=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/errata38.html,v retrieving revision 1.71 retrieving revision 1.72 diff -c -r1.71 -r1.72 *** www/errata38.html 2019/05/27 22:55:19 1.71 --- www/errata38.html 2019/05/28 16:32:42 1.72 *************** *** 85,214 ****

! 020: SECURITY FIX: October 12, 2006 All architectures
! Fix 2 security bugs found in OpenSSH. A pre-authentication denial of service (found ! by Tavis Ormandy) that would cause ! sshd(8) ! to spin until the login grace time expired. ! An unsafe signal handler (found by Mark Dowd) that is vulnerable to a race condition ! that could be exploited to perform a pre-authentication denial of service. ! CVE-2006-4924, ! CVE-2006-5051
! A source code patch exists which remedies this problem.
!
! 019: SECURITY FIX: October 7, 2006 All architectures
! Fix for an integer overflow in ! systrace(4)'s ! STRIOCREPLACE support, found by ! Chris Evans. This could be exploited for DoS, limited kmem reads or local ! privilege escalation.
! A source code patch exists which remedies this problem.
!
! 018: SECURITY FIX: October 7, 2006 ! All architectures
! Several problems have been found in OpenSSL. While parsing certain invalid ASN.1 ! structures an error condition is mishandled, possibly resulting in an infinite ! loop. A buffer overflow exists in the SSL_get_shared_ciphers function. A NULL ! pointer may be dereferenced in the SSL version 2 client code. In addition, many ! applications using OpenSSL do not perform any validation of the lengths of ! public keys being used. ! CVE-2006-2937, ! CVE-2006-3738, ! CVE-2006-4343, ! CVE-2006-2940
! A source code patch exists which remedies this problem.
!
! 017: SECURITY FIX: October 7, 2006 All architectures
! httpd(8) ! does not sanitize the Expect header from an HTTP request when it is ! reflected back in an error message, which might allow cross-site scripting (XSS) ! style attacks. ! CVE-2006-3918
! A source code patch exists which remedies this problem.
!
! 016: SECURITY FIX: September 8, 2006 All architectures
! Due to incorrect PKCS#1 v1.5 padding validation in OpenSSL, it is possible for ! an attacker to construct an invalid signature which OpenSSL would accept as a ! valid PKCS#1 v1.5 signature. ! CVE-2006-4339
! A source code patch exists which remedies this problem.
!
! 015: SECURITY FIX: September 8, 2006 All architectures
! Two Denial of Service issues have been found with BIND. ! An attacker who can perform recursive lookups on a DNS server and is able ! to send a sufficiently large number of recursive queries, or is able to ! get the DNS server to return more than one SIG(covered) RRsets can stop ! the functionality of the DNS service. ! An attacker querying an authoritative DNS server serving a RFC 2535 ! DNSSEC zone may be able to crash the DNS server. ! CVE-2006-4095 ! CVE-2006-4096
! A source code patch exists which remedies this problem.
!
! 014: SECURITY FIX: September 2, 2006 All architectures
! Due to the failure to correctly validate LCP configuration option lengths, ! it is possible for an attacker to send LCP packets via an ! sppp(4) ! connection causing the kernel to panic. ! CVE-2006-4304
! A source code patch exists which remedies this problem.
!
! 013: SECURITY FIX: August 25, 2006 All architectures
! A problem in ! isakmpd(8) ! caused IPsec to run partly without replay protection. If ! isakmpd(8) ! was acting as responder during SA negotiation, SA's with a replay window of size 0 were created. ! An attacker could reinject sniffed IPsec packets, which will be accepted without checking the ! replay counter.
! A source code patch exists which remedies this problem.
!
! 012: SECURITY FIX: August 25, 2006 All architectures
! It is possible to cause the kernel to panic when more than the default number of ! sempahores have been allocated.
! A source code patch exists which remedies this problem.
--- 85,211 ----
- ! 001: SECURITY FIX: January 5, 2006 All architectures
  ! A buffer overflow has been found in the Perl interpreter with the sprintf function which ! may be exploitable under certain conditions.
  ! A source code patch exists which remedies this problem.
  !
- ! 002: SECURITY FIX: January 5, 2006 All architectures
  ! Do not allow users to trick suid programs into re-opening files via /dev/fd.
  ! A source code patch exists which remedies this problem.
  !
- ! 003: RELIABILITY FIX: January 13, 2006 ! i386 architecture
  ! Change the implementation of i386 W^X so that the "execute line" can move around. ! Before it was limited to being either at 512MB (below which all code normally ! lands) or at the top of the stack. Now the line can float as ! mprotect(2) ! and ! mmap(2) ! requests need it to. This is now implemented using only GDT selectors ! instead of the LDT so that it is more robust as well.
  ! A source code patch exists which remedies this problem.
  !
