===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/errata39.html,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- www/errata39.html 2006/03/08 19:53:56 1.2
+++ www/errata39.html 2006/10/30 20:59:45 1.3
@@ -42,7 +42,7 @@
3.6,
3.7,
3.8,
-current.
+4.0.
@@ -51,7 +51,7 @@
This file is updated once a day.
The patches below are available in CVS via the
-OPENBSD_3_8
patch branch.
+OPENBSD_3_9
patch branch.
For more detailed information on how to install patches to OpenBSD, please
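Review bot: Only the visible branch name changes here, from OPENBSD_3_8 to OPENBSD_3_9, while the unchanged context line "patch branch." appears twice around it, so the removed and added lines evidently differ in more than the text shown (the file is HTML, and the markup has been stripped in this listing). If the branch name is the label of an anchor, confirm that its link target was updated to the 3.9 branch along with the label, since a stale target would point readers of the 3.9 errata at the 3.8 patch branch.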
@@ -66,7 +66,6 @@
-
@@ -77,61 +76,193 @@
-
-005: SECURITY FIX: February 12, 2006 All architectures
-Josh Bressers has reported a weakness in OpenSSH caused due to the insecure use of the
-system(3)
-function in
-scp(1)
-when performing copy operations using filenames that are supplied by the user from the command line.
-This can be exploited to execute shell commands with privileges of the user running
-scp(1).
+015: SECURITY FIX: October 12, 2006 All architectures
+Fix 2 security bugs found in OpenSSH. A pre-authentication denial of service (found
+by Tavis Ormandy) that would cause
+sshd(8)
+to spin until the login grace time expired.
+An unsafe signal handler (found by Mark Dowd) that is vulnerable to a race condition
+that could be exploited to perform a pre-authentication denial of service.
+CVE-2006-4924,
+CVE-2006-5051
-
+
A source code patch exists which remedies this problem.
-
-
-004: RELIABILITY FIX: January 13, 2006 i386 architecture
-Constrain
-i386_set_ioperm(2)
-so even root is blocked from accessing the ioports
-unless the machine is running at lower securelevels or with an open X11 aperture.
+ -
+014: SECURITY FIX: October 7, 2006 All architectures
+Fix for an integer overflow in
+systrace(4)'s
+STRIOCREPLACE support, found by
+Chris Evans. This could be exploited for DoS, limited kmem reads or local
+privilege escalation.
-
+
A source code patch exists which remedies this problem.
-
-
-003: RELIABILITY FIX: January 13, 2006 i386 architecture
-Change the implementation of i386 W^X so that the "execute line" can move around.
-Before it was limited to being either at 512MB (below which all code normally
-lands) or at the top of the stack. Now the line can float as
-mprotect(2)
-and
-mmap(2)
-requests need it to. This is now implemented using only GDT selectors
-instead of the LDT so that it is more robust as well.
+ -
+013: SECURITY FIX: October 7, 2006 All architectures
+Several problems have been found in OpenSSL. While parsing certain invalid ASN.1
+structures an error condition is mishandled, possibly resulting in an infinite
+loop. A buffer overflow exists in the SSL_get_shared_ciphers function. A NULL
+pointer may be dereferenced in the SSL version 2 client code. In addition, many
+applications using OpenSSL do not perform any validation of the lengths of
+public keys being used.
+CVE-2006-2937,
+CVE-2006-3738,
+CVE-2006-4343,
+CVE-2006-2940
-
+
A source code patch exists which remedies this problem.
-
-
-002: SECURITY FIX: January 5, 2006 All architectures
-Do not allow users to trick suid programs into re-opening files via /dev/fd.
+ -
+012: SECURITY FIX: October 7, 2006 All architectures
+httpd(8)
+does not sanitize the Expect header from an HTTP request when it is
+reflected back in an error message, which might allow cross-site scripting (XSS)
+style attacks.
+CVE-2006-3918
-
+
A source code patch exists which remedies this problem.
-
-
-001: SECURITY FIX: January 5, 2006 All architectures
-A buffer overflow has been found in the Perl interpreter with the sprintf function which
-may be exploitable under certain conditions.
+ -
+011: SECURITY FIX: September 8, 2006 All architectures
+Due to incorrect PKCS#1 v1.5 padding validation in OpenSSL, it is possible for
+an attacker to construct an invalid signature which OpenSSL would accept as a
+valid PKCS#1 v1.5 signature.
+CVE-2006-4339
-
+
A source code patch exists which remedies this problem.
+
+
-
+010: SECURITY FIX: September 8, 2006 All architectures
+Two Denial of Service issues have been found with BIND.
+An attacker who can perform recursive lookups on a DNS server and is able
+to send a sufficiently large number of recursive queries, or is able to
+get the DNS server to return more than one SIG(covered) RRsets can stop
+the functionality of the DNS service.
+An attacker querying an authoritative DNS server serving a RFC 2535
+DNSSEC zone may be able to crash the DNS server.
+CVE-2006-4095
+CVE-2006-4096
+
+
+A source code patch exists which remedies this problem.
+
+
+
-
+009: SECURITY FIX: September 2, 2006 All architectures
+Due to the failure to correctly validate LCP configuration option lengths,
+it is possible for an attacker to send LCP packets via an
+sppp(4)
+connection causing the kernel to panic.
+CVE-2006-4304
+
+
+A source code patch exists which remedies this problem.
+
+
+
-
+008: SECURITY FIX: August 25, 2006 All architectures
+A problem in
+isakmpd(8)
+caused IPsec to run partly without replay protection. If
+isakmpd(8)
+was acting as responder during SA negotiation, SA's with a replay window of size 0 were created.
+An attacker could reinject sniffed IPsec packets, which will be accepted without checking the
+replay counter.
+
+
+A source code patch exists which remedies this problem.
+
+
+
-
+007: SECURITY FIX: August 25, 2006 All architectures
+It is possible to cause the kernel to panic when more than the default number of
+sempahores have been allocated.
+
+
+A source code patch exists which remedies this problem.
+
+
+
-
+006: SECURITY FIX: August 25, 2006 All architectures
+Due to an off-by-one error in
+dhcpd(8),
+it is possible to cause
+dhcpd(8)
+to exit by sending a DHCPDISCOVER packet with a 32-byte client identifier option.
+CVE-2006-3122
+
+
+A source code patch exists which remedies this problem.
+
+
+
-
+005: SECURITY FIX: August 25, 2006 All architectures
+A potential denial of service problem has been found in sendmail. A message
+with really long header lines could trigger a use-after-free bug causing
+sendmail to crash.
+
+
+A source code patch exists which remedies this problem.
+
+
+
-
+004: SECURITY FIX: July 30, 2006 All architectures
+httpd(8)'s
+mod_rewrite has a potentially exploitable off-by-one buffer overflow.
+The buffer overflow may result in a vulnerability which, in combination
+with certain types of Rewrite rules in the web server configuration files,
+could be triggered remotely. The default install is not affected by the
+buffer overflow. CVE-2006-3747
+
+
+A source code patch exists which remedies this problem.
+
+
+
-
+003: SECURITY FIX: June 15, 2006 All architectures
+A potential denial of service problem has been found in sendmail. A malformed MIME
+message could trigger excessive recursion which will lead to stack exhaustion.
+This denial of service attack only affects delivery of mail from the queue and
+delivery of a malformed message. Other incoming mail is still accepted and
+delivered. However, mail messages in the queue may not be reattempted if a
+malformed MIME message exists.
+
+
+A source code patch exists which remedies this problem.
+
+
+
-
+002: SECURITY FIX: May 2, 2006 All architectures
+A security vulnerability has been found in the X.Org server --
+CVE-2006-1526.
+Clients authorized to connect to the X server are able to crash it and to execute
+malicious code within the X server.
+
+
+A source code patch exists which remedies this problem.
+
+
+
-
+001: SECURITY FIX: March 25, 2006 All architectures
+A race condition has been reported to exist in the handling by sendmail of
+asynchronous signals. A remote attacker may be able to execute arbitrary code with the
+privileges of the user running sendmail, typically root. This is the second revision of
+this patch.
+
+
+A source code patch exists which remedies this problem.
+
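Review bot: Entry 007 has a typo, "sempahores" should read "semaphores", and entry 008 uses the possessive "SA's" where the plural "SAs" is meant. The CVE references are also formatted inconsistently across the new entries: 013 and 015 separate identifiers with commas, 010 lists CVE-2006-4095 and CVE-2006-4096 with no separator, 004 folds CVE-2006-3747 into the end of the sentence ("buffer overflow. CVE-2006-3747"), and 002 introduces CVE-2006-1526 with a double hyphen. Suggest one convention, for example each identifier on its own line with a trailing comma as in 013, so readers scanning the page can find the identifiers reliably. Entries 001, 003, 005, 007 and 008 carry no identifier at all; where one has been assigned, add it for the same reason. The interleaved "-" and "+ -" lines between entries suggest the old 3.8 entries and the new 3.9 entries were edited in place rather than the block being replaced wholesale, which is fine, but worth a visual check of the rendered page for stray separators.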
@@ -159,13 +290,13 @@
3.6,
3.7,
3.8,
-current.
+4.0.
www@openbsd.org
-
$OpenBSD: errata39.html,v 1.2 2006/03/08 19:53:56 deraadt dead $
+
$OpenBSD: errata39.html,v 1.3 2006/10/30 20:59:45 deraadt Exp $