===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/errata39.html,v
retrieving revision 1.70
retrieving revision 1.71
diff -u -r1.70 -r1.71
--- www/errata39.html 2019/05/27 22:55:20 1.70
+++ www/errata39.html 2019/05/28 16:32:42 1.71
@@ -85,148 +85,147 @@
--
-023: STABILITY FIX: April 26, 2007
- PowerPC
-An unhandled AltiVec assist exception can cause a kernel panic.
-
+-
+001: SECURITY FIX: March 25, 2006
+ All architectures
+A race condition has been reported to exist in the handling by sendmail of
+asynchronous signals. A remote attacker may be able to execute arbitrary code with the
+privileges of the user running sendmail, typically root. This is the second revision of
+this patch.
+
+
A source code patch exists which remedies this problem.
-
-
-022: SECURITY FIX: April 23, 2007
+
-
+002: SECURITY FIX: May 2, 2006
All architectures
-IPv6 type 0 route headers can be used to mount a DoS attack against
-hosts and networks. This is a design flaw in IPv6 and not a bug in
-OpenBSD.
-
+A security vulnerability has been found in the X.Org server --
+CVE-2006-1526.
+Clients authorized to connect to the X server are able to crash it and to execute
+malicious code within the X server.
+
+
A source code patch exists which remedies this problem.
-
-
-021: SECURITY FIX: April 4, 2007
+
-
+003: SECURITY FIX: June 15, 2006
All architectures
-Multiple vulnerabilities have been discovered in X.Org.
-XC-MISC extension ProcXCMiscGetXIDList memory corruption vulnerability,
-BDFFont parsing integer overflow vulnerability,
-fonts.dir file parsing integer overflow vulnerability,
-multiple integer overflows in the XGetPixel() and XInitImage functions
-in ImUtil.c.
-CVE-2007-1003,
-CVE-2007-1351,
-CVE-2007-1352,
-CVE-2007-1667.
+A potential denial of service problem has been found in sendmail. A malformed MIME
+message could trigger excessive recursion which will lead to stack exhaustion.
+This denial of service attack only affects delivery of mail from the queue and
+delivery of a malformed message. Other incoming mail is still accepted and
+delivered. However, mail messages in the queue may not be reattempted if a
+malformed MIME message exists.
-
+
A source code patch exists which remedies this problem.
-
-
-020: SECURITY FIX: March 7, 2007
+
-
+004: SECURITY FIX: July 30, 2006
All architectures
-2nd revision, March 17, 2007
-Incorrect mbuf handling for ICMP6 packets.
-Using
-pf(4)
-to avoid the problem packets is an effective workaround until the patch
-can be installed.
-Use "block in inet6" in /etc/pf.conf
+httpd(8)'s
+mod_rewrite has a potentially exploitable off-by-one buffer overflow.
+The buffer overflow may result in a vulnerability which, in combination
+with certain types of Rewrite rules in the web server configuration files,
+could be triggered remotely. The default install is not affected by the
+buffer overflow. CVE-2006-3747
-
+
A source code patch exists which remedies this problem.
-
-
-019: INTEROPERABILITY FIX: February 4, 2007
+
-
+005: SECURITY FIX: August 25, 2006
All architectures
-A US daylight saving time rules change takes effect in 2007.
+A potential denial of service problem has been found in sendmail. A message
+with really long header lines could trigger a use-after-free bug causing
+sendmail to crash.
-
-A source code patch exists which syncs the timezone data files with tzdata2007a.
+
+A source code patch exists which remedies this problem.
-
-
-018: RELIABILITY FIX: January 16, 2007
+
-
+006: SECURITY FIX: August 25, 2006
All architectures
-Under some circumstances, processing an ICMP6 echo request would cause
-the kernel to enter an infinite loop.
+Due to an off-by-one error in
+dhcpd(8),
+it is possible to cause
+dhcpd(8)
+to exit by sending a DHCPDISCOVER packet with a 32-byte client identifier option.
+CVE-2006-3122
-
+
A source code patch exists which remedies this problem.
-
-
-017: SECURITY FIX: January 3, 2007
- i386 only
-Insufficient validation in
-vga(4)
-may allow an attacker to gain root privileges if the kernel is compiled with
-option PCIAGP
-and the actual device is not an AGP device.
-The PCIAGP
option is present by default on i386
-kernels only.
+ -
+007: SECURITY FIX: August 25, 2006
+ All architectures
+It is possible to cause the kernel to panic when more than the default number of
+sempahores have been allocated.
-
+
A source code patch exists which remedies this problem.
-
-
-016: SECURITY FIX: November 19, 2006
+
-
+008: SECURITY FIX: August 25, 2006
All architectures
-The ELF
-ld.so(1)
-fails to properly sanitize the environment. There is a potential localhost security
-problem in cases we have not found yet. This patch applies to all ELF-based
-systems (m68k, m88k, and vax are a.out-based systems).
+A problem in
+isakmpd(8)
+caused IPsec to run partly without replay protection. If
+isakmpd(8)
+was acting as responder during SA negotiation, SA's with a replay window of size 0 were created.
+An attacker could reinject sniffed IPsec packets, which will be accepted without checking the
+replay counter.
-
+
A source code patch exists which remedies this problem.
-
-
-015: SECURITY FIX: October 12, 2006
+
-
+009: SECURITY FIX: September 2, 2006
All architectures
-Fix 2 security bugs found in OpenSSH. A pre-authentication denial of service (found
-by Tavis Ormandy) that would cause
-sshd(8)
-to spin until the login grace time expired.
-An unsafe signal handler (found by Mark Dowd) that is vulnerable to a race condition
-that could be exploited to perform a pre-authentication denial of service.
-CVE-2006-4924,
-CVE-2006-5051
+Due to the failure to correctly validate LCP configuration option lengths,
+it is possible for an attacker to send LCP packets via an
+sppp(4)
+connection causing the kernel to panic.
+CVE-2006-4304
-
+
A source code patch exists which remedies this problem.
-
-
-014: SECURITY FIX: October 7, 2006
+
-
+010: SECURITY FIX: September 8, 2006
All architectures
-Fix for an integer overflow in
-systrace(4)'s
-STRIOCREPLACE support, found by
-Chris Evans. This could be exploited for DoS, limited kmem reads or local
-privilege escalation.
+Two Denial of Service issues have been found with BIND.
+An attacker who can perform recursive lookups on a DNS server and is able
+to send a sufficiently large number of recursive queries, or is able to
+get the DNS server to return more than one SIG(covered) RRsets can stop
+the functionality of the DNS service.
+An attacker querying an authoritative DNS server serving a RFC 2535
+DNSSEC zone may be able to crash the DNS server.
+CVE-2006-4095
+CVE-2006-4096
-
+
A source code patch exists which remedies this problem.
-
-
-013: SECURITY FIX: October 7, 2006
+
-
+011: SECURITY FIX: September 8, 2006
All architectures
-Several problems have been found in OpenSSL. While parsing certain invalid ASN.1
-structures an error condition is mishandled, possibly resulting in an infinite
-loop. A buffer overflow exists in the SSL_get_shared_ciphers function. A NULL
-pointer may be dereferenced in the SSL version 2 client code. In addition, many
-applications using OpenSSL do not perform any validation of the lengths of
-public keys being used.
-CVE-2006-2937,
-CVE-2006-3738,
-CVE-2006-4343,
-CVE-2006-2940
+Due to incorrect PKCS#1 v1.5 padding validation in OpenSSL, it is possible for
+an attacker to construct an invalid signature which OpenSSL would accept as a
+valid PKCS#1 v1.5 signature.
+CVE-2006-4339
-
+
A source code patch exists which remedies this problem.
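Review bot: the separator inserted before the 007 entry (`+ -`) carries a leading space, while every other separator added in this hunk is a bare `-`; drop the space so the entries stay uniform. While the text is being moved anyway, two smaller points in the same hunk are worth folding in: 001 and 002 keep two blank lines between their description and the "A source code patch exists which remedies this problem." sentence, where 003 through 011 keep one, and the 007 description reads "sempahores" where "semaphores" is meant.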
@@ -243,147 +242,148 @@
A source code patch exists which remedies this problem.
-
-
-011: SECURITY FIX: September 8, 2006
+
-
+013: SECURITY FIX: October 7, 2006
All architectures
-Due to incorrect PKCS#1 v1.5 padding validation in OpenSSL, it is possible for
-an attacker to construct an invalid signature which OpenSSL would accept as a
-valid PKCS#1 v1.5 signature.
-CVE-2006-4339
+Several problems have been found in OpenSSL. While parsing certain invalid ASN.1
+structures an error condition is mishandled, possibly resulting in an infinite
+loop. A buffer overflow exists in the SSL_get_shared_ciphers function. A NULL
+pointer may be dereferenced in the SSL version 2 client code. In addition, many
+applications using OpenSSL do not perform any validation of the lengths of
+public keys being used.
+CVE-2006-2937,
+CVE-2006-3738,
+CVE-2006-4343,
+CVE-2006-2940
-
+
A source code patch exists which remedies this problem.
-
-
-010: SECURITY FIX: September 8, 2006
+
-
+014: SECURITY FIX: October 7, 2006
All architectures
-Two Denial of Service issues have been found with BIND.
-An attacker who can perform recursive lookups on a DNS server and is able
-to send a sufficiently large number of recursive queries, or is able to
-get the DNS server to return more than one SIG(covered) RRsets can stop
-the functionality of the DNS service.
-An attacker querying an authoritative DNS server serving a RFC 2535
-DNSSEC zone may be able to crash the DNS server.
-CVE-2006-4095
-CVE-2006-4096
+Fix for an integer overflow in
+systrace(4)'s
+STRIOCREPLACE support, found by
+Chris Evans. This could be exploited for DoS, limited kmem reads or local
+privilege escalation.
-
+
A source code patch exists which remedies this problem.
-
-
-009: SECURITY FIX: September 2, 2006
+
-
+015: SECURITY FIX: October 12, 2006
All architectures
-Due to the failure to correctly validate LCP configuration option lengths,
-it is possible for an attacker to send LCP packets via an
-sppp(4)
-connection causing the kernel to panic.
-CVE-2006-4304
+Fix 2 security bugs found in OpenSSH. A pre-authentication denial of service (found
+by Tavis Ormandy) that would cause
+sshd(8)
+to spin until the login grace time expired.
+An unsafe signal handler (found by Mark Dowd) that is vulnerable to a race condition
+that could be exploited to perform a pre-authentication denial of service.
+CVE-2006-4924,
+CVE-2006-5051
-
+
A source code patch exists which remedies this problem.
-
-
-008: SECURITY FIX: August 25, 2006
+
-
+016: SECURITY FIX: November 19, 2006
All architectures
-A problem in
-isakmpd(8)
-caused IPsec to run partly without replay protection. If
-isakmpd(8)
-was acting as responder during SA negotiation, SA's with a replay window of size 0 were created.
-An attacker could reinject sniffed IPsec packets, which will be accepted without checking the
-replay counter.
+The ELF
+ld.so(1)
+fails to properly sanitize the environment. There is a potential localhost security
+problem in cases we have not found yet. This patch applies to all ELF-based
+systems (m68k, m88k, and vax are a.out-based systems).
-
+
A source code patch exists which remedies this problem.
-
-
-007: SECURITY FIX: August 25, 2006
- All architectures
-It is possible to cause the kernel to panic when more than the default number of
-sempahores have been allocated.
+ -
+017: SECURITY FIX: January 3, 2007
+ i386 only
+Insufficient validation in
+vga(4)
+may allow an attacker to gain root privileges if the kernel is compiled with
+option PCIAGP
+and the actual device is not an AGP device.
+The PCIAGP
option is present by default on i386
+kernels only.
-
+
A source code patch exists which remedies this problem.
-
-
-006: SECURITY FIX: August 25, 2006
+
-
+018: RELIABILITY FIX: January 16, 2007
All architectures
-Due to an off-by-one error in
-dhcpd(8),
-it is possible to cause
-dhcpd(8)
-to exit by sending a DHCPDISCOVER packet with a 32-byte client identifier option.
-CVE-2006-3122
+Under some circumstances, processing an ICMP6 echo request would cause
+the kernel to enter an infinite loop.
-
+
A source code patch exists which remedies this problem.
-
-
-005: SECURITY FIX: August 25, 2006
+
-
+019: INTEROPERABILITY FIX: February 4, 2007
All architectures
-A potential denial of service problem has been found in sendmail. A message
-with really long header lines could trigger a use-after-free bug causing
-sendmail to crash.
+A US daylight saving time rules change takes effect in 2007.
-
-A source code patch exists which remedies this problem.
+
+A source code patch exists which syncs the timezone data files with tzdata2007a.
-
-
-004: SECURITY FIX: July 30, 2006
+
-
+020: SECURITY FIX: March 7, 2007
All architectures
-httpd(8)'s
-mod_rewrite has a potentially exploitable off-by-one buffer overflow.
-The buffer overflow may result in a vulnerability which, in combination
-with certain types of Rewrite rules in the web server configuration files,
-could be triggered remotely. The default install is not affected by the
-buffer overflow. CVE-2006-3747
+2nd revision, March 17, 2007
+Incorrect mbuf handling for ICMP6 packets.
+Using
+pf(4)
+to avoid the problem packets is an effective workaround until the patch
+can be installed.
+Use "block in inet6" in /etc/pf.conf
-
+
A source code patch exists which remedies this problem.
-
-
-003: SECURITY FIX: June 15, 2006
+
-
+021: SECURITY FIX: April 4, 2007
All architectures
-A potential denial of service problem has been found in sendmail. A malformed MIME
-message could trigger excessive recursion which will lead to stack exhaustion.
-This denial of service attack only affects delivery of mail from the queue and
-delivery of a malformed message. Other incoming mail is still accepted and
-delivered. However, mail messages in the queue may not be reattempted if a
-malformed MIME message exists.
+Multiple vulnerabilities have been discovered in X.Org.
+XC-MISC extension ProcXCMiscGetXIDList memory corruption vulnerability,
+BDFFont parsing integer overflow vulnerability,
+fonts.dir file parsing integer overflow vulnerability,
+multiple integer overflows in the XGetPixel() and XInitImage functions
+in ImUtil.c.
+CVE-2007-1003,
+CVE-2007-1351,
+CVE-2007-1352,
+CVE-2007-1667.
-
+
A source code patch exists which remedies this problem.
-
-
-002: SECURITY FIX: May 2, 2006
+
-
+022: SECURITY FIX: April 23, 2007
All architectures
-A security vulnerability has been found in the X.Org server --
-CVE-2006-1526.
-Clients authorized to connect to the X server are able to crash it and to execute
-malicious code within the X server.
-
-
+IPv6 type 0 route headers can be used to mount a DoS attack against
+hosts and networks. This is a design flaw in IPv6 and not a bug in
+OpenBSD.
+
A source code patch exists which remedies this problem.
-
-
-001: SECURITY FIX: March 25, 2006
- All architectures
-A race condition has been reported to exist in the handling by sendmail of
-asynchronous signals. A remote attacker may be able to execute arbitrary code with the
-privileges of the user running sendmail, typically root. This is the second revision of
-this patch.
-
-
+-
+023: STABILITY FIX: April 26, 2007
+ PowerPC
+An unhandled AltiVec assist exception can cause a kernel panic.
+
A source code patch exists which remedies this problem.
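Review bot: the separator inserted before the 017 entry (`+ -`) has the same leading space, unlike the bare `-` placed before 013 through 016 and 018 through 023; make it match the others. Otherwise the hunk is a straight move of the existing entry text into ascending order, and each moved entry keeps a single blank line before its closing "A source code patch exists ..." sentence, which is the consistent form.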