- ! 004: RELIABILITY FIX: January 13, 2006 ! i386 architecture
  ! Constrain ! i386_set_ioperm(2) ! so even root is blocked from accessing the ioports ! unless the machine is running at lower securelevels or with an open X11 aperture. !
  ! ! A source code patch exists which remedies this problem. !
  ! !
- ! 005: SECURITY FIX: February 12, 2006 All architectures
  ! Josh Bressers has reported a weakness in OpenSSH caused due to the insecure use of the ! system(3) ! function in ! scp(1) ! when performing copy operations using filenames that are supplied by the user from the command line. ! This can be exploited to execute shell commands with privileges of the user running ! scp(1).
  ! A source code patch exists which remedies this problem.
  !
- ! 006: SECURITY FIX: March 25, 2006 All architectures
  ! A race condition has been reported to exist in the handling by sendmail of ! asynchronous signals. A remote attacker may be able to execute arbitrary code with the ! privileges of the user running sendmail, typically root.
  ! A source code patch exists which remedies this problem.
  !
- ! 007: SECURITY FIX: May 2, 2006 All architectures
  ! A security vulnerability has been found in the X.Org server -- ! CVE-2006-1526. ! Clients authorized to connect to the X server are able to crash it and to execute ! malicious code within the X server.
  ! A source code patch exists which remedies this problem.
  !
- ! 008: SECURITY FIX: June 15, 2006 All architectures
  ! A potential denial of service problem has been found in sendmail. A malformed MIME ! message could trigger excessive recursion which will lead to stack exhaustion. ! This denial of service attack only affects delivery of mail from the queue and ! delivery of a malformed message. Other incoming mail is still accepted and ! delivered. However, mail messages in the queue may not be reattempted if a ! malformed MIME message exists.
  ! A source code patch exists which remedies this problem.
  !
- ! 009: SECURITY FIX: July 30, 2006 All architectures
  ! httpd(8)'s ! mod_rewrite has a potentially exploitable off-by-one buffer overflow. ! The buffer overflow may result in a vulnerability which, in combination ! with certain types of Rewrite rules in the web server configuration files, ! could be triggered remotely. The default install is not affected by the ! buffer overflow. CVE-2006-3747
  ! A source code patch exists which remedies this problem.
  !
- ! 010: SECURITY FIX: August 25, 2006 All architectures
  ! A potential denial of service problem has been found in sendmail. A message ! with really long header lines could trigger a use-after-free bug causing ! sendmail to crash.
  ! A source code patch exists which remedies this problem.
  *************** *** 226,352 **** A source code patch exists which remedies this problem.
  !
- ! 010: SECURITY FIX: August 25, 2006 All architectures
  ! A potential denial of service problem has been found in sendmail. A message ! with really long header lines could trigger a use-after-free bug causing ! sendmail to crash.
  ! A source code patch exists which remedies this problem.
  !
- ! 009: SECURITY FIX: July 30, 2006 All architectures
  ! httpd(8)'s ! mod_rewrite has a potentially exploitable off-by-one buffer overflow. ! The buffer overflow may result in a vulnerability which, in combination ! with certain types of Rewrite rules in the web server configuration files, ! could be triggered remotely. The default install is not affected by the ! buffer overflow. CVE-2006-3747
  ! A source code patch exists which remedies this problem.
  !
- ! 008: SECURITY FIX: June 15, 2006 All architectures
  ! A potential denial of service problem has been found in sendmail. A malformed MIME ! message could trigger excessive recursion which will lead to stack exhaustion. ! This denial of service attack only affects delivery of mail from the queue and ! delivery of a malformed message. Other incoming mail is still accepted and ! delivered. However, mail messages in the queue may not be reattempted if a ! malformed MIME message exists.
  ! A source code patch exists which remedies this problem.
  !
- ! 007: SECURITY FIX: May 2, 2006 All architectures
  ! A security vulnerability has been found in the X.Org server -- ! CVE-2006-1526. ! Clients authorized to connect to the X server are able to crash it and to execute ! malicious code within the X server.
  ! A source code patch exists which remedies this problem.
  !
- ! 006: SECURITY FIX: March 25, 2006 All architectures
  ! A race condition has been reported to exist in the handling by sendmail of ! asynchronous signals. A remote attacker may be able to execute arbitrary code with the ! privileges of the user running sendmail, typically root.
  ! A source code patch exists which remedies this problem.
  !
- ! 005: SECURITY FIX: February 12, 2006 All architectures
  ! Josh Bressers has reported a weakness in OpenSSH caused due to the insecure use of the ! system(3) ! function in ! scp(1) ! when performing copy operations using filenames that are supplied by the user from the command line. ! This can be exploited to execute shell commands with privileges of the user running ! scp(1).
  ! A source code patch exists which remedies this problem.
  !
- ! 004: RELIABILITY FIX: January 13, 2006 ! i386 architecture
  ! Constrain ! i386_set_ioperm(2) ! so even root is blocked from accessing the ioports ! unless the machine is running at lower securelevels or with an open X11 aperture.
