===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/errata39.html,v
retrieving revision 1.70
retrieving revision 1.71
diff -u -r1.70 -r1.71
--- www/errata39.html	2019/05/27 22:55:20	1.70
+++ www/errata39.html	2019/05/28 16:32:42	1.71
@@ -85,148 +85,147 @@
 
 <ul>
 
-<li id="p023_altivec">
-<strong>023: STABILITY FIX: April 26, 2007</strong>
-&nbsp; <i>PowerPC</i><br>
-An unhandled AltiVec assist exception can cause a kernel panic.<br>
-<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/macppc/023_altivec.patch">
+<li id="sendmail">
+<strong>001: SECURITY FIX: March 25, 2006</strong>
+&nbsp; <i>All architectures</i><br>
+A race condition has been reported to exist in the handling by sendmail of
+asynchronous signals. A remote attacker may be able to execute arbitrary code with the
+privileges of the user running sendmail, typically root. This is the second revision of
+this patch.
+<br>
+<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/001_sendmail.patch">
 A source code patch exists which remedies this problem.</a>
 <p>
 
-<li id="p022_route6">
-<strong>022: SECURITY FIX: April 23, 2007</strong>
+<li id="xorg">
+<strong>002: SECURITY FIX: May 2, 2006</strong>
 &nbsp; <i>All architectures</i><br>
-IPv6 type 0 route headers can be used to mount a DoS attack against
-hosts and networks.  This is a design flaw in IPv6 and not a bug in
-OpenBSD.<br>
-<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/022_route6.patch">
+A security vulnerability has been found in the X.Org server --
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1526">CVE-2006-1526</a>.
+Clients authorized to connect to the X server are able to crash it and to execute
+malicious code within the X server.
+<br>
+<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/002_xorg.patch">
 A source code patch exists which remedies this problem.</a>
 <p>
 
-<li id="p021_xorg">
-<strong>021: SECURITY FIX: April 4, 2007</strong>
+<li id="sendmail2">
+<strong>003: SECURITY FIX: June 15, 2006</strong>
 &nbsp; <i>All architectures</i><br>
-Multiple vulnerabilities have been discovered in X.Org.<br>
-XC-MISC extension ProcXCMiscGetXIDList memory corruption vulnerability,
-BDFFont parsing integer overflow vulnerability,
-fonts.dir file parsing integer overflow vulnerability,
-multiple integer overflows in the XGetPixel() and XInitImage functions
-in ImUtil.c.
-<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1003">CVE-2007-1003</a>,
-<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1351">CVE-2007-1351</a>,
-<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1352">CVE-2007-1352</a>,
-<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1667">CVE-2007-1667</a>.
+A potential denial of service problem has been found in sendmail. A malformed MIME
+message could trigger excessive recursion which will lead to stack exhaustion.
+This denial of service attack only affects delivery of mail from the queue and
+delivery of a malformed message. Other incoming mail is still accepted and
+delivered. However, mail messages in the queue may not be reattempted if a
+malformed MIME message exists.
 <br>
-<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/021_xorg.patch">
+<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/003_sendmail2.patch">
 A source code patch exists which remedies this problem.</a>
 <p>
 
-<li id="m_dup1">
-<strong>020: SECURITY FIX: March 7, 2007</strong>
+<li id="httpd">
+<strong>004: SECURITY FIX: July 30, 2006</strong>
 &nbsp; <i>All architectures</i><br>
-<b>2nd revision, March 17, 2007</b><br>
-Incorrect mbuf handling for ICMP6 packets.<br>
-Using
-<a href="https://man.openbsd.org/OpenBSD-3.9/pf.4">pf(4)</a>
-to avoid the problem packets is an effective workaround until the patch
-can be installed.<br>
-Use "block in inet6" in /etc/pf.conf
+<a href="https://man.openbsd.org/OpenBSD-3.9/httpd.8">httpd(8)</a>'s
+mod_rewrite has a potentially exploitable off-by-one buffer overflow.
+The buffer overflow may result in a vulnerability which, in combination
+with certain types of Rewrite rules in the web server configuration files,
+could be triggered remotely. The default install is not affected by the
+buffer overflow. CVE-2006-3747
 <br>
-<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/020_m_dup1.patch">
+<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/004_httpd.patch">
 A source code patch exists which remedies this problem.</a>
 <p>
 
