=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/errata39.html,v retrieving revision 1.53 retrieving revision 1.54 diff -c -r1.53 -r1.54 *** www/errata39.html 2016/02/20 14:18:42 1.53 --- www/errata39.html 2016/03/21 05:46:20 1.54 *************** *** 126,132 **** 2nd revision, March 17, 2007
Incorrect mbuf handling for ICMP6 packets.
Using ! pf(4) to avoid the problem packets is an effective workaround until the patch can be installed.
Use "block in inet6" in /etc/pf.conf --- 126,132 ---- 2nd revision, March 17, 2007
Incorrect mbuf handling for ICMP6 packets.
Using ! pf(4) to avoid the problem packets is an effective workaround until the patch can be installed.
Use "block in inet6" in /etc/pf.conf *************** *** 158,164 **** 017: SECURITY FIX: January 3, 2007   i386 only
Insufficient validation in ! vga(4) may allow an attacker to gain root privileges if the kernel is compiled with option PCIAGP and the actual device is not an AGP device. --- 158,164 ---- 017: SECURITY FIX: January 3, 2007   i386 only
Insufficient validation in ! vga(4) may allow an attacker to gain root privileges if the kernel is compiled with option PCIAGP and the actual device is not an AGP device. *************** *** 173,179 **** 016: SECURITY FIX: November 19, 2006   All architectures
The ELF ! ld.so(1) fails to properly sanitize the environment. There is a potential localhost security problem in cases we have not found yet. This patch applies to all ELF-based systems (m68k, m88k, and vax are a.out-based systems). --- 173,179 ---- 016: SECURITY FIX: November 19, 2006   All architectures
The ELF ! ld.so(1) fails to properly sanitize the environment. There is a potential localhost security problem in cases we have not found yet. This patch applies to all ELF-based systems (m68k, m88k, and vax are a.out-based systems). *************** *** 187,193 ****   All architectures
Fix 2 security bugs found in OpenSSH. A pre-authentication denial of service (found by Tavis Ormandy) that would cause ! sshd(8) to spin until the login grace time expired. An unsafe signal handler (found by Mark Dowd) that is vulnerable to a race condition that could be exploited to perform a pre-authentication denial of service. --- 187,193 ----   All architectures
Fix 2 security bugs found in OpenSSH. A pre-authentication denial of service (found by Tavis Ormandy) that would cause ! sshd(8) to spin until the login grace time expired. An unsafe signal handler (found by Mark Dowd) that is vulnerable to a race condition that could be exploited to perform a pre-authentication denial of service. *************** *** 202,208 **** 014: SECURITY FIX: October 7, 2006   All architectures
Fix for an integer overflow in ! systrace(4)'s STRIOCREPLACE support, found by Chris Evans. This could be exploited for DoS, limited kmem reads or local privilege escalation. --- 202,208 ---- 014: SECURITY FIX: October 7, 2006   All architectures
Fix for an integer overflow in ! systrace(4)'s STRIOCREPLACE support, found by Chris Evans. This could be exploited for DoS, limited kmem reads or local privilege escalation. *************** *** 232,238 ****
  • 012: SECURITY FIX: October 7, 2006   All architectures
    ! httpd(8) does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks. --- 232,238 ----
  • 012: SECURITY FIX: October 7, 2006   All architectures
    ! httpd(8) does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks. *************** *** 276,282 ****   All architectures
    Due to the failure to correctly validate LCP configuration option lengths, it is possible for an attacker to send LCP packets via an ! sppp(4) connection causing the kernel to panic. CVE-2006-4304
    --- 276,282 ----   All architectures
    Due to the failure to correctly validate LCP configuration option lengths, it is possible for an attacker to send LCP packets via an ! sppp(4) connection causing the kernel to panic. CVE-2006-4304
    *************** *** 288,296 **** 008: SECURITY FIX: August 25, 2006   All architectures
    A problem in ! isakmpd(8) caused IPsec to run partly without replay protection. If ! isakmpd(8) was acting as responder during SA negotiation, SA's with a replay window of size 0 were created. An attacker could reinject sniffed IPsec packets, which will be accepted without checking the replay counter. --- 288,296 ---- 008: SECURITY FIX: August 25, 2006   All architectures
    A problem in ! isakmpd(8) caused IPsec to run partly without replay protection. If ! isakmpd(8) was acting as responder during SA negotiation, SA's with a replay window of size 0 were created. An attacker could reinject sniffed IPsec packets, which will be accepted without checking the replay counter. *************** *** 313,321 **** 006: SECURITY FIX: August 25, 2006   All architectures
    Due to an off-by-one error in ! dhcpd(8), it is possible to cause ! dhcpd(8) to exit by sending a DHCPDISCOVER packet with a 32-byte client identifier option. CVE-2006-3122
    --- 313,321 ---- 006: SECURITY FIX: August 25, 2006   All architectures
    Due to an off-by-one error in ! dhcpd(8), it is possible to cause ! dhcpd(8) to exit by sending a DHCPDISCOVER packet with a 32-byte client identifier option. CVE-2006-3122
    *************** *** 337,343 ****
  • 004: SECURITY FIX: July 30, 2006   All architectures
    ! httpd(8)'s mod_rewrite has a potentially exploitable off-by-one buffer overflow. The buffer overflow may result in a vulnerability which, in combination with certain types of Rewrite rules in the web server configuration files, --- 337,343 ----
  • 004: SECURITY FIX: July 30, 2006   All architectures
    ! httpd(8)'s mod_rewrite has a potentially exploitable off-by-one buffer overflow. The buffer overflow may result in a vulnerability which, in combination with certain types of Rewrite rules in the web server configuration files,
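Review bot: The workaround line in the 126,132 hunk, `Use "block in inet6" in /etc/pf.conf`, does not say that this rule matches every inbound IPv6 packet, not only the ICMP6 packets the entry is about. Suggest stating that in the sentence. Since pf(4) applies the last matching rule, also say where the line has to sit in the ruleset (or that it needs `quick`) so a later pass rule does not undo it.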
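Review bot: The systrace(4) entry in the 202,208 hunk (014) carries no CVE reference, while the sppp(4) and dhcpd(8) entries in the 276,282 and 313,321 hunks do (CVE-2006-4304, CVE-2006-3122). If an identifier was assigned for the STRIOCREPLACE integer overflow, add it after the description in the same form so the entry can be cross-referenced.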
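Review bot: The wording in the unchanged text of the 288,296 hunk could be cleaned up while the isakmpd(8) lines are being touched: "SA's with a replay window of size 0" should be the plural "SAs", and "could reinject sniffed IPsec packets, which will be accepted" shifts tense mid-sentence ("which would be accepted"). It would also help to say whether SAs negotiated before the fix keep the zero-size replay window until they are renegotiated, since the entry only describes how they were created.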