===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/errata39.html,v
retrieving revision 1.2
retrieving revision 1.3
diff -c -r1.2 -r1.3
*** www/errata39.html 2006/03/08 19:53:56 1.2
--- www/errata39.html 2006/10/30 20:59:45 1.3
***************
*** 42,48 ****
3.6,
3.7,
3.8,
! current.
--- 42,48 ----
3.6,
3.7,
3.8,
! 4.0.
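Review bot: the release list at lines 42-48 now ends with "4.0." rather than "current.", which is right for an errata39 page once 4.0 has shipped; the same list is repeated at the foot of the page (the 159,171 hunk) and must be changed identically, otherwise the header and footer of the page disagree about which release follows 3.9.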
***************
*** 51,57 ****
This file is updated once a day.
The patches below are available in CVS via the
! OPENBSD_3_8
patch branch.
For more detailed information on how to install patches to OpenBSD, please
--- 51,57 ----
This file is updated once a day.
The patches below are available in CVS via the
! OPENBSD_3_9
patch branch.
For more detailed information on how to install patches to OpenBSD, please
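Review bot: the patch branch changes from OPENBSD_3_8 to OPENBSD_3_9, which is the correct tag for the 3.9 errata page; the old value reads like a leftover from copying errata38.html, so it is worth checking that no other 3.8-specific string (release name, branch, patch URL prefix) survived the copy elsewhere on the page.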
***************
*** 66,72 ****
-
--- 66,71 ----
***************
*** 77,137 ****
-
! 005: SECURITY FIX: February 12, 2006 All architectures
! Josh Bressers has reported a weakness in OpenSSH caused due to the insecure use of the
! system(3)
! function in
! scp(1)
! when performing copy operations using filenames that are supplied by the user from the command line.
! This can be exploited to execute shell commands with privileges of the user running
! scp(1).
!
A source code patch exists which remedies this problem.
!
-
! 004: RELIABILITY FIX: January 13, 2006 i386 architecture
! Constrain
! i386_set_ioperm(2)
! so even root is blocked from accessing the ioports
! unless the machine is running at lower securelevels or with an open X11 aperture.
!
A source code patch exists which remedies this problem.
!
-
! 003: RELIABILITY FIX: January 13, 2006 i386 architecture
! Change the implementation of i386 W^X so that the "execute line" can move around.
! Before it was limited to being either at 512MB (below which all code normally
! lands) or at the top of the stack. Now the line can float as
! mprotect(2)
! and
! mmap(2)
! requests need it to. This is now implemented using only GDT selectors
! instead of the LDT so that it is more robust as well.
!
A source code patch exists which remedies this problem.
!
-
! 002: SECURITY FIX: January 5, 2006 All architectures
! Do not allow users to trick suid programs into re-opening files via /dev/fd.
!
A source code patch exists which remedies this problem.
!
-
! 001: SECURITY FIX: January 5, 2006 All architectures
! A buffer overflow has been found in the Perl interpreter with the sprintf function which
! may be exploitable under certain conditions.
!
A source code patch exists which remedies this problem.
--- 76,268 ----
-
! 015: SECURITY FIX: October 12, 2006 All architectures
! Fix 2 security bugs found in OpenSSH. A pre-authentication denial of service (found
! by Tavis Ormandy) that would cause
! sshd(8)
! to spin until the login grace time expired.
! An unsafe signal handler (found by Mark Dowd) that is vulnerable to a race condition
! that could be exploited to perform a pre-authentication denial of service.
! CVE-2006-4924,
! CVE-2006-5051
!
A source code patch exists which remedies this problem.
!
-
! 014: SECURITY FIX: October 7, 2006 All architectures
! Fix for an integer overflow in
! systrace(4)'s
! STRIOCREPLACE support, found by
! Chris Evans. This could be exploited for DoS, limited kmem reads or local
! privilege escalation.
!
A source code patch exists which remedies this problem.
!
-
! 013: SECURITY FIX: October 7, 2006 All architectures
! Several problems have been found in OpenSSL. While parsing certain invalid ASN.1
! structures an error condition is mishandled, possibly resulting in an infinite
! loop. A buffer overflow exists in the SSL_get_shared_ciphers function. A NULL
! pointer may be dereferenced in the SSL version 2 client code. In addition, many
! applications using OpenSSL do not perform any validation of the lengths of
! public keys being used.
! CVE-2006-2937,
! CVE-2006-3738,
! CVE-2006-4343,
! CVE-2006-2940
!
A source code patch exists which remedies this problem.
!
-
! 012: SECURITY FIX: October 7, 2006 All architectures
! httpd(8)
! does not sanitize the Expect header from an HTTP request when it is
! reflected back in an error message, which might allow cross-site scripting (XSS)
! style attacks.
! CVE-2006-3918
!
A source code patch exists which remedies this problem.
!
-
! 011: SECURITY FIX: September 8, 2006 All architectures
! Due to incorrect PKCS#1 v1.5 padding validation in OpenSSL, it is possible for
! an attacker to construct an invalid signature which OpenSSL would accept as a
! valid PKCS#1 v1.5 signature.
! CVE-2006-4339
!
A source code patch exists which remedies this problem.
+
+
-
+ 010: SECURITY FIX: September 8, 2006 All architectures
+ Two Denial of Service issues have been found with BIND.
+ An attacker who can perform recursive lookups on a DNS server and is able
+ to send a sufficiently large number of recursive queries, or is able to
+ get the DNS server to return more than one SIG(covered) RRsets can stop
+ the functionality of the DNS service.
+ An attacker querying an authoritative DNS server serving a RFC 2535
+ DNSSEC zone may be able to crash the DNS server.
+ CVE-2006-4095
+ CVE-2006-4096
+
+
+ A source code patch exists which remedies this problem.
+
+
+
-
+ 009: SECURITY FIX: September 2, 2006 All architectures
+ Due to the failure to correctly validate LCP configuration option lengths,
+ it is possible for an attacker to send LCP packets via an
+ sppp(4)
+ connection causing the kernel to panic.
+ CVE-2006-4304
+
+
+ A source code patch exists which remedies this problem.
+
+
+
-
+ 008: SECURITY FIX: August 25, 2006 All architectures
+ A problem in
+ isakmpd(8)
+ caused IPsec to run partly without replay protection. If
+ isakmpd(8)
+ was acting as responder during SA negotiation, SA's with a replay window of size 0 were created.
+ An attacker could reinject sniffed IPsec packets, which will be accepted without checking the
+ replay counter.
+
+
+ A source code patch exists which remedies this problem.
+
+
+
-
+ 007: SECURITY FIX: August 25, 2006 All architectures
+ It is possible to cause the kernel to panic when more than the default number of
+ sempahores have been allocated.
+
+
+ A source code patch exists which remedies this problem.
+
+
+
-
+ 006: SECURITY FIX: August 25, 2006 All architectures
+ Due to an off-by-one error in
+ dhcpd(8),
+ it is possible to cause
+ dhcpd(8)
+ to exit by sending a DHCPDISCOVER packet with a 32-byte client identifier option.
+ CVE-2006-3122
+
+
+ A source code patch exists which remedies this problem.
+
+
+
-
+ 005: SECURITY FIX: August 25, 2006 All architectures
+ A potential denial of service problem has been found in sendmail. A message
+ with really long header lines could trigger a use-after-free bug causing
+ sendmail to crash.
+
+
+ A source code patch exists which remedies this problem.
+
+
+
-
+ 004: SECURITY FIX: July 30, 2006 All architectures
+ httpd(8)'s
+ mod_rewrite has a potentially exploitable off-by-one buffer overflow.
+ The buffer overflow may result in a vulnerability which, in combination
+ with certain types of Rewrite rules in the web server configuration files,
+ could be triggered remotely. The default install is not affected by the
+ buffer overflow. CVE-2006-3747
+
+
+ A source code patch exists which remedies this problem.
+
+
+
-
+ 003: SECURITY FIX: June 15, 2006 All architectures
+ A potential denial of service problem has been found in sendmail. A malformed MIME
+ message could trigger excessive recursion which will lead to stack exhaustion.
+ This denial of service attack only affects delivery of mail from the queue and
+ delivery of a malformed message. Other incoming mail is still accepted and
+ delivered. However, mail messages in the queue may not be reattempted if a
+ malformed MIME message exists.
+
+
+ A source code patch exists which remedies this problem.
+
+
+
-
+ 002: SECURITY FIX: May 2, 2006 All architectures
+ A security vulnerability has been found in the X.Org server --
+ CVE-2006-1526.
+ Clients authorized to connect to the X server are able to crash it and to execute
+ malicious code within the X server.
+
+
+ A source code patch exists which remedies this problem.
+
+
+
-
+ 001: SECURITY FIX: March 25, 2006 All architectures
+ A race condition has been reported to exist in the handling by sendmail of
+ asynchronous signals. A remote attacker may be able to execute arbitrary code with the
+ privileges of the user running sendmail, typically root. This is the second revision of
+ this patch.
+
+
+ A source code patch exists which remedies this problem.
+
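Review bot: entry 007 (the semaphore panic) misspells "semaphores" as "sempahores" and, unlike its neighbours, says nothing about who can trigger the condition or whether an unprivileged local user can reach it; a reader deciding patch priority needs at least that. Several 3.9 entries in this hunk also omit the CVE reference the others carry: 001 (sendmail signal race), 003 (sendmail MIME recursion), 005 (sendmail long-header use-after-free), 007 and 008 (isakmpd replay window). Where an identifier has been assigned, add it on its own line in the "CVE-YYYY-NNNN" style used by 006, 009 and 011 so the entries can be matched against vendor advisories. Smaller points: 010 gives "CVE-2006-4095" and "CVE-2006-4096" on separate lines without the comma separator used by 013 and 015; 013 lists CVE-2006-2940 after CVE-2006-4343, out of order with the other three; 008 writes "SA's" where "SAs" is meant; 015 opens with "Fix 2 security bugs", better written as "Fix two security bugs"; and 001 says "This is the second revision of this patch" without saying what the first revision missed, which is exactly what someone who already applied the first revision needs to know.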
***************
*** 159,171 ****
3.6,
3.7,
3.8,
! current.
www@openbsd.org
!
$OpenBSD: errata39.html,v 1.2 2006/03/08 19:53:56 deraadt dead $
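Review bot: this final hunk (159,171) is incomplete as shown: only the old-side lines appear (`! current.`, a changed blank line, and the `$OpenBSD: errata39.html,v 1.2 ...` id line) and the `--- 159,... ----` half is missing, so the diff does not confirm that the footer release list becomes "4.0." to match the 42-48 hunk, or what the RCS id line becomes in revision 1.3. Regenerate the diff with the full hunk before committing.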