-<li id="timezone">
-<strong>019: INTEROPERABILITY FIX: February 4, 2007</strong>
+<li id="sendmail3">
+<strong>005: SECURITY FIX: August 25, 2006</strong>
 &nbsp; <i>All architectures</i><br>
-A US daylight saving time rules change takes effect in 2007.
+A potential denial of service problem has been found in sendmail. A message
+with really long header lines could trigger a use-after-free bug causing
+sendmail to crash.
 <br>
-<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/019_timezone.patch">
-A source code patch exists which syncs the timezone data files with tzdata2007a</a>.<br>
+<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/005_sendmail3.patch">
+A source code patch exists which remedies this problem.</a>
 <p>
 
-<li id="icmp6">
-<strong>018: RELIABILITY FIX: January 16, 2007</strong>
+<li id="dhcpd">
+<strong>006: SECURITY FIX: August 25, 2006</strong>
 &nbsp; <i>All architectures</i><br>
-Under some circumstances, processing an ICMP6 echo request would cause
-the kernel to enter an infinite loop.
+Due to an off-by-one error in
+<a href="https://man.openbsd.org/OpenBSD-3.9/dhcpd.8">dhcpd(8)</a>,
+it is possible to cause
+<a href="https://man.openbsd.org/OpenBSD-3.9/dhcpd.8">dhcpd(8)</a>
+to exit by sending a DHCPDISCOVER packet with a 32-byte client identifier option.
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3122">CVE-2006-3122</a>
 <br>
-<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/018_icmp6.patch">
+<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/006_dhcpd.patch">
 A source code patch exists which remedies this problem.</a>
 <p>
 
-<li id="agp">
-<strong>017: SECURITY FIX: January 3, 2007</strong>
-&nbsp; <i>i386 only</i><br>
-Insufficient validation in
-<a href="https://man.openbsd.org/OpenBSD-3.9/vga.4">vga(4)</a>
-may allow an attacker to gain root privileges if the kernel is compiled with
-<code>option PCIAGP</code>
-and the actual device is not an AGP device.
-The <code>PCIAGP</code> option is present by default on i386
-kernels only.
+<li id="sem">
+<strong>007: SECURITY FIX: August 25, 2006</strong>
+&nbsp; <i>All architectures</i><br>
+It is possible to cause the kernel to panic when more than the default number of
+sempahores have been allocated.
 <br>
-<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/i386/017_agp.patch">
+<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/007_sem.patch">
 A source code patch exists which remedies this problem.</a>
 <p>
 
-<li id="ldso">
-<strong>016: SECURITY FIX: November 19, 2006</strong>
+<li id="isakmpd">
+<strong>008: SECURITY FIX: August 25, 2006</strong>
 &nbsp; <i>All architectures</i><br>
-The ELF
-<a href="https://man.openbsd.org/OpenBSD-3.9/ld.so.1">ld.so(1)</a>
-fails to properly sanitize the environment. There is a potential localhost security
-problem in cases we have not found yet.  This patch applies to all ELF-based
-systems (m68k, m88k, and vax are a.out-based systems).
+A problem in
+<a href="https://man.openbsd.org/OpenBSD-3.9/isakmpd.8">isakmpd(8)</a>
+caused IPsec to run partly without replay protection. If
+<a href="https://man.openbsd.org/OpenBSD-3.9/isakmpd.8">isakmpd(8)</a>
+was acting as responder during SA negotiation, SA's with a replay window of size 0 were created.
+An attacker could reinject sniffed IPsec packets, which will be accepted without checking the
+replay counter.
 <br>
-<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/016_ldso.patch">
+<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/008_isakmpd.patch">
 A source code patch exists which remedies this problem.</a>
 <p>
 
-<li id="ssh">
-<strong>015: SECURITY FIX: October 12, 2006</strong>
+<li id="sppp">
+<strong>009: SECURITY FIX: September 2, 2006</strong>
 &nbsp; <i>All architectures</i><br>
-Fix 2 security bugs found in OpenSSH. A pre-authentication denial of service (found
-by Tavis Ormandy) that would cause
-<a href="https://man.openbsd.org/OpenBSD-3.9/sshd.8">sshd(8)</a>
-to spin until the login grace time expired.
-An unsafe signal handler (found by Mark Dowd) that is vulnerable to a race condition
-that could be exploited to perform a pre-authentication denial of service.
-<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4924">CVE-2006-4924</a>,
-<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5051">CVE-2006-5051</a>
+Due to the failure to correctly validate LCP configuration option lengths,
+it is possible for an attacker to send LCP packets via an
+<a href="https://man.openbsd.org/OpenBSD-3.9/sppp.4">sppp(4)</a>
+connection causing the kernel to panic.
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4304">CVE-2006-4304</a>
 <br>
-<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/015_ssh.patch">
+<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/009_sppp.patch">
 A source code patch exists which remedies this problem.</a>
 <p>
 
