=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/errata39.html,v retrieving revision 1.2 retrieving revision 1.3 diff -c -r1.2 -r1.3 *** www/errata39.html 2006/03/08 19:53:56 1.2 --- www/errata39.html 2006/10/30 20:59:45 1.3 *************** *** 42,48 **** 3.6, 3.7, 3.8, ! current.

--- 42,48 ---- 3.6, 3.7, 3.8, ! 4.0.

*************** *** 51,57 **** This file is updated once a day.

The patches below are available in CVS via the ! OPENBSD_3_8 patch branch.

For more detailed information on how to install patches to OpenBSD, please --- 51,57 ---- This file is updated once a day.

The patches below are available in CVS via the ! OPENBSD_3_9 patch branch.

For more detailed information on how to install patches to OpenBSD, please *************** *** 66,72 **** - --- 66,71 ---- *************** *** 77,137 ****

! 005: SECURITY FIX: February 12, 2006 All architectures
! Josh Bressers has reported a weakness in OpenSSH caused due to the insecure use of the ! system(3) ! function in ! scp(1) ! when performing copy operations using filenames that are supplied by the user from the command line. ! This can be exploited to execute shell commands with privileges of the user running ! scp(1).
! A source code patch exists which remedies this problem.

!
! 004: RELIABILITY FIX: January 13, 2006 i386 architecture
! Constrain ! i386_set_ioperm(2) ! so even root is blocked from accessing the ioports ! unless the machine is running at lower securelevels or with an open X11 aperture.
! A source code patch exists which remedies this problem.

!
! 003: RELIABILITY FIX: January 13, 2006 i386 architecture
! Change the implementation of i386 W^X so that the "execute line" can move around. ! Before it was limited to being either at 512MB (below which all code normally ! lands) or at the top of the stack. Now the line can float as ! mprotect(2) ! and ! mmap(2) ! requests need it to. This is now implemented using only GDT selectors ! instead of the LDT so that it is more robust as well.
! A source code patch exists which remedies this problem.

!
! 002: SECURITY FIX: January 5, 2006 All architectures
! Do not allow users to trick suid programs into re-opening files via /dev/fd.
! A source code patch exists which remedies this problem.

!
! 001: SECURITY FIX: January 5, 2006 All architectures
! A buffer overflow has been found in the Perl interpreter with the sprintf function which ! may be exploitable under certain conditions.
! A source code patch exists which remedies this problem.

--- 76,268 ----

! 015: SECURITY FIX: October 12, 2006 All architectures
! Fix 2 security bugs found in OpenSSH. A pre-authentication denial of service (found ! by Tavis Ormandy) that would cause ! sshd(8) ! to spin until the login grace time expired. ! An unsafe signal handler (found by Mark Dowd) that is vulnerable to a race condition ! that could be exploited to perform a pre-authentication denial of service. ! CVE-2006-4924, ! CVE-2006-5051
! A source code patch exists which remedies this problem.

!
! 014: SECURITY FIX: October 7, 2006 All architectures
! Fix for an integer overflow in ! systrace(4)'s ! STRIOCREPLACE support, found by ! Chris Evans. This could be exploited for DoS, limited kmem reads or local ! privilege escalation.
! A source code patch exists which remedies this problem.

!
! 013: SECURITY FIX: October 7, 2006 All architectures
! Several problems have been found in OpenSSL. While parsing certain invalid ASN.1 ! structures an error condition is mishandled, possibly resulting in an infinite ! loop. A buffer overflow exists in the SSL_get_shared_ciphers function. A NULL ! pointer may be dereferenced in the SSL version 2 client code. In addition, many ! applications using OpenSSL do not perform any validation of the lengths of ! public keys being used. ! CVE-2006-2937, ! CVE-2006-3738, ! CVE-2006-4343, ! CVE-2006-2940
! A source code patch exists which remedies this problem.

!
! 012: SECURITY FIX: October 7, 2006 All architectures
! httpd(8) ! does not sanitize the Expect header from an HTTP request when it is ! reflected back in an error message, which might allow cross-site scripting (XSS) ! style attacks. ! CVE-2006-3918
! A source code patch exists which remedies this problem.

