| version 1.3, 2009/04/08 02:44:06 |
version 1.4, 2009/04/11 23:46:45 |
|
|
| |
|
| <ul> |
<ul> |
| |
|
| |
<li><a name="002_pf"></a> |
| |
<font color="#009000"><strong>002: RELIABILITY FIX: April 11, 2009</strong></font> <i>All architectures</i><br> |
| |
When pf attempts to perform translation on a specially crafted IP datagram, |
| |
a null pointer dereference will occur, resulting in a kernel panic. |
| |
In certain configurations this may be triggered by a remote attacker. |
| |
<p> |
| |
Restricting translation rules to protocols that are specific to the IP version |
| |
in use, is an effective workaround until the patch can be installed. As an |
| |
example, for IPv4 nat/binat/rdr rules you can use: |
| |
<pre> |
| |
nat/rdr ... inet proto { tcp udp icmp } ... |
| |
</pre> |
| |
Or for IPv6 nat/binat/rdr rules you can use: |
| |
<pre> |
| |
nat/rdr ... inet6 proto { tcp udp icmp6 } ... |
| |
</pre> |
| |
<a href="ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.5/common/002_pf.patch"> |
| |
A source code patch exists which remedies this problem</a>.<br> |
| |
<p> |
| |
|
| <li><a name="001_openssl"></a> |
<li><a name="001_openssl"></a> |
| <font color="#009000"><strong>001: RELIABILITY FIX: April 8, 2009</strong></font> <i>All architectures</i><br> |
<font color="#009000"><strong>001: RELIABILITY FIX: April 8, 2009</strong></font> <i>All architectures</i><br> |
| The OpenSSL ASN.1 handling code could be forced to perform invalid memory |
The OpenSSL ASN.1 handling code could be forced to perform invalid memory |
![[BACK]](/icons/back.gif){kind=icon}
Return to errata45.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www