=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/errata39.html,v retrieving revision 1.70 retrieving revision 1.71 diff -c -r1.70 -r1.71 *** www/errata39.html 2019/05/27 22:55:20 1.70 --- www/errata39.html 2019/05/28 16:32:42 1.71 *************** *** 85,232 ****

! 023: STABILITY FIX: April 26, 2007 ! PowerPC
! An unhandled AltiVec assist exception can cause a kernel panic.
! A source code patch exists which remedies this problem.
!
! 022: SECURITY FIX: April 23, 2007 All architectures
! IPv6 type 0 route headers can be used to mount a DoS attack against ! hosts and networks. This is a design flaw in IPv6 and not a bug in ! OpenBSD.
! A source code patch exists which remedies this problem.
!
! 021: SECURITY FIX: April 4, 2007 All architectures
! Multiple vulnerabilities have been discovered in X.Org.
! XC-MISC extension ProcXCMiscGetXIDList memory corruption vulnerability, ! BDFFont parsing integer overflow vulnerability, ! fonts.dir file parsing integer overflow vulnerability, ! multiple integer overflows in the XGetPixel() and XInitImage functions ! in ImUtil.c. ! CVE-2007-1003, ! CVE-2007-1351, ! CVE-2007-1352, ! CVE-2007-1667.
! A source code patch exists which remedies this problem.
!
! 020: SECURITY FIX: March 7, 2007 All architectures
! 2nd revision, March 17, 2007
! Incorrect mbuf handling for ICMP6 packets.
! Using ! pf(4) ! to avoid the problem packets is an effective workaround until the patch ! can be installed.
! Use "block in inet6" in /etc/pf.conf
! A source code patch exists which remedies this problem.
!
! 019: INTEROPERABILITY FIX: February 4, 2007 All architectures
! A US daylight saving time rules change takes effect in 2007.
! ! A source code patch exists which syncs the timezone data files with tzdata2007a.

!
! 018: RELIABILITY FIX: January 16, 2007 All architectures
! Under some circumstances, processing an ICMP6 echo request would cause ! the kernel to enter an infinite loop.
! A source code patch exists which remedies this problem.
!
! 017: SECURITY FIX: January 3, 2007 ! i386 only
! Insufficient validation in ! vga(4) ! may allow an attacker to gain root privileges if the kernel is compiled with ! option PCIAGP ! and the actual device is not an AGP device. ! The PCIAGP option is present by default on i386 ! kernels only.
! A source code patch exists which remedies this problem.
!
! 016: SECURITY FIX: November 19, 2006 All architectures
! The ELF ! ld.so(1) ! fails to properly sanitize the environment. There is a potential localhost security ! problem in cases we have not found yet. This patch applies to all ELF-based ! systems (m68k, m88k, and vax are a.out-based systems).
! A source code patch exists which remedies this problem.
!
! 015: SECURITY FIX: October 12, 2006 All architectures
! Fix 2 security bugs found in OpenSSH. A pre-authentication denial of service (found ! by Tavis Ormandy) that would cause ! sshd(8) ! to spin until the login grace time expired. ! An unsafe signal handler (found by Mark Dowd) that is vulnerable to a race condition ! that could be exploited to perform a pre-authentication denial of service. ! CVE-2006-4924, ! CVE-2006-5051
! A source code patch exists which remedies this problem.
!
! 014: SECURITY FIX: October 7, 2006 All architectures
! Fix for an integer overflow in ! systrace(4)'s ! STRIOCREPLACE support, found by ! Chris Evans. This could be exploited for DoS, limited kmem reads or local ! privilege escalation.
! A source code patch exists which remedies this problem.
!
! 013: SECURITY FIX: October 7, 2006 All architectures
! Several problems have been found in OpenSSL. While parsing certain invalid ASN.1 ! structures an error condition is mishandled, possibly resulting in an infinite ! loop. A buffer overflow exists in the SSL_get_shared_ciphers function. A NULL ! pointer may be dereferenced in the SSL version 2 client code. In addition, many ! applications using OpenSSL do not perform any validation of the lengths of ! public keys being used. ! CVE-2006-2937, ! CVE-2006-3738, ! CVE-2006-4343, ! CVE-2006-2940
! A source code patch exists which remedies this problem.