-<li id="systrace">
-<strong>014: SECURITY FIX: October 7, 2006</strong>
+<li id="bind">
+<strong>010: SECURITY FIX: September 8, 2006</strong>
 &nbsp; <i>All architectures</i><br>
-Fix for an integer overflow in
-<a href="https://man.openbsd.org/OpenBSD-3.9/systrace.4">systrace(4)</a>'s
-STRIOCREPLACE support, found by
-Chris Evans. This could be exploited for DoS, limited kmem reads or local
-privilege escalation.
+Two Denial of Service issues have been found with BIND.
+An attacker who can perform recursive lookups on a DNS server and is able
+to send a sufficiently large number of recursive queries, or is able to
+get the DNS server to return more than one SIG(covered) RRsets can stop
+the functionality of the DNS service.
+An attacker querying an authoritative DNS server serving a RFC 2535
+DNSSEC zone may be able to crash the DNS server.
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4095">CVE-2006-4095</a>
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4096">CVE-2006-4096</a>
 <br>
-<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/014_systrace.patch">
+<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/010_bind.patch">
 A source code patch exists which remedies this problem.</a>
 <p>
 
-<li id="openssl2">
-<strong>013: SECURITY FIX: October 7, 2006</strong>
+<li id="openssl">
+<strong>011: SECURITY FIX: September 8, 2006</strong>
 &nbsp; <i>All architectures</i><br>
-Several problems have been found in OpenSSL. While parsing certain invalid ASN.1
-structures an error condition is mishandled, possibly resulting in an infinite
-loop. A buffer overflow exists in the SSL_get_shared_ciphers function. A NULL
-pointer may be dereferenced in the SSL version 2 client code. In addition, many
-applications using OpenSSL do not perform any validation of the lengths of
-public keys being used.
-<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937">CVE-2006-2937</a>,
-<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738">CVE-2006-3738</a>,
-<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343">CVE-2006-4343</a>,
-<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940">CVE-2006-2940</a>
+Due to incorrect PKCS#1 v1.5 padding validation in OpenSSL, it is possible for
+an attacker to construct an invalid signature which OpenSSL would accept as a
+valid PKCS#1 v1.5 signature.
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339">CVE-2006-4339</a>
 <br>
-<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/013_openssl2.patch">
+<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/011_openssl.patch">
 A source code patch exists which remedies this problem.</a>
 <p>
 
@@ -243,147 +242,148 @@
 A source code patch exists which remedies this problem.</a>
 <p>
 
-<li id="openssl">
-<strong>011: SECURITY FIX: September 8, 2006</strong>
+<li id="openssl2">
+<strong>013: SECURITY FIX: October 7, 2006</strong>
 &nbsp; <i>All architectures</i><br>
-Due to incorrect PKCS#1 v1.5 padding validation in OpenSSL, it is possible for
-an attacker to construct an invalid signature which OpenSSL would accept as a
-valid PKCS#1 v1.5 signature.
-<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339">CVE-2006-4339</a>
+Several problems have been found in OpenSSL. While parsing certain invalid ASN.1
+structures an error condition is mishandled, possibly resulting in an infinite
+loop. A buffer overflow exists in the SSL_get_shared_ciphers function. A NULL
+pointer may be dereferenced in the SSL version 2 client code. In addition, many
+applications using OpenSSL do not perform any validation of the lengths of
+public keys being used.
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937">CVE-2006-2937</a>,
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738">CVE-2006-3738</a>,
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343">CVE-2006-4343</a>,
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940">CVE-2006-2940</a>
 <br>
-<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/011_openssl.patch">
+<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/013_openssl2.patch">
 A source code patch exists which remedies this problem.</a>
 <p>
 
-<li id="bind">
-<strong>010: SECURITY FIX: September 8, 2006</strong>
+<li id="systrace">
+<strong>014: SECURITY FIX: October 7, 2006</strong>
 &nbsp; <i>All architectures</i><br>
-Two Denial of Service issues have been found with BIND.
-An attacker who can perform recursive lookups on a DNS server and is able
-to send a sufficiently large number of recursive queries, or is able to
-get the DNS server to return more than one SIG(covered) RRsets can stop
-the functionality of the DNS service.
-An attacker querying an authoritative DNS server serving a RFC 2535
-DNSSEC zone may be able to crash the DNS server.
-<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4095">CVE-2006-4095</a>
-<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4096">CVE-2006-4096</a>
+Fix for an integer overflow in
+<a href="https://man.openbsd.org/OpenBSD-3.9/systrace.4">systrace(4)</a>'s
+STRIOCREPLACE support, found by
+Chris Evans. This could be exploited for DoS, limited kmem reads or local
+privilege escalation.
 <br>
-<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/010_bind.patch">
+<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/014_systrace.patch">
 A source code patch exists which remedies this problem.</a>
 <p>
 
