===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/errata38.html,v
retrieving revision 1.71
retrieving revision 1.72
diff -c -r1.71 -r1.72
*** www/errata38.html 2019/05/27 22:55:19 1.71
--- www/errata38.html 2019/05/28 16:32:42 1.72
***************
*** 85,214 ****
! -
! 020: SECURITY FIX: October 12, 2006
All architectures
! Fix 2 security bugs found in OpenSSH. A pre-authentication denial of service (found
! by Tavis Ormandy) that would cause
! sshd(8)
! to spin until the login grace time expired.
! An unsafe signal handler (found by Mark Dowd) that is vulnerable to a race condition
! that could be exploited to perform a pre-authentication denial of service.
! CVE-2006-4924,
! CVE-2006-5051
!
A source code patch exists which remedies this problem.
!
-
! 019: SECURITY FIX: October 7, 2006
All architectures
! Fix for an integer overflow in
! systrace(4)'s
! STRIOCREPLACE support, found by
! Chris Evans. This could be exploited for DoS, limited kmem reads or local
! privilege escalation.
!
A source code patch exists which remedies this problem.
!
-
! 018: SECURITY FIX: October 7, 2006
! All architectures
! Several problems have been found in OpenSSL. While parsing certain invalid ASN.1
! structures an error condition is mishandled, possibly resulting in an infinite
! loop. A buffer overflow exists in the SSL_get_shared_ciphers function. A NULL
! pointer may be dereferenced in the SSL version 2 client code. In addition, many
! applications using OpenSSL do not perform any validation of the lengths of
! public keys being used.
! CVE-2006-2937,
! CVE-2006-3738,
! CVE-2006-4343,
! CVE-2006-2940
!
A source code patch exists which remedies this problem.
!
-
! 017: SECURITY FIX: October 7, 2006
All architectures
! httpd(8)
! does not sanitize the Expect header from an HTTP request when it is
! reflected back in an error message, which might allow cross-site scripting (XSS)
! style attacks.
! CVE-2006-3918
!
A source code patch exists which remedies this problem.
!
-
! 016: SECURITY FIX: September 8, 2006
All architectures
! Due to incorrect PKCS#1 v1.5 padding validation in OpenSSL, it is possible for
! an attacker to construct an invalid signature which OpenSSL would accept as a
! valid PKCS#1 v1.5 signature.
! CVE-2006-4339
!
A source code patch exists which remedies this problem.
!
-
! 015: SECURITY FIX: September 8, 2006
All architectures
! Two Denial of Service issues have been found with BIND.
! An attacker who can perform recursive lookups on a DNS server and is able
! to send a sufficiently large number of recursive queries, or is able to
! get the DNS server to return more than one SIG(covered) RRsets can stop
! the functionality of the DNS service.
! An attacker querying an authoritative DNS server serving a RFC 2535
! DNSSEC zone may be able to crash the DNS server.
! CVE-2006-4095
! CVE-2006-4096
!
A source code patch exists which remedies this problem.
!
-
! 014: SECURITY FIX: September 2, 2006
All architectures
! Due to the failure to correctly validate LCP configuration option lengths,
! it is possible for an attacker to send LCP packets via an
! sppp(4)
! connection causing the kernel to panic.
! CVE-2006-4304
!
A source code patch exists which remedies this problem.
!
-
! 013: SECURITY FIX: August 25, 2006
All architectures
! A problem in
! isakmpd(8)
! caused IPsec to run partly without replay protection. If
! isakmpd(8)
! was acting as responder during SA negotiation, SA's with a replay window of size 0 were created.
! An attacker could reinject sniffed IPsec packets, which will be accepted without checking the
! replay counter.
!
A source code patch exists which remedies this problem.
!
-
! 012: SECURITY FIX: August 25, 2006
All architectures
! It is possible to cause the kernel to panic when more than the default number of
! sempahores have been allocated.
!
A source code patch exists which remedies this problem.
--- 85,211 ----
! -
! 001: SECURITY FIX: January 5, 2006
All architectures
! A buffer overflow has been found in the Perl interpreter with the sprintf function which
! may be exploitable under certain conditions.
!
A source code patch exists which remedies this problem.
!
-
! 002: SECURITY FIX: January 5, 2006
All architectures
! Do not allow users to trick suid programs into re-opening files via /dev/fd.
!
A source code patch exists which remedies this problem.
!
-
! 003: RELIABILITY FIX: January 13, 2006
! i386 architecture
! Change the implementation of i386 W^X so that the "execute line" can move around.
! Before it was limited to being either at 512MB (below which all code normally
! lands) or at the top of the stack. Now the line can float as
! mprotect(2)
! and
! mmap(2)
! requests need it to. This is now implemented using only GDT selectors
! instead of the LDT so that it is more robust as well.
!
A source code patch exists which remedies this problem.
!
-
! 004: RELIABILITY FIX: January 13, 2006
! i386 architecture
! Constrain
! i386_set_ioperm(2)
! so even root is blocked from accessing the ioports
! unless the machine is running at lower securelevels or with an open X11 aperture.
!
!
! A source code patch exists which remedies this problem.
!
!
!
-
! 005: SECURITY FIX: February 12, 2006
All architectures
! Josh Bressers has reported a weakness in OpenSSH caused due to the insecure use of the
! system(3)
! function in
! scp(1)
! when performing copy operations using filenames that are supplied by the user from the command line.
! This can be exploited to execute shell commands with privileges of the user running
! scp(1).
!
A source code patch exists which remedies this problem.
!
-
! 006: SECURITY FIX: March 25, 2006
All architectures
! A race condition has been reported to exist in the handling by sendmail of
! asynchronous signals. A remote attacker may be able to execute arbitrary code with the
! privileges of the user running sendmail, typically root.
!
A source code patch exists which remedies this problem.
!
-
! 007: SECURITY FIX: May 2, 2006
All architectures
! A security vulnerability has been found in the X.Org server --
! CVE-2006-1526.
! Clients authorized to connect to the X server are able to crash it and to execute
! malicious code within the X server.
!
A source code patch exists which remedies this problem.
!
-
! 008: SECURITY FIX: June 15, 2006
All architectures
! A potential denial of service problem has been found in sendmail. A malformed MIME
! message could trigger excessive recursion which will lead to stack exhaustion.
! This denial of service attack only affects delivery of mail from the queue and
! delivery of a malformed message. Other incoming mail is still accepted and
! delivered. However, mail messages in the queue may not be reattempted if a
! malformed MIME message exists.
!
A source code patch exists which remedies this problem.
!
-
! 009: SECURITY FIX: July 30, 2006
All architectures
! httpd(8)'s
! mod_rewrite has a potentially exploitable off-by-one buffer overflow.
! The buffer overflow may result in a vulnerability which, in combination
! with certain types of Rewrite rules in the web server configuration files,
! could be triggered remotely. The default install is not affected by the
! buffer overflow. CVE-2006-3747
!
A source code patch exists which remedies this problem.
!
-
! 010: SECURITY FIX: August 25, 2006
All architectures
! A potential denial of service problem has been found in sendmail. A message
! with really long header lines could trigger a use-after-free bug causing
! sendmail to crash.
!
A source code patch exists which remedies this problem.
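Review bot: the extra blank lines around entry 004's "A source code patch exists which remedies this problem." line on the new side (two blank `!` lines before it, three after) break the one-blank-line spacing every other entry uses; they appear to be the same stray lines the old file carried around entry 003, which the reversal has now re-attached to a different entry. Collapse them to the single blank line used by 001, 002, 003 and 005 so the entries render uniformly. Otherwise the reorder from descending (020 down to 012) to ascending (001 up to 010) preserves each entry's text verbatim, and entry 011 correctly remains unchanged context between the two hunks.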
***************
*** 226,352 ****
A source code patch exists which remedies this problem.
!
-
! 010: SECURITY FIX: August 25, 2006
All architectures
! A potential denial of service problem has been found in sendmail. A message
! with really long header lines could trigger a use-after-free bug causing
! sendmail to crash.
!
A source code patch exists which remedies this problem.
!
-
! 009: SECURITY FIX: July 30, 2006
All architectures
! httpd(8)'s
! mod_rewrite has a potentially exploitable off-by-one buffer overflow.
! The buffer overflow may result in a vulnerability which, in combination
! with certain types of Rewrite rules in the web server configuration files,
! could be triggered remotely. The default install is not affected by the
! buffer overflow. CVE-2006-3747
!
A source code patch exists which remedies this problem.
!
-
! 008: SECURITY FIX: June 15, 2006
All architectures
! A potential denial of service problem has been found in sendmail. A malformed MIME
! message could trigger excessive recursion which will lead to stack exhaustion.
! This denial of service attack only affects delivery of mail from the queue and
! delivery of a malformed message. Other incoming mail is still accepted and
! delivered. However, mail messages in the queue may not be reattempted if a
! malformed MIME message exists.
!
A source code patch exists which remedies this problem.
!
-
! 007: SECURITY FIX: May 2, 2006
All architectures
! A security vulnerability has been found in the X.Org server --
! CVE-2006-1526.
! Clients authorized to connect to the X server are able to crash it and to execute
! malicious code within the X server.
!
A source code patch exists which remedies this problem.
!
-
! 006: SECURITY FIX: March 25, 2006
All architectures
! A race condition has been reported to exist in the handling by sendmail of
! asynchronous signals. A remote attacker may be able to execute arbitrary code with the
! privileges of the user running sendmail, typically root.
!
A source code patch exists which remedies this problem.
!
-
! 005: SECURITY FIX: February 12, 2006
All architectures
! Josh Bressers has reported a weakness in OpenSSH caused due to the insecure use of the
! system(3)
! function in
! scp(1)
! when performing copy operations using filenames that are supplied by the user from the command line.
! This can be exploited to execute shell commands with privileges of the user running
! scp(1).
!
A source code patch exists which remedies this problem.
!
-
! 004: RELIABILITY FIX: January 13, 2006
! i386 architecture
! Constrain
! i386_set_ioperm(2)
! so even root is blocked from accessing the ioports
! unless the machine is running at lower securelevels or with an open X11 aperture.
!
A source code patch exists which remedies this problem.
!
-
! 003: RELIABILITY FIX: January 13, 2006
! i386 architecture
! Change the implementation of i386 W^X so that the "execute line" can move around.
! Before it was limited to being either at 512MB (below which all code normally
! lands) or at the top of the stack. Now the line can float as
! mprotect(2)
! and
! mmap(2)
! requests need it to. This is now implemented using only GDT selectors
! instead of the LDT so that it is more robust as well.
!
!
! A source code patch exists which remedies this problem.
!
!
!
-
! 002: SECURITY FIX: January 5, 2006
All architectures
! Do not allow users to trick suid programs into re-opening files via /dev/fd.
!
A source code patch exists which remedies this problem.
!
-
! 001: SECURITY FIX: January 5, 2006
All architectures
! A buffer overflow has been found in the Perl interpreter with the sprintf function which
! may be exploitable under certain conditions.
!
A source code patch exists which remedies this problem.
--- 223,352 ----
A source code patch exists which remedies this problem.
!
-
! 012: SECURITY FIX: August 25, 2006
All architectures
! It is possible to cause the kernel to panic when more than the default number of
! sempahores have been allocated.
!
A source code patch exists which remedies this problem.
!
-
! 013: SECURITY FIX: August 25, 2006
All architectures
! A problem in
! isakmpd(8)
! caused IPsec to run partly without replay protection. If
! isakmpd(8)
! was acting as responder during SA negotiation, SA's with a replay window of size 0 were created.
! An attacker could reinject sniffed IPsec packets, which will be accepted without checking the
! replay counter.
!
A source code patch exists which remedies this problem.
!
-
! 014: SECURITY FIX: September 2, 2006
All architectures
! Due to the failure to correctly validate LCP configuration option lengths,
! it is possible for an attacker to send LCP packets via an
! sppp(4)
! connection causing the kernel to panic.
! CVE-2006-4304
!
A source code patch exists which remedies this problem.
!
-
! 015: SECURITY FIX: September 8, 2006
All architectures
! Two Denial of Service issues have been found with BIND.
! An attacker who can perform recursive lookups on a DNS server and is able
! to send a sufficiently large number of recursive queries, or is able to
! get the DNS server to return more than one SIG(covered) RRsets can stop
! the functionality of the DNS service.
! An attacker querying an authoritative DNS server serving a RFC 2535
! DNSSEC zone may be able to crash the DNS server.
! CVE-2006-4095
! CVE-2006-4096
!
A source code patch exists which remedies this problem.
!
-
! 016: SECURITY FIX: September 8, 2006
All architectures
! Due to incorrect PKCS#1 v1.5 padding validation in OpenSSL, it is possible for
! an attacker to construct an invalid signature which OpenSSL would accept as a
! valid PKCS#1 v1.5 signature.
! CVE-2006-4339
!
A source code patch exists which remedies this problem.
!
-
! 017: SECURITY FIX: October 7, 2006
All architectures
! httpd(8)
! does not sanitize the Expect header from an HTTP request when it is
! reflected back in an error message, which might allow cross-site scripting (XSS)
! style attacks.
! CVE-2006-3918
!
A source code patch exists which remedies this problem.
!
-
! 018: SECURITY FIX: October 7, 2006
! All architectures
! Several problems have been found in OpenSSL. While parsing certain invalid ASN.1
! structures an error condition is mishandled, possibly resulting in an infinite
! loop. A buffer overflow exists in the SSL_get_shared_ciphers function. A NULL
! pointer may be dereferenced in the SSL version 2 client code. In addition, many
! applications using OpenSSL do not perform any validation of the lengths of
! public keys being used.
! CVE-2006-2937,
! CVE-2006-3738,
! CVE-2006-4343,
! CVE-2006-2940
!
A source code patch exists which remedies this problem.
!
-
! 019: SECURITY FIX: October 7, 2006
All architectures
! Fix for an integer overflow in
! systrace(4)'s
! STRIOCREPLACE support, found by
! Chris Evans. This could be exploited for DoS, limited kmem reads or local
! privilege escalation.
!
A source code patch exists which remedies this problem.
!
-
! 020: SECURITY FIX: October 12, 2006
All architectures
! Fix 2 security bugs found in OpenSSH. A pre-authentication denial of service (found
! by Tavis Ormandy) that would cause
! sshd(8)
! to spin until the login grace time expired.
! An unsafe signal handler (found by Mark Dowd) that is vulnerable to a race condition
! that could be exploited to perform a pre-authentication denial of service.
! CVE-2006-4924,
! CVE-2006-5051
!
A source code patch exists which remedies this problem.
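Review bot: entry 012 still reads "sempahores" (should be "semaphores"); since this line is being rewritten anyway in the reversal, fix the typo here rather than leaving it for a separate commit. The rest of the hunk (012 up to 020 replacing 010 down to 001) carries the entries over unchanged, and the new side drops the doubled blank lines that the old side had around entry 003, so spacing on this side is consistent.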