--- 85,231 ----
- ! 001: SECURITY FIX: March 25, 2006 ! All architectures
  ! A race condition has been reported to exist in the handling by sendmail of ! asynchronous signals. A remote attacker may be able to execute arbitrary code with the ! privileges of the user running sendmail, typically root. This is the second revision of ! this patch. !
  ! A source code patch exists which remedies this problem.
  !
- ! 002: SECURITY FIX: May 2, 2006 All architectures
  ! A security vulnerability has been found in the X.Org server -- ! CVE-2006-1526. ! Clients authorized to connect to the X server are able to crash it and to execute ! malicious code within the X server. !
  ! A source code patch exists which remedies this problem.
  !
- ! 003: SECURITY FIX: June 15, 2006 All architectures
  ! A potential denial of service problem has been found in sendmail. A malformed MIME ! message could trigger excessive recursion which will lead to stack exhaustion. ! This denial of service attack only affects delivery of mail from the queue and ! delivery of a malformed message. Other incoming mail is still accepted and ! delivered. However, mail messages in the queue may not be reattempted if a ! malformed MIME message exists.
  ! A source code patch exists which remedies this problem.
  !
- ! 004: SECURITY FIX: July 30, 2006 All architectures
  ! httpd(8)'s ! mod_rewrite has a potentially exploitable off-by-one buffer overflow. ! The buffer overflow may result in a vulnerability which, in combination ! with certain types of Rewrite rules in the web server configuration files, ! could be triggered remotely. The default install is not affected by the ! buffer overflow. CVE-2006-3747
  ! A source code patch exists which remedies this problem.
  !
- ! 005: SECURITY FIX: August 25, 2006 All architectures
  ! A potential denial of service problem has been found in sendmail. A message ! with really long header lines could trigger a use-after-free bug causing ! sendmail to crash.
  ! ! A source code patch exists which remedies this problem.
  !
- ! 006: SECURITY FIX: August 25, 2006 All architectures
  ! Due to an off-by-one error in ! dhcpd(8), ! it is possible to cause ! dhcpd(8) ! to exit by sending a DHCPDISCOVER packet with a 32-byte client identifier option. ! CVE-2006-3122
  ! A source code patch exists which remedies this problem.
  !
- ! 007: SECURITY FIX: August 25, 2006 ! All architectures
  ! It is possible to cause the kernel to panic when more than the default number of ! sempahores have been allocated.
  ! A source code patch exists which remedies this problem.
  !
- ! 008: SECURITY FIX: August 25, 2006 All architectures
  ! A problem in ! isakmpd(8) ! caused IPsec to run partly without replay protection. If ! isakmpd(8) ! was acting as responder during SA negotiation, SA's with a replay window of size 0 were created. ! An attacker could reinject sniffed IPsec packets, which will be accepted without checking the ! replay counter.
  ! A source code patch exists which remedies this problem.
  !
- ! 009: SECURITY FIX: September 2, 2006 All architectures
  ! Due to the failure to correctly validate LCP configuration option lengths, ! it is possible for an attacker to send LCP packets via an ! sppp(4) ! connection causing the kernel to panic. ! CVE-2006-4304
  ! A source code patch exists which remedies this problem.
  !
- ! 010: SECURITY FIX: September 8, 2006 All architectures
  ! Two Denial of Service issues have been found with BIND. ! An attacker who can perform recursive lookups on a DNS server and is able ! to send a sufficiently large number of recursive queries, or is able to ! get the DNS server to return more than one SIG(covered) RRsets can stop ! the functionality of the DNS service. ! An attacker querying an authoritative DNS server serving a RFC 2535 ! DNSSEC zone may be able to crash the DNS server. ! CVE-2006-4095 ! CVE-2006-4096
  ! A source code patch exists which remedies this problem.
  !
- ! 011: SECURITY FIX: September 8, 2006 All architectures
  ! Due to incorrect PKCS#1 v1.5 padding validation in OpenSSL, it is possible for ! an attacker to construct an invalid signature which OpenSSL would accept as a ! valid PKCS#1 v1.5 signature. ! CVE-2006-4339
  ! A source code patch exists which remedies this problem.