  ! A source code patch exists which remedies this problem.
  !
- ! 003: RELIABILITY FIX: January 13, 2006 ! i386 architecture
  ! Change the implementation of i386 W^X so that the "execute line" can move around. ! Before it was limited to being either at 512MB (below which all code normally ! lands) or at the top of the stack. Now the line can float as ! mprotect(2) ! and ! mmap(2) ! requests need it to. This is now implemented using only GDT selectors ! instead of the LDT so that it is more robust as well. !
  ! ! A source code patch exists which remedies this problem. !
  ! !
- ! 002: SECURITY FIX: January 5, 2006 All architectures
  ! Do not allow users to trick suid programs into re-opening files via /dev/fd.
  ! A source code patch exists which remedies this problem.
  !
- ! 001: SECURITY FIX: January 5, 2006 All architectures
  ! A buffer overflow has been found in the Perl interpreter with the sprintf function which ! may be exploitable under certain conditions.
  ! A source code patch exists which remedies this problem.
  --- 223,352 ---- A source code patch exists which remedies this problem.
  !
- ! 012: SECURITY FIX: August 25, 2006 All architectures
  ! It is possible to cause the kernel to panic when more than the default number of ! sempahores have been allocated.
  ! A source code patch exists which remedies this problem.
  !
- ! 013: SECURITY FIX: August 25, 2006 All architectures
  ! A problem in ! isakmpd(8) ! caused IPsec to run partly without replay protection. If ! isakmpd(8) ! was acting as responder during SA negotiation, SA's with a replay window of size 0 were created. ! An attacker could reinject sniffed IPsec packets, which will be accepted without checking the ! replay counter.
  ! A source code patch exists which remedies this problem.
  !
- ! 014: SECURITY FIX: September 2, 2006 All architectures
  ! Due to the failure to correctly validate LCP configuration option lengths, ! it is possible for an attacker to send LCP packets via an ! sppp(4) ! connection causing the kernel to panic. ! CVE-2006-4304
  ! A source code patch exists which remedies this problem.
  !
- ! 015: SECURITY FIX: September 8, 2006 All architectures
  ! Two Denial of Service issues have been found with BIND. ! An attacker who can perform recursive lookups on a DNS server and is able ! to send a sufficiently large number of recursive queries, or is able to ! get the DNS server to return more than one SIG(covered) RRsets can stop ! the functionality of the DNS service. ! An attacker querying an authoritative DNS server serving a RFC 2535 ! DNSSEC zone may be able to crash the DNS server. ! CVE-2006-4095 ! CVE-2006-4096
  ! A source code patch exists which remedies this problem.
  !
- ! 016: SECURITY FIX: September 8, 2006 All architectures
  ! Due to incorrect PKCS#1 v1.5 padding validation in OpenSSL, it is possible for ! an attacker to construct an invalid signature which OpenSSL would accept as a ! valid PKCS#1 v1.5 signature. ! CVE-2006-4339
  ! A source code patch exists which remedies this problem.
  !
- ! 017: SECURITY FIX: October 7, 2006 All architectures
  ! httpd(8) ! does not sanitize the Expect header from an HTTP request when it is ! reflected back in an error message, which might allow cross-site scripting (XSS) ! style attacks. ! CVE-2006-3918
  ! A source code patch exists which remedies this problem.
  !
- ! 018: SECURITY FIX: October 7, 2006 ! All architectures
  ! Several problems have been found in OpenSSL. While parsing certain invalid ASN.1 ! structures an error condition is mishandled, possibly resulting in an infinite ! loop. A buffer overflow exists in the SSL_get_shared_ciphers function. A NULL ! pointer may be dereferenced in the SSL version 2 client code. In addition, many ! applications using OpenSSL do not perform any validation of the lengths of ! public keys being used. ! CVE-2006-2937, ! CVE-2006-3738, ! CVE-2006-4343, ! CVE-2006-2940
  ! A source code patch exists which remedies this problem.
  !
- ! 019: SECURITY FIX: October 7, 2006 All architectures
  ! Fix for an integer overflow in ! systrace(4)'s ! STRIOCREPLACE support, found by ! Chris Evans. This could be exploited for DoS, limited kmem reads or local ! privilege escalation.
  ! A source code patch exists which remedies this problem.
  !
- ! 020: SECURITY FIX: October 12, 2006 All architectures
  ! Fix 2 security bugs found in OpenSSH. A pre-authentication denial of service (found ! by Tavis Ormandy) that would cause ! sshd(8) ! to spin until the login grace time expired. ! An unsafe signal handler (found by Mark Dowd) that is vulnerable to a race condition ! that could be exploited to perform a pre-authentication denial of service. ! CVE-2006-4924, ! CVE-2006-5051
  ! A source code patch exists which remedies this problem.