!
! 011: SECURITY FIX: September 8, 2006 All architectures
! Due to incorrect PKCS#1 v1.5 padding validation in OpenSSL, it is possible for ! an attacker to construct an invalid signature which OpenSSL would accept as a ! valid PKCS#1 v1.5 signature. ! CVE-2006-4339
! A source code patch exists which remedies this problem.

+ +
+ 010: SECURITY FIX: September 8, 2006 All architectures
+ Two Denial of Service issues have been found with BIND. + An attacker who can perform recursive lookups on a DNS server and is able + to send a sufficiently large number of recursive queries, or is able to + get the DNS server to return more than one SIG(covered) RRsets can stop + the functionality of the DNS service. + An attacker querying an authoritative DNS server serving a RFC 2535 + DNSSEC zone may be able to crash the DNS server. + CVE-2006-4095 + CVE-2006-4096 +
+ + A source code patch exists which remedies this problem.
+
+ +
+ 009: SECURITY FIX: September 2, 2006 All architectures
+ Due to the failure to correctly validate LCP configuration option lengths, + it is possible for an attacker to send LCP packets via an + sppp(4) + connection causing the kernel to panic. + CVE-2006-4304 +
+ + A source code patch exists which remedies this problem.
+
+ +
+ 008: SECURITY FIX: August 25, 2006 All architectures
+ A problem in + isakmpd(8) + caused IPsec to run partly without replay protection. If + isakmpd(8) + was acting as responder during SA negotiation, SA's with a replay window of size 0 were created. + An attacker could reinject sniffed IPsec packets, which will be accepted without checking the + replay counter. +
+ + A source code patch exists which remedies this problem.
+
+ +
+ 007: SECURITY FIX: August 25, 2006 All architectures
+ It is possible to cause the kernel to panic when more than the default number of + sempahores have been allocated. +
+ + A source code patch exists which remedies this problem.
+
+ +
+ 006: SECURITY FIX: August 25, 2006 All architectures
+ Due to an off-by-one error in + dhcpd(8), + it is possible to cause + dhcpd(8) + to exit by sending a DHCPDISCOVER packet with a 32-byte client identifier option. + CVE-2006-3122 +
+ + A source code patch exists which remedies this problem.
+
+ +
+ 005: SECURITY FIX: August 25, 2006 All architectures
+ A potential denial of service problem has been found in sendmail. A message + with really long header lines could trigger a use-after-free bug causing + sendmail to crash. +
+ + A source code patch exists which remedies this problem.
+
+ +
+ 004: SECURITY FIX: July 30, 2006 All architectures
+ httpd(8)'s + mod_rewrite has a potentially exploitable off-by-one buffer overflow. + The buffer overflow may result in a vulnerability which, in combination + with certain types of Rewrite rules in the web server configuration files, + could be triggered remotely. The default install is not affected by the + buffer overflow. CVE-2006-3747 +
+ + A source code patch exists which remedies this problem.
+
+ +
+ 003: SECURITY FIX: June 15, 2006 All architectures
+ A potential denial of service problem has been found in sendmail. A malformed MIME + message could trigger excessive recursion which will lead to stack exhaustion. + This denial of service attack only affects delivery of mail from the queue and + delivery of a malformed message. Other incoming mail is still accepted and + delivered. However, mail messages in the queue may not be reattempted if a + malformed MIME message exists. +
+ + A source code patch exists which remedies this problem.
+
+ +
+ 002: SECURITY FIX: May 2, 2006 All architectures
+ A security vulnerability has been found in the X.Org server -- + CVE-2006-1526. + Clients authorized to connect to the X server are able to crash it and to execute + malicious code within the X server. +
+ + A source code patch exists which remedies this problem.
+
+ +
+ 001: SECURITY FIX: March 25, 2006 All architectures
+ A race condition has been reported to exist in the handling by sendmail of + asynchronous signals. A remote attacker may be able to execute arbitrary code with the + privileges of the user running sendmail, typically root. This is the second revision of + this patch. +
+ + A source code patch exists which remedies this problem.
+

*************** *** 159,171 **** 3.6, 3.7, 3.8, ! current.

www@openbsd.org !
$OpenBSD: errata39.html,v 1.2 2006/03/08 19:53:56 deraadt dead $ --- 290,302 ---- 3.6, 3.7, 3.8, ! 4.0.

www@openbsd.org !
$OpenBSD: errata39.html,v 1.3 2006/10/30 20:59:45 deraadt Exp $