www/errata37.html - diff

Return to errata37.html CVS log

Up to [local] / www

Diff for /www/errata37.html between version 1.51 and 1.52

version 1.51, 2016/03/21 05:46:20

version 1.52, 2016/03/22 10:54:42

Line 111

011: SECURITY FIX: February 12, 2006

All architectures

Josh Bressers has reported a weakness in OpenSSH caused due to the insecure use of the

<a href="http://man.openbsd.org?query=system&sektion=3">system(3)</a>

<a href="http://man.openbsd.org/?query=system&sektion=3">system(3)</a>

function in

when performing copy operations using filenames that are supplied by the user from the command line.

This can be exploited to execute shell commands with privileges of the user running

<a href="http://man.openbsd.org?query=scp&sektion=1">scp(1)</a>.

<a href="http://man.openbsd.org/?query=scp&sektion=1">scp(1)</a>.

A source code patch exists which remedies this problem.</a>

Line 126

010: RELIABILITY FIX: January 13, 2006

i386 architecture

Constrain

<a href="http://man.openbsd.org?query=i386_set_ioperm&arch=i386&sektion=2">i386_set_ioperm(2)</a>

<a href="http://man.openbsd.org/?query=i386_set_ioperm&arch=i386&sektion=2">i386_set_ioperm(2)</a>

so even root is blocked from accessing the ioports

unless the machine is running at lower securelevels or with an open X11 aperture.

Line 140

Change the implementation of i386 W^X so that the "execute line" can move around.

Before it was limited to being either at 512MB (below which all code normally

lands) or at the top of the stack. Now the line can float as

<a href="http://man.openbsd.org?query=mprotect&sektion=2">mprotect(2)</a>

<a href="http://man.openbsd.org/?query=mprotect&sektion=2">mprotect(2)</a>

and

requests need it to. This is now implemented using only GDT selectors

instead of the LDT so that it is more robust as well.

Line 173

006: RELIABILITY FIX: November 5, 2005

All architectures

Due to wrong advertisement of RFC 3947 compliance interoperability problems with

<a href="http://man.openbsd.org?query=isakmpd&sektion=8">isakmpd(8)</a>

<a href="http://man.openbsd.org/?query=isakmpd&sektion=8">isakmpd(8)</a>

may occur.

Line 184

005: SECURITY FIX: July 21, 2005

All architectures

A buffer overflow has been found in

<a href="http://man.openbsd.org?query=compress&sektion=3">compress(3)</a>

<a href="http://man.openbsd.org/?query=compress&sektion=3">compress(3)</a>

which may be exploitable.

Please note that this fixes a different buffer overflow than the <a href="#libz">previous</a> zlib patch.

Line 196

004: SECURITY FIX: July 6, 2005

All architectures

A buffer overflow has been found in

<a href="http://man.openbsd.org?query=compress&sektion=3">compress(3)</a>

<a href="http://man.openbsd.org/?query=compress&sektion=3">compress(3)</a>

which may be exploitable.

Line 207

003: SECURITY FIX: June 20, 2005

All architectures

Due to a race condition in its command pathname handling, a user with

privileges may be able to run arbitrary commands if the user's entry

is followed by an entry that grants <tt>sudo ALL</tt> privileges to

another user.

Line 220

002: RELIABILITY FIX: June 15, 2005

All architectures

As discovered by Stefan Miltchev calling

<a href="http://man.openbsd.org?query=getsockopt&sektion=2">getsockopt(2)</a>

<a href="http://man.openbsd.org/?query=getsockopt&sektion=2">getsockopt(2)</a>

to get

<a href="http://man.openbsd.org?query=ipsec&sektion=4">ipsec(4)</a>

<a href="http://man.openbsd.org/?query=ipsec&sektion=4">ipsec(4)</a>

credentials for a socket can result in a kernel panic.

Line 234

All architectures

Fix a buffer overflow, memory leaks, and NULL pointer dereference in

. None of these issues are known to be exploitable.