP
+timestamp option, an attacker can cause a system panic.
-
+
A source code patch exists which remedies this problem.
-
-
-004: RELIABILITY FIX: May 5, 2004
+
+
+
-
+026: SECURITY FIX: January 12, 2005
All architectures
-Restore the ability to negotiate tags/wide/sync with some SCSI controllers ( i.e.
-siop(4),
-trm(4),
-iha(4)
-).
+httpd(8)
+'s mod_include module fails to properly validate the length of
+user supplied tag strings prior to copying them to a local buffer,
+causing a buffer overflow.
-
+This would require enabling the XBitHack directive or server-side
+includes and making use of a malicious document.
+
+
A source code patch exists which remedies this problem.
-
-
-003: RELIABILITY FIX: May 5, 2004
+
+
+
-
+025: RELIABILITY FIX: January 6, 2005
All architectures
-Under load "recent model"
-gdt(4)
-controllers will lock up.
+The
+getcwd(3)
+library function contains a memory management error, which causes failure
+to retrieve the current working directory if the path is very long.
-
+
A source code patch exists which remedies this problem.
-
-
-002: SECURITY FIX: May 5, 2004
+
+
-
+024: SECURITY FIX: December 14, 2004
All architectures
-Pathname validation problems have been found in
-cvs(1),
-allowing malicious clients to create files outside the repository, allowing
-malicious servers to overwrite files outside the local CVS tree on
-the client and allowing clients to check out files outside the CVS
-repository.
+On systems running
+isakmpd(8)
+it is possible for a local user to cause kernel memory corruption
+and system panic by setting
+ipsec(4)
+credentials on a socket.
-
+
A source code patch exists which remedies this problem.
-
-
-
-001: BROKEN PACKAGE ON CD: May 4, 2004 macppc only
-The powerpc autobook-1.3.tgz package found on CD2 has been found to be corrupt,
-and will not extract.
-A replacement package can be found on the ftp sites.
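Review bot: the reorder is incomplete: after 023 the added block continues with 033 (`+033: SECURITY FIX: April 28, 2005`) and then runs downward through 032, 031, ... to 024 (`+024: SECURITY FIX: December 14, 2004`), so the resulting page is ascending from 001 through 023 and descending from 033 to 024. If the intent of this commit is oldest-first ordering, as the first hunk and the first half of this hunk imply, 024 through 033 should be reversed so that 024 follows 023 and 033 is the last entry. Two smaller points in the same region: the boundary between 023 and 033 is followed by five empty `+` lines where the other entry boundaries use two or three, and the 028/029 entries keep the indented `+ -`, ` amd64 only` and ` i386 only` lines while the neighbouring entries are flush-left; both are worth normalizing while the block is being moved.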