-<li id="sppp">
-<strong>009: SECURITY FIX: September 2, 2006</strong>
+<li id="ssh">
+<strong>015: SECURITY FIX: October 12, 2006</strong>
 &nbsp; <i>All architectures</i><br>
-Due to the failure to correctly validate LCP configuration option lengths,
-it is possible for an attacker to send LCP packets via an
-<a href="https://man.openbsd.org/OpenBSD-3.9/sppp.4">sppp(4)</a>
-connection causing the kernel to panic.
-<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4304">CVE-2006-4304</a>
+Fix 2 security bugs found in OpenSSH. A pre-authentication denial of service (found
+by Tavis Ormandy) that would cause
+<a href="https://man.openbsd.org/OpenBSD-3.9/sshd.8">sshd(8)</a>
+to spin until the login grace time expired.
+An unsafe signal handler (found by Mark Dowd) that is vulnerable to a race condition
+that could be exploited to perform a pre-authentication denial of service.
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4924">CVE-2006-4924</a>,
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5051">CVE-2006-5051</a>
 <br>
-<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/009_sppp.patch">
+<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/015_ssh.patch">
 A source code patch exists which remedies this problem.</a>
 <p>
 
-<li id="isakmpd">
-<strong>008: SECURITY FIX: August 25, 2006</strong>
+<li id="ldso">
+<strong>016: SECURITY FIX: November 19, 2006</strong>
 &nbsp; <i>All architectures</i><br>
-A problem in
-<a href="https://man.openbsd.org/OpenBSD-3.9/isakmpd.8">isakmpd(8)</a>
-caused IPsec to run partly without replay protection. If
-<a href="https://man.openbsd.org/OpenBSD-3.9/isakmpd.8">isakmpd(8)</a>
-was acting as responder during SA negotiation, SA's with a replay window of size 0 were created.
-An attacker could reinject sniffed IPsec packets, which will be accepted without checking the
-replay counter.
+The ELF
+<a href="https://man.openbsd.org/OpenBSD-3.9/ld.so.1">ld.so(1)</a>
+fails to properly sanitize the environment. There is a potential localhost security
+problem in cases we have not found yet.  This patch applies to all ELF-based
+systems (m68k, m88k, and vax are a.out-based systems).
 <br>
-<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/008_isakmpd.patch">
+<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/016_ldso.patch">
 A source code patch exists which remedies this problem.</a>
 <p>
 
-<li id="sem">
-<strong>007: SECURITY FIX: August 25, 2006</strong>
-&nbsp; <i>All architectures</i><br>
-It is possible to cause the kernel to panic when more than the default number of
-sempahores have been allocated.
+<li id="agp">
+<strong>017: SECURITY FIX: January 3, 2007</strong>
+&nbsp; <i>i386 only</i><br>
+Insufficient validation in
+<a href="https://man.openbsd.org/OpenBSD-3.9/vga.4">vga(4)</a>
+may allow an attacker to gain root privileges if the kernel is compiled with
+<code>option PCIAGP</code>
+and the actual device is not an AGP device.
+The <code>PCIAGP</code> option is present by default on i386
+kernels only.
 <br>
-<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/007_sem.patch">
+<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/i386/017_agp.patch">
 A source code patch exists which remedies this problem.</a>
 <p>
 
-<li id="dhcpd">
-<strong>006: SECURITY FIX: August 25, 2006</strong>
+<li id="icmp6">
+<strong>018: RELIABILITY FIX: January 16, 2007</strong>
 &nbsp; <i>All architectures</i><br>
-Due to an off-by-one error in
-<a href="https://man.openbsd.org/OpenBSD-3.9/dhcpd.8">dhcpd(8)</a>,
-it is possible to cause
-<a href="https://man.openbsd.org/OpenBSD-3.9/dhcpd.8">dhcpd(8)</a>
-to exit by sending a DHCPDISCOVER packet with a 32-byte client identifier option.
-<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3122">CVE-2006-3122</a>
+Under some circumstances, processing an ICMP6 echo request would cause
+the kernel to enter an infinite loop.
 <br>
-<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/006_dhcpd.patch">
+<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/018_icmp6.patch">
 A source code patch exists which remedies this problem.</a>
 <p>
 
