File: [local] / www / errata55.html

Revision 1.11, Sat Apr 12 17:39:57 2014 UTC by deraadt
Branch: MAIN
Changes since 1.10: +10 -0 lines

errata for 5.3 - 5.5.

In truth, this bug goes back about EIGHT YEARS.  The feature it depends
on is optional on sockets, so it appears OpenBSD's httpd (apache 1) may
avoid it, but other web server and client software is not.

A use-after-free race condition in OpenSSL's read buffer may permit an attacker
to inject data from one connection into another.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>OpenBSD 5.5 errata</title>
<meta name="resource-type" content="document">
<meta name="description" content="the OpenBSD CD errata page">
<meta name="keywords" content="openbsd,cd,errata">
<meta name="distribution" content="global">
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
</head>

<body bgcolor="#ffffff" text="#000000" link="#23238E">

<a href="index.html"><img alt="[OpenBSD]" height="30" width="141" src="images/smalltitle.gif" border="0"></a>
<h2><font color="#0000e0">
This is the OpenBSD 5.5 release errata &amp; patch list:
</font></h2>

<hr>
<a href=stable.html>For OpenBSD patch branch information, please refer here.</a><br>
<br>
For errata on a certain release, click below:<br>
<a href="errata21.html">2.1</a>,
<a href="errata22.html">2.2</a>,
<a href="errata23.html">2.3</a>,
<a href="errata24.html">2.4</a>,
<a href="errata25.html">2.5</a>,
<a href="errata26.html">2.6</a>,
<a href="errata27.html">2.7</a>,
<a href="errata28.html">2.8</a>,
<a href="errata29.html">2.9</a>,
<a href="errata30.html">3.0</a>,
<a href="errata31.html">3.1</a>,
<a href="errata32.html">3.2</a>,
<a href="errata33.html">3.3</a>,
<a href="errata34.html">3.4</a>,
<a href="errata35.html">3.5</a>,
<a href="errata36.html">3.6</a>,
<br>
<a href="errata37.html">3.7</a>,
<a href="errata38.html">3.8</a>,
<a href="errata39.html">3.9</a>,
<a href="errata40.html">4.0</a>,
<a href="errata41.html">4.1</a>,
<a href="errata42.html">4.2</a>,
<a href="errata43.html">4.3</a>,
<a href="errata44.html">4.4</a>,
<a href="errata45.html">4.5</a>,
<a href="errata46.html">4.6</a>,
<a href="errata47.html">4.7</a>,
<a href="errata48.html">4.8</a>,
<a href="errata49.html">4.9</a>,
<a href="errata50.html">5.0</a>,
<a href="errata51.html">5.1</a>,
<a href="errata52.html">5.2</a>,
<br>
<a href="errata53.html">5.3</a>,
<a href="errata54.html">5.4</a>.
<br>
<hr>

<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/5.5.tar.gz">
You can also fetch a tar.gz file containing all the following patches</a>.
This file is updated once a day.
<p>

The patches below are available in CVS via the
<code>OPENBSD_5_5</code> <a href="stable.html">patch branch</a>.
<p>

For more detailed information on how to install patches to OpenBSD, please
consult the <a href="./faq/faq10.html#Patches">OpenBSD FAQ</a>.
<p>

<hr>

<ul>

<li><a name="001_icmp"></a>
<font color="#009000"><strong>001: RELIABILITY FIX: March 15, 2014</strong></font>
&nbsp; <i>All architectures</i><br>
Memory corruption happens during
ICMP reflection handling.  ICMP reflection is disabled by default.
<br>
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/001_icmp.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li><a name="002_openssl"></a>
<font color="#009000"><strong>002: SECURITY FIX: April 8, 2014</strong></font>
&nbsp; <i>All architectures</i><br>
Missing bounds checking in OpenSSL's implementation of the TLS/DTLS
heartbeat extension (RFC 6520): the peer-supplied payload length is not
compared with the length of the received message, so a heartbeat response
can leak memory contents beyond it.
<br>
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/002_openssl.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li><a name="003_ftp"></a>
<font color="#009000"><strong>003: SECURITY FIX: April 9, 2014</strong></font>
&nbsp; <i>All architectures</i><br>
Missing hostname check for HTTPS connections in the
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ftp&manpath=OpenBSD+5.5&sektion=1">ftp(1)</a>
utility: the server certificate is not verified against the hostname
in the requested URL.
<br>
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/003_ftp.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li><a name="004_openssl"></a>
<font color="#009000"><strong>004: SECURITY FIX: April 12, 2014</strong></font>
&nbsp; <i>All architectures</i><br>
A use-after-free race condition in OpenSSL's read buffer may permit an attacker
to inject data from one connection into another.
<br>
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/004_openssl.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

</ul>
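The bounds check that erratum 002 describes, as an added example that is neither OpenBSD's nor OpenSSL's code: a minimal builder for the RFC 6520 heartbeat response that trusts the peer-supplied payload_length (the vulnerable shape) beside the same builder with the check against the number of bytes actually received (the fixed shape). The message layout and the 16-byte minimum padding are from RFC 6520; the function names, the 64-byte arena and the canary string standing in for neighbouring memory are constructed for this demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16     /* RFC 6520: padding is at least 16 bytes */
#define HB_HDR         3      /* type (1 byte) + payload_length (2 bytes) */

static uint16_t hb_payload_len(const uint8_t *rec)
{
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Vulnerable shape: payload_length comes from the peer and is never compared
 * with rec_len, the number of bytes actually received, so the memcpy reads
 * past the real message into whatever follows it in memory. */
size_t hb_respond_unchecked(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR || rec[0] != HB_REQUEST)
        return 0;
    size_t payload = hb_payload_len(rec);
    size_t resp_len = HB_HDR + payload + HB_MIN_PADDING;
    if (resp_len > out_cap)              /* only the destination is checked */
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload);   /* over-read of the source */
    memset(out + HB_HDR + payload, 0, HB_MIN_PADDING);
    return resp_len;
}

/* Fixed shape: the header plus minimum padding, and then the claimed payload
 * plus padding, must both fit inside the bytes actually received; otherwise
 * the message is dropped without a response, as RFC 6520 requires. */
size_t hb_respond_checked(const uint8_t *rec, size_t rec_len,
                          uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_MIN_PADDING || rec[0] != HB_REQUEST)
        return 0;
    size_t payload = hb_payload_len(rec);
    if (HB_HDR + payload + HB_MIN_PADDING > rec_len)
        return 0;                        /* the check the patch adds */
    size_t resp_len = HB_HDR + payload + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload);
    memset(out + HB_HDR + payload, 0, HB_MIN_PADDING);
    return resp_len;
}

/* Constructed fixture: a 64-byte arena holding one received heartbeat request
 * (4-byte payload "ping" plus 16 bytes of padding, 23 bytes in all) followed
 * by a canary string that stands in for neighbouring memory. */
#define HB_RECV_LEN (HB_HDR + 4 + HB_MIN_PADDING)
static const char hb_canary[] = "SECRET";

static void hb_fixture(uint8_t arena[64], uint16_t claimed_len)
{
    memset(arena, 0, 64);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + HB_HDR, "ping", 4);
    memcpy(arena + HB_RECV_LEN, hb_canary, sizeof hb_canary - 1);
}

/* Honest request claiming 4 payload bytes: the checked builder answers with
 * a 23-byte response. */
size_t hb_demo_benign(void)
{
    uint8_t arena[64], out[128];
    hb_fixture(arena, 4);
    return hb_respond_checked(arena, HB_RECV_LEN, out, sizeof out);
}

/* Request claiming 32 payload bytes while only 23 were received: the
 * unchecked builder copies the canary into the reply. Returns 1 if it did. */
int hb_demo_unchecked_leaks(void)
{
    uint8_t arena[64], out[128];
    hb_fixture(arena, 32);
    size_t n = hb_respond_unchecked(arena, HB_RECV_LEN, out, sizeof out);
    return n > HB_RECV_LEN + 6 &&
           memcmp(out + HB_RECV_LEN, hb_canary, sizeof hb_canary - 1) == 0;
}

/* Same over-long claim against the checked builder: no response at all. */
int hb_demo_checked_rejects(void)
{
    uint8_t arena[64], out[128];
    hb_fixture(arena, 32);
    return hb_respond_checked(arena, HB_RECV_LEN, out, sizeof out) == 0;
}

int main(void)
{
    printf("benign reply: %zu bytes\n", hb_demo_benign());
    printf("unchecked builder leaks canary: %d\n", hb_demo_unchecked_leaks());
    printf("checked builder drops the message: %d\n", hb_demo_checked_rejects());
    return 0;
}
```

Build with `cc -std=c99 -Wall hb.c && ./a.out` (filename assumed). The point to carry over to any other length-prefixed protocol is that the unchecked builder only ever compares the claimed length against the output buffer; the check that matters is against the length of the input you actually hold.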

</body>
</html>