===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/errata38.html,v
retrieving revision 1.65
retrieving revision 1.66
diff -u -r1.65 -r1.66
--- www/errata38.html 2017/03/28 06:41:18 1.65
+++ www/errata38.html 2017/06/26 17:18:57 1.66
@@ -88,7 +88,7 @@
All architectures
Fix 2 security bugs found in OpenSSH. A pre-authentication denial of service (found
by Tavis Ormandy) that would cause
-sshd(8)
+sshd(8)
to spin until the login grace time expired.
An unsafe signal handler (found by Mark Dowd) that is vulnerable to a race condition
that could be exploited to perform a pre-authentication denial of service.
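Review bot: the removed and added lines in this hunk render identically (`-sshd(8)` / `+sshd(8)`), so whatever actually changed is not visible in this text-only view, most likely an attribute of the surrounding markup such as the manual-page link target. Before merging, confirm the new target resolves and still points at the OpenBSD 3.8-era sshd(8) page rather than the current one; the same check applies to every other hunk in this revision, all of which show the same identical-looking pair.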
@@ -103,7 +103,7 @@
019: SECURITY FIX: October 7, 2006
All architectures
Fix for an integer overflow in
-systrace(4)'s
+systrace(4)'s
STRIOCREPLACE support, found by
Chris Evans. This could be exploited for DoS, limited kmem reads or local
privilege escalation.
@@ -133,7 +133,7 @@
017: SECURITY FIX: October 7, 2006
All architectures
-httpd(8)
+httpd(8)
does not sanitize the Expect header from an HTTP request when it is
reflected back in an error message, which might allow cross-site scripting (XSS)
style attacks.
@@ -177,7 +177,7 @@
All architectures
Due to the failure to correctly validate LCP configuration option lengths,
it is possible for an attacker to send LCP packets via an
-sppp(4)
+sppp(4)
connection causing the kernel to panic.
CVE-2006-4304
@@ -189,9 +189,9 @@
013: SECURITY FIX: August 25, 2006
All architectures
A problem in
-isakmpd(8)
+isakmpd(8)
caused IPsec to run partly without replay protection. If
-isakmpd(8)
+isakmpd(8)
was acting as responder during SA negotiation, SA's with a replay window of size 0 were created.
An attacker could reinject sniffed IPsec packets, which will be accepted without checking the
replay counter.
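Review bot: this hunk changes two separate isakmpd(8) references in the same entry; make sure both ended up with the same updated target rather than only the first one being edited by hand. While this entry is being touched, the context line `SA's with a replay window of size 0 were created.` uses a possessive apostrophe for a plural; `SAs with a replay window of size 0` is the intended reading.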
@@ -214,9 +214,9 @@
011: SECURITY FIX: August 25, 2006
All architectures
Due to an off-by-one error in
-dhcpd(8),
+dhcpd(8),
it is possible to cause
-dhcpd(8)
+dhcpd(8)
to exit by sending a DHCPDISCOVER packet with a 32-byte client identifier option.
CVE-2006-3122
@@ -238,7 +238,7 @@
009: SECURITY FIX: July 30, 2006
All architectures
-httpd(8)'s
+httpd(8)'s
mod_rewrite has a potentially exploitable off-by-one buffer overflow.
The buffer overflow may result in a vulnerability which, in combination
with certain types of Rewrite rules in the web server configuration files,
@@ -290,12 +290,12 @@
005: SECURITY FIX: February 12, 2006
All architectures
Josh Bressers has reported a weakness in OpenSSH caused due to the insecure use of the
-system(3)
+system(3)
function in
-scp(1)
+scp(1)
when performing copy operations using filenames that are supplied by the user from the command line.
This can be exploited to execute shell commands with privileges of the user running
-scp(1).
+scp(1).
A source code patch exists which remedies this problem.
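Review bot: two of the three changed references here carry trailing punctuation on the same line (`scp(1).` and the comma after the `dhcpd(8),` references in the preceding hunks). If the change is to the anchor markup, check that the period and comma sit outside the anchor text so the rendered link reads `scp(1)` and not `scp(1).`; a link with punctuation inside it is a common artifact of search-and-replace edits of this kind.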
@@ -305,7 +305,7 @@
004: RELIABILITY FIX: January 13, 2006
i386 architecture
Constrain
-i386_set_ioperm(2)
+i386_set_ioperm(2)
so even root is blocked from accessing the ioports
unless the machine is running at lower securelevels or with an open X11 aperture.
@@ -319,9 +319,9 @@
Change the implementation of i386 W^X so that the "execute line" can move around.
Before it was limited to being either at 512MB (below which all code normally
lands) or at the top of the stack. Now the line can float as
-mprotect(2)
+mprotect(2)
and
-mmap(2)
+mmap(2)
requests need it to. This is now implemented using only GDT selectors
instead of the LDT so that it is more robust as well.