-<li id="sendmail3">
-<strong>005: SECURITY FIX: August 25, 2006</strong>
+<li id="timezone">
+<strong>019: INTEROPERABILITY FIX: February 4, 2007</strong>
 &nbsp; <i>All architectures</i><br>
-A potential denial of service problem has been found in sendmail. A message
-with really long header lines could trigger a use-after-free bug causing
-sendmail to crash.
+A US daylight saving time rules change takes effect in 2007.
 <br>
-<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/005_sendmail3.patch">
-A source code patch exists which remedies this problem.</a>
+<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/019_timezone.patch">
+A source code patch exists which syncs the timezone data files with tzdata2007a</a>.<br>
 <p>
 
-<li id="httpd">
-<strong>004: SECURITY FIX: July 30, 2006</strong>
+<li id="m_dup1">
+<strong>020: SECURITY FIX: March 7, 2007</strong>
 &nbsp; <i>All architectures</i><br>
-<a href="https://man.openbsd.org/OpenBSD-3.9/httpd.8">httpd(8)</a>'s
-mod_rewrite has a potentially exploitable off-by-one buffer overflow.
-The buffer overflow may result in a vulnerability which, in combination
-with certain types of Rewrite rules in the web server configuration files,
-could be triggered remotely. The default install is not affected by the
-buffer overflow. CVE-2006-3747
+<b>2nd revision, March 17, 2007</b><br>
+Incorrect mbuf handling for ICMP6 packets.<br>
+Using
+<a href="https://man.openbsd.org/OpenBSD-3.9/pf.4">pf(4)</a>
+to avoid the problem packets is an effective workaround until the patch
+can be installed.<br>
+Use "block in inet6" in /etc/pf.conf
 <br>
-<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/004_httpd.patch">
+<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/020_m_dup1.patch">
 A source code patch exists which remedies this problem.</a>
 <p>
 
-<li id="sendmail2">
-<strong>003: SECURITY FIX: June 15, 2006</strong>
+<li id="p021_xorg">
+<strong>021: SECURITY FIX: April 4, 2007</strong>
 &nbsp; <i>All architectures</i><br>
-A potential denial of service problem has been found in sendmail. A malformed MIME
-message could trigger excessive recursion which will lead to stack exhaustion.
-This denial of service attack only affects delivery of mail from the queue and
-delivery of a malformed message. Other incoming mail is still accepted and
-delivered. However, mail messages in the queue may not be reattempted if a
-malformed MIME message exists.
+Multiple vulnerabilities have been discovered in X.Org.<br>
+XC-MISC extension ProcXCMiscGetXIDList memory corruption vulnerability,
+BDFFont parsing integer overflow vulnerability,
+fonts.dir file parsing integer overflow vulnerability,
+multiple integer overflows in the XGetPixel() and XInitImage functions
+in ImUtil.c.
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1003">CVE-2007-1003</a>,
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1351">CVE-2007-1351</a>,
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1352">CVE-2007-1352</a>,
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1667">CVE-2007-1667</a>.
 <br>
-<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/003_sendmail2.patch">
+<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/021_xorg.patch">
 A source code patch exists which remedies this problem.</a>
 <p>
 
-<li id="xorg">
-<strong>002: SECURITY FIX: May 2, 2006</strong>
+<li id="p022_route6">
+<strong>022: SECURITY FIX: April 23, 2007</strong>
 &nbsp; <i>All architectures</i><br>
-A security vulnerability has been found in the X.Org server --
-<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1526">CVE-2006-1526</a>.
-Clients authorized to connect to the X server are able to crash it and to execute
-malicious code within the X server.
-<br>
-<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/002_xorg.patch">
+IPv6 type 0 route headers can be used to mount a DoS attack against
+hosts and networks.  This is a design flaw in IPv6 and not a bug in
+OpenBSD.<br>
+<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/022_route6.patch">
 A source code patch exists which remedies this problem.</a>
 <p>
 
-<li id="sendmail">
-<strong>001: SECURITY FIX: March 25, 2006</strong>
-&nbsp; <i>All architectures</i><br>
-A race condition has been reported to exist in the handling by sendmail of
-asynchronous signals. A remote attacker may be able to execute arbitrary code with the
-privileges of the user running sendmail, typically root. This is the second revision of
-this patch.
-<br>
-<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/001_sendmail.patch">
+<li id="p023_altivec">
+<strong>023: STABILITY FIX: April 26, 2007</strong>
+&nbsp; <i>PowerPC</i><br>
+An unhandled AltiVec assist exception can cause a kernel panic.<br>
+<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.9/macppc/023_altivec.patch">
 A source code patch exists which remedies this problem.</a>
 <p>