===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/errata39.html,v
retrieving revision 1.70
retrieving revision 1.71
diff -c -r1.70 -r1.71
*** www/errata39.html 2019/05/27 22:55:20 1.70
--- www/errata39.html 2019/05/28 16:32:42 1.71
***************
*** 85,232 ****
! -
! 023: STABILITY FIX: April 26, 2007
! PowerPC
! An unhandled AltiVec assist exception can cause a kernel panic.
!
A source code patch exists which remedies this problem.
!
-
! 022: SECURITY FIX: April 23, 2007
All architectures
! IPv6 type 0 route headers can be used to mount a DoS attack against
! hosts and networks. This is a design flaw in IPv6 and not a bug in
! OpenBSD.
!
A source code patch exists which remedies this problem.
!
-
! 021: SECURITY FIX: April 4, 2007
All architectures
! Multiple vulnerabilities have been discovered in X.Org.
! XC-MISC extension ProcXCMiscGetXIDList memory corruption vulnerability,
! BDFFont parsing integer overflow vulnerability,
! fonts.dir file parsing integer overflow vulnerability,
! multiple integer overflows in the XGetPixel() and XInitImage functions
! in ImUtil.c.
! CVE-2007-1003,
! CVE-2007-1351,
! CVE-2007-1352,
! CVE-2007-1667.
!
A source code patch exists which remedies this problem.
!
-
! 020: SECURITY FIX: March 7, 2007
All architectures
! 2nd revision, March 17, 2007
! Incorrect mbuf handling for ICMP6 packets.
! Using
! pf(4)
! to avoid the problem packets is an effective workaround until the patch
! can be installed.
! Use "block in inet6" in /etc/pf.conf
!
A source code patch exists which remedies this problem.
!
-
! 019: INTEROPERABILITY FIX: February 4, 2007
All architectures
! A US daylight saving time rules change takes effect in 2007.
!
! A source code patch exists which syncs the timezone data files with tzdata2007a.
!
-
! 018: RELIABILITY FIX: January 16, 2007
All architectures
! Under some circumstances, processing an ICMP6 echo request would cause
! the kernel to enter an infinite loop.
!
A source code patch exists which remedies this problem.
!
-
! 017: SECURITY FIX: January 3, 2007
! i386 only
! Insufficient validation in
! vga(4)
! may allow an attacker to gain root privileges if the kernel is compiled with
! option PCIAGP
! and the actual device is not an AGP device.
! The PCIAGP
option is present by default on i386
! kernels only.
!
A source code patch exists which remedies this problem.
!
-
! 016: SECURITY FIX: November 19, 2006
All architectures
! The ELF
! ld.so(1)
! fails to properly sanitize the environment. There is a potential localhost security
! problem in cases we have not found yet. This patch applies to all ELF-based
! systems (m68k, m88k, and vax are a.out-based systems).
!
A source code patch exists which remedies this problem.
!
-
! 015: SECURITY FIX: October 12, 2006
All architectures
! Fix 2 security bugs found in OpenSSH. A pre-authentication denial of service (found
! by Tavis Ormandy) that would cause
! sshd(8)
! to spin until the login grace time expired.
! An unsafe signal handler (found by Mark Dowd) that is vulnerable to a race condition
! that could be exploited to perform a pre-authentication denial of service.
! CVE-2006-4924,
! CVE-2006-5051
!
A source code patch exists which remedies this problem.
!
-
! 014: SECURITY FIX: October 7, 2006
All architectures
! Fix for an integer overflow in
! systrace(4)'s
! STRIOCREPLACE support, found by
! Chris Evans. This could be exploited for DoS, limited kmem reads or local
! privilege escalation.
!
A source code patch exists which remedies this problem.
!
-
! 013: SECURITY FIX: October 7, 2006
All architectures
! Several problems have been found in OpenSSL. While parsing certain invalid ASN.1
! structures an error condition is mishandled, possibly resulting in an infinite
! loop. A buffer overflow exists in the SSL_get_shared_ciphers function. A NULL
! pointer may be dereferenced in the SSL version 2 client code. In addition, many
! applications using OpenSSL do not perform any validation of the lengths of
! public keys being used.
! CVE-2006-2937,
! CVE-2006-3738,
! CVE-2006-4343,
! CVE-2006-2940
!
A source code patch exists which remedies this problem.
--- 85,231 ----
! -
! 001: SECURITY FIX: March 25, 2006
! All architectures
! A race condition has been reported to exist in the handling by sendmail of
! asynchronous signals. A remote attacker may be able to execute arbitrary code with the
! privileges of the user running sendmail, typically root. This is the second revision of
! this patch.
!
!
A source code patch exists which remedies this problem.
!
-
! 002: SECURITY FIX: May 2, 2006
All architectures
! A security vulnerability has been found in the X.Org server --
! CVE-2006-1526.
! Clients authorized to connect to the X server are able to crash it and to execute
! malicious code within the X server.
!
!
A source code patch exists which remedies this problem.
!
-
! 003: SECURITY FIX: June 15, 2006
All architectures
! A potential denial of service problem has been found in sendmail. A malformed MIME
! message could trigger excessive recursion which will lead to stack exhaustion.
! This denial of service attack only affects delivery of mail from the queue and
! delivery of a malformed message. Other incoming mail is still accepted and
! delivered. However, mail messages in the queue may not be reattempted if a
! malformed MIME message exists.
!
A source code patch exists which remedies this problem.
!
-
! 004: SECURITY FIX: July 30, 2006
All architectures
! httpd(8)'s
! mod_rewrite has a potentially exploitable off-by-one buffer overflow.
! The buffer overflow may result in a vulnerability which, in combination
! with certain types of Rewrite rules in the web server configuration files,
! could be triggered remotely. The default install is not affected by the
! buffer overflow. CVE-2006-3747
!
A source code patch exists which remedies this problem.
!
-
! 005: SECURITY FIX: August 25, 2006
All architectures
! A potential denial of service problem has been found in sendmail. A message
! with really long header lines could trigger a use-after-free bug causing
! sendmail to crash.
!
! A source code patch exists which remedies this problem.
!
-
! 006: SECURITY FIX: August 25, 2006
All architectures
! Due to an off-by-one error in
! dhcpd(8),
! it is possible to cause
! dhcpd(8)
! to exit by sending a DHCPDISCOVER packet with a 32-byte client identifier option.
! CVE-2006-3122
!
A source code patch exists which remedies this problem.
!
-
! 007: SECURITY FIX: August 25, 2006
! All architectures
! It is possible to cause the kernel to panic when more than the default number of
! sempahores have been allocated.
!
A source code patch exists which remedies this problem.
!
-
! 008: SECURITY FIX: August 25, 2006
All architectures
! A problem in
! isakmpd(8)
! caused IPsec to run partly without replay protection. If
! isakmpd(8)
! was acting as responder during SA negotiation, SA's with a replay window of size 0 were created.
! An attacker could reinject sniffed IPsec packets, which will be accepted without checking the
! replay counter.
!
A source code patch exists which remedies this problem.
!
-
! 009: SECURITY FIX: September 2, 2006
All architectures
! Due to the failure to correctly validate LCP configuration option lengths,
! it is possible for an attacker to send LCP packets via an
! sppp(4)
! connection causing the kernel to panic.
! CVE-2006-4304
!
A source code patch exists which remedies this problem.
!
-
! 010: SECURITY FIX: September 8, 2006
All architectures
! Two Denial of Service issues have been found with BIND.
! An attacker who can perform recursive lookups on a DNS server and is able
! to send a sufficiently large number of recursive queries, or is able to
! get the DNS server to return more than one SIG(covered) RRsets can stop
! the functionality of the DNS service.
! An attacker querying an authoritative DNS server serving a RFC 2535
! DNSSEC zone may be able to crash the DNS server.
! CVE-2006-4095
! CVE-2006-4096
!
A source code patch exists which remedies this problem.
!
-
! 011: SECURITY FIX: September 8, 2006
All architectures
! Due to incorrect PKCS#1 v1.5 padding validation in OpenSSL, it is possible for
! an attacker to construct an invalid signature which OpenSSL would accept as a
! valid PKCS#1 v1.5 signature.
! CVE-2006-4339
!
A source code patch exists which remedies this problem.
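Review bot: the spelling error "sempahores" in entry 007 (the line "sempahores have been allocated.") is carried over verbatim into the reordered block; since the whole entry is already being rewritten into this hunk, correct it to "semaphores" here rather than leaving it for a follow-up commit. The same applies to "SA's with a replay window of size 0" in entry 008, where the plural should be "SAs". Everything else in the hunk is a pure reversal of entry order (001 through 011 now ascending where 023 through 013 descended), with the entry text otherwise identical to what the second hunk removes.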
***************
*** 243,389 ****
A source code patch exists which remedies this problem.
!
-
! 011: SECURITY FIX: September 8, 2006
All architectures
! Due to incorrect PKCS#1 v1.5 padding validation in OpenSSL, it is possible for
! an attacker to construct an invalid signature which OpenSSL would accept as a
! valid PKCS#1 v1.5 signature.
! CVE-2006-4339
!
A source code patch exists which remedies this problem.
!
-
! 010: SECURITY FIX: September 8, 2006
All architectures
! Two Denial of Service issues have been found with BIND.
! An attacker who can perform recursive lookups on a DNS server and is able
! to send a sufficiently large number of recursive queries, or is able to
! get the DNS server to return more than one SIG(covered) RRsets can stop
! the functionality of the DNS service.
! An attacker querying an authoritative DNS server serving a RFC 2535
! DNSSEC zone may be able to crash the DNS server.
! CVE-2006-4095
! CVE-2006-4096
!
A source code patch exists which remedies this problem.
!
-
! 009: SECURITY FIX: September 2, 2006
All architectures
! Due to the failure to correctly validate LCP configuration option lengths,
! it is possible for an attacker to send LCP packets via an
! sppp(4)
! connection causing the kernel to panic.
! CVE-2006-4304
!
A source code patch exists which remedies this problem.
!
-
! 008: SECURITY FIX: August 25, 2006
All architectures
! A problem in
! isakmpd(8)
! caused IPsec to run partly without replay protection. If
! isakmpd(8)
! was acting as responder during SA negotiation, SA's with a replay window of size 0 were created.
! An attacker could reinject sniffed IPsec packets, which will be accepted without checking the
! replay counter.
!
A source code patch exists which remedies this problem.
!
-
! 007: SECURITY FIX: August 25, 2006
! All architectures
! It is possible to cause the kernel to panic when more than the default number of
! sempahores have been allocated.
!
A source code patch exists which remedies this problem.
!
-
! 006: SECURITY FIX: August 25, 2006
All architectures
! Due to an off-by-one error in
! dhcpd(8),
! it is possible to cause
! dhcpd(8)
! to exit by sending a DHCPDISCOVER packet with a 32-byte client identifier option.
! CVE-2006-3122
!
A source code patch exists which remedies this problem.
!
-
! 005: SECURITY FIX: August 25, 2006
All architectures
! A potential denial of service problem has been found in sendmail. A message
! with really long header lines could trigger a use-after-free bug causing
! sendmail to crash.
!
! A source code patch exists which remedies this problem.
!
-
! 004: SECURITY FIX: July 30, 2006
All architectures
! httpd(8)'s
! mod_rewrite has a potentially exploitable off-by-one buffer overflow.
! The buffer overflow may result in a vulnerability which, in combination
! with certain types of Rewrite rules in the web server configuration files,
! could be triggered remotely. The default install is not affected by the
! buffer overflow. CVE-2006-3747
!
A source code patch exists which remedies this problem.
!
-
! 003: SECURITY FIX: June 15, 2006
All architectures
! A potential denial of service problem has been found in sendmail. A malformed MIME
! message could trigger excessive recursion which will lead to stack exhaustion.
! This denial of service attack only affects delivery of mail from the queue and
! delivery of a malformed message. Other incoming mail is still accepted and
! delivered. However, mail messages in the queue may not be reattempted if a
! malformed MIME message exists.
!
A source code patch exists which remedies this problem.
!
-
! 002: SECURITY FIX: May 2, 2006
All architectures
! A security vulnerability has been found in the X.Org server --
! CVE-2006-1526.
! Clients authorized to connect to the X server are able to crash it and to execute
! malicious code within the X server.
!
!
A source code patch exists which remedies this problem.
!
-
! 001: SECURITY FIX: March 25, 2006
! All architectures
! A race condition has been reported to exist in the handling by sendmail of
! asynchronous signals. A remote attacker may be able to execute arbitrary code with the
! privileges of the user running sendmail, typically root. This is the second revision of
! this patch.
!
!
A source code patch exists which remedies this problem.
--- 242,389 ----
A source code patch exists which remedies this problem.
!
-
! 013: SECURITY FIX: October 7, 2006
All architectures
! Several problems have been found in OpenSSL. While parsing certain invalid ASN.1
! structures an error condition is mishandled, possibly resulting in an infinite
! loop. A buffer overflow exists in the SSL_get_shared_ciphers function. A NULL
! pointer may be dereferenced in the SSL version 2 client code. In addition, many
! applications using OpenSSL do not perform any validation of the lengths of
! public keys being used.
! CVE-2006-2937,
! CVE-2006-3738,
! CVE-2006-4343,
! CVE-2006-2940
!
A source code patch exists which remedies this problem.
!
-
! 014: SECURITY FIX: October 7, 2006
All architectures
! Fix for an integer overflow in
! systrace(4)'s
! STRIOCREPLACE support, found by
! Chris Evans. This could be exploited for DoS, limited kmem reads or local
! privilege escalation.
!
A source code patch exists which remedies this problem.
!
-
! 015: SECURITY FIX: October 12, 2006
All architectures
! Fix 2 security bugs found in OpenSSH. A pre-authentication denial of service (found
! by Tavis Ormandy) that would cause
! sshd(8)
! to spin until the login grace time expired.
! An unsafe signal handler (found by Mark Dowd) that is vulnerable to a race condition
! that could be exploited to perform a pre-authentication denial of service.
! CVE-2006-4924,
! CVE-2006-5051
!
A source code patch exists which remedies this problem.
!
-
! 016: SECURITY FIX: November 19, 2006
All architectures
! The ELF
! ld.so(1)
! fails to properly sanitize the environment. There is a potential localhost security
! problem in cases we have not found yet. This patch applies to all ELF-based
! systems (m68k, m88k, and vax are a.out-based systems).
!
A source code patch exists which remedies this problem.
!
-
! 017: SECURITY FIX: January 3, 2007
! i386 only
! Insufficient validation in
! vga(4)
! may allow an attacker to gain root privileges if the kernel is compiled with
! option PCIAGP
! and the actual device is not an AGP device.
! The PCIAGP
option is present by default on i386
! kernels only.
!
A source code patch exists which remedies this problem.
!
-
! 018: RELIABILITY FIX: January 16, 2007
All architectures
! Under some circumstances, processing an ICMP6 echo request would cause
! the kernel to enter an infinite loop.
!
A source code patch exists which remedies this problem.
!
-
! 019: INTEROPERABILITY FIX: February 4, 2007
All architectures
! A US daylight saving time rules change takes effect in 2007.
!
! A source code patch exists which syncs the timezone data files with tzdata2007a.
!
-
! 020: SECURITY FIX: March 7, 2007
All architectures
! 2nd revision, March 17, 2007
! Incorrect mbuf handling for ICMP6 packets.
! Using
! pf(4)
! to avoid the problem packets is an effective workaround until the patch
! can be installed.
! Use "block in inet6" in /etc/pf.conf
!
A source code patch exists which remedies this problem.
!
-
! 021: SECURITY FIX: April 4, 2007
All architectures
! Multiple vulnerabilities have been discovered in X.Org.
! XC-MISC extension ProcXCMiscGetXIDList memory corruption vulnerability,
! BDFFont parsing integer overflow vulnerability,
! fonts.dir file parsing integer overflow vulnerability,
! multiple integer overflows in the XGetPixel() and XInitImage functions
! in ImUtil.c.
! CVE-2007-1003,
! CVE-2007-1351,
! CVE-2007-1352,
! CVE-2007-1667.
!
A source code patch exists which remedies this problem.
!
-
! 022: SECURITY FIX: April 23, 2007
All architectures
! IPv6 type 0 route headers can be used to mount a DoS attack against
! hosts and networks. This is a design flaw in IPv6 and not a bug in
! OpenBSD.
!
A source code patch exists which remedies this problem.
!
-
! 023: STABILITY FIX: April 26, 2007
! PowerPC
! An unhandled AltiVec assist exception can cause a kernel panic.
!
A source code patch exists which remedies this problem.
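Review bot: entries 018 and 023 describe the same class of defect (a kernel infinite loop and a kernel panic) but carry different category labels, "RELIABILITY FIX" and "STABILITY FIX"; pick one label for non-security kernel-crash fixes so the page's categories stay consistent, or document what distinguishes the two. Also worth noting for the commit message: together with the previous hunk, this reorders the errata list from newest-first to oldest-first (013 through 023 now ascend), which is a navigational change readers of the page will notice and the log should state.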