  *************** *** 243,389 **** A source code patch exists which remedies this problem.
  !
- ! 011: SECURITY FIX: September 8, 2006 All architectures
  ! Due to incorrect PKCS#1 v1.5 padding validation in OpenSSL, it is possible for ! an attacker to construct an invalid signature which OpenSSL would accept as a ! valid PKCS#1 v1.5 signature. ! CVE-2006-4339
  ! A source code patch exists which remedies this problem.
  !
- ! 010: SECURITY FIX: September 8, 2006 All architectures
  ! Two Denial of Service issues have been found with BIND. ! An attacker who can perform recursive lookups on a DNS server and is able ! to send a sufficiently large number of recursive queries, or is able to ! get the DNS server to return more than one SIG(covered) RRsets can stop ! the functionality of the DNS service. ! An attacker querying an authoritative DNS server serving a RFC 2535 ! DNSSEC zone may be able to crash the DNS server. ! CVE-2006-4095 ! CVE-2006-4096
  ! A source code patch exists which remedies this problem.
  !
- ! 009: SECURITY FIX: September 2, 2006 All architectures
  ! Due to the failure to correctly validate LCP configuration option lengths, ! it is possible for an attacker to send LCP packets via an ! sppp(4) ! connection causing the kernel to panic. ! CVE-2006-4304
  ! A source code patch exists which remedies this problem.
  !
- ! 008: SECURITY FIX: August 25, 2006 All architectures
  ! A problem in ! isakmpd(8) ! caused IPsec to run partly without replay protection. If ! isakmpd(8) ! was acting as responder during SA negotiation, SA's with a replay window of size 0 were created. ! An attacker could reinject sniffed IPsec packets, which will be accepted without checking the ! replay counter.
  ! A source code patch exists which remedies this problem.
  !
- ! 007: SECURITY FIX: August 25, 2006 ! All architectures
  ! It is possible to cause the kernel to panic when more than the default number of ! sempahores have been allocated.
  ! A source code patch exists which remedies this problem.
  !
- ! 006: SECURITY FIX: August 25, 2006 All architectures
  ! Due to an off-by-one error in ! dhcpd(8), ! it is possible to cause ! dhcpd(8) ! to exit by sending a DHCPDISCOVER packet with a 32-byte client identifier option. ! CVE-2006-3122
  ! A source code patch exists which remedies this problem.
  !
- ! 005: SECURITY FIX: August 25, 2006 All architectures
  ! A potential denial of service problem has been found in sendmail. A message ! with really long header lines could trigger a use-after-free bug causing ! sendmail to crash.
  ! ! A source code patch exists which remedies this problem.
  !
- ! 004: SECURITY FIX: July 30, 2006 All architectures
  ! httpd(8)'s ! mod_rewrite has a potentially exploitable off-by-one buffer overflow. ! The buffer overflow may result in a vulnerability which, in combination ! with certain types of Rewrite rules in the web server configuration files, ! could be triggered remotely. The default install is not affected by the ! buffer overflow. CVE-2006-3747
  ! A source code patch exists which remedies this problem.
  !
- ! 003: SECURITY FIX: June 15, 2006 All architectures
  ! A potential denial of service problem has been found in sendmail. A malformed MIME ! message could trigger excessive recursion which will lead to stack exhaustion. ! This denial of service attack only affects delivery of mail from the queue and ! delivery of a malformed message. Other incoming mail is still accepted and ! delivered. However, mail messages in the queue may not be reattempted if a ! malformed MIME message exists.
  ! A source code patch exists which remedies this problem.
  !
- ! 002: SECURITY FIX: May 2, 2006 All architectures
  ! A security vulnerability has been found in the X.Org server -- ! CVE-2006-1526. ! Clients authorized to connect to the X server are able to crash it and to execute ! malicious code within the X server. !
  ! A source code patch exists which remedies this problem.
  !
- ! 001: SECURITY FIX: March 25, 2006 ! All architectures
  ! A race condition has been reported to exist in the handling by sendmail of ! asynchronous signals. A remote attacker may be able to execute arbitrary code with the ! privileges of the user running sendmail, typically root. This is the second revision of ! this patch. !
  ! A source code patch exists which remedies this problem.
  --- 242,389 ---- A source code patch exists which remedies this problem.
