+PF rules specifying address ranges (e.g. "10.1.1.1 - 10.1.1.5") were +not correctly handled on little-endian systems (alpha, amd64, arm, i386, +mips64el, vax). Other address types (bare addresses "10.1.1.1" and +prefixes "10.1.1.1/30") are not affected. +
+ +A source code patch exists which remedies this problem.
+
+ +
+An incorrectly formatted ClientHello handshake message could cause +OpenSSL to parse past the end of the message. An attacker could use this flaw +to trigger an invalid memory access, causing a crash of an application linked +to OpenSSL. As well, certain applications may expose the contents of parsed +OCSP extensions, specifically the OCSP nonce extension. +
+Applications are only affected if they act as a server and call
+SSL_CTX_set_tlsext_status_cb on the server's SSL_CTX. It is believed
+that nothing in the base OS uses this. Apache httpd started using this
+in v2.3.3; this is newer than the version in ports.
+
+
+A source code patch exists which remedies this problem.
+
+
sp_protocol in RTM_DELETE messages could contain garbage values @@ -238,7 +266,7 @@
www@openbsd.org
-$OpenBSD: errata47.html,v 1.19 2011/01/13 16:36:58 jsg Exp $ +
$OpenBSD: errata47.html,v 1.20 2011/02/16 20:37:28 sthen Exp $