  !
- ! 013: SECURITY FIX: October 7, 2006 All architectures
  ! Several problems have been found in OpenSSL. While parsing certain invalid ASN.1 ! structures an error condition is mishandled, possibly resulting in an infinite ! loop. A buffer overflow exists in the SSL_get_shared_ciphers function. A NULL ! pointer may be dereferenced in the SSL version 2 client code. In addition, many ! applications using OpenSSL do not perform any validation of the lengths of ! public keys being used. ! CVE-2006-2937, ! CVE-2006-3738, ! CVE-2006-4343, ! CVE-2006-2940
  ! A source code patch exists which remedies this problem.
  !
- ! 014: SECURITY FIX: October 7, 2006 All architectures
  ! Fix for an integer overflow in ! systrace(4)'s ! STRIOCREPLACE support, found by ! Chris Evans. This could be exploited for DoS, limited kmem reads or local ! privilege escalation.
  ! A source code patch exists which remedies this problem.
  !
- ! 015: SECURITY FIX: October 12, 2006 All architectures
  ! Fix 2 security bugs found in OpenSSH. A pre-authentication denial of service (found ! by Tavis Ormandy) that would cause ! sshd(8) ! to spin until the login grace time expired. ! An unsafe signal handler (found by Mark Dowd) that is vulnerable to a race condition ! that could be exploited to perform a pre-authentication denial of service. ! CVE-2006-4924, ! CVE-2006-5051
  ! A source code patch exists which remedies this problem.
  !
- ! 016: SECURITY FIX: November 19, 2006 All architectures
  ! The ELF ! ld.so(1) ! fails to properly sanitize the environment. There is a potential localhost security ! problem in cases we have not found yet. This patch applies to all ELF-based ! systems (m68k, m88k, and vax are a.out-based systems).
  ! A source code patch exists which remedies this problem.
  !
- ! 017: SECURITY FIX: January 3, 2007 ! i386 only
  ! Insufficient validation in ! vga(4) ! may allow an attacker to gain root privileges if the kernel is compiled with ! option PCIAGP ! and the actual device is not an AGP device. ! The PCIAGP option is present by default on i386 ! kernels only.
  ! A source code patch exists which remedies this problem.
  !
- ! 018: RELIABILITY FIX: January 16, 2007 All architectures
  ! Under some circumstances, processing an ICMP6 echo request would cause ! the kernel to enter an infinite loop.
  ! A source code patch exists which remedies this problem.
  !
- ! 019: INTEROPERABILITY FIX: February 4, 2007 All architectures
  ! A US daylight saving time rules change takes effect in 2007.
  ! ! A source code patch exists which syncs the timezone data files with tzdata2007a.
  
  !
- ! 020: SECURITY FIX: March 7, 2007 All architectures
  ! 2nd revision, March 17, 2007
  ! Incorrect mbuf handling for ICMP6 packets.
  ! Using ! pf(4) ! to avoid the problem packets is an effective workaround until the patch ! can be installed.
  ! Use "block in inet6" in /etc/pf.conf
  ! A source code patch exists which remedies this problem.
  !
- ! 021: SECURITY FIX: April 4, 2007 All architectures
  ! Multiple vulnerabilities have been discovered in X.Org.
  ! XC-MISC extension ProcXCMiscGetXIDList memory corruption vulnerability, ! BDFFont parsing integer overflow vulnerability, ! fonts.dir file parsing integer overflow vulnerability, ! multiple integer overflows in the XGetPixel() and XInitImage functions ! in ImUtil.c. ! CVE-2007-1003, ! CVE-2007-1351, ! CVE-2007-1352, ! CVE-2007-1667.
  ! A source code patch exists which remedies this problem.
  !
- ! 022: SECURITY FIX: April 23, 2007 All architectures
  ! IPv6 type 0 route headers can be used to mount a DoS attack against ! hosts and networks. This is a design flaw in IPv6 and not a bug in ! OpenBSD.
  ! A source code patch exists which remedies this problem.
  !
- ! 023: STABILITY FIX: April 26, 2007 ! PowerPC
  ! An unhandled AltiVec assist exception can cause a kernel panic.
  ! A source code patch exists which remedies this problem.