Return to errata56.html CVS log

Up to [local] / www

add pfctl errata

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>OpenBSD 5.6 errata</title>
<meta name="resource-type" content="document">
<meta name="description" content="the OpenBSD CD errata page">
<meta name="keywords" content="openbsd,cd,errata">
<meta name="distribution" content="global">
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
</head>

<!--
			IMPORTANT REMINDER
	IF YOU ADD A NEW ERRATUM, MAIL THE PATCH TO TECH AND ANNOUNCE
-->

<body bgcolor="#ffffff" text="#000000" link="#23238E">

<a href="index.html"><img alt="[OpenBSD]" height="30" width="141" src="images/smalltitle.gif" border="0"></a>
<h2><font color="#e00000">
OpenBSD 5.6 errata
</font></h2>

<hr>
<a href=stable.html>For OpenBSD patch branch information, please refer here.</a><br>
<br>
For errata on a certain release, click below:<br>
<a href="errata21.html">2.1</a>,
<a href="errata22.html">2.2</a>,
<a href="errata23.html">2.3</a>,
<a href="errata24.html">2.4</a>,
<a href="errata25.html">2.5</a>,
<a href="errata26.html">2.6</a>,
<a href="errata27.html">2.7</a>,
<a href="errata28.html">2.8</a>,
<a href="errata29.html">2.9</a>,
<a href="errata30.html">3.0</a>,
<a href="errata31.html">3.1</a>,
<a href="errata32.html">3.2</a>,
<a href="errata33.html">3.3</a>,
<a href="errata34.html">3.4</a>,
<a href="errata35.html">3.5</a>,
<a href="errata36.html">3.6</a>,
<br>
<a href="errata37.html">3.7</a>,
<a href="errata38.html">3.8</a>,
<a href="errata39.html">3.9</a>,
<a href="errata40.html">4.0</a>,
<a href="errata41.html">4.1</a>,
<a href="errata42.html">4.2</a>,
<a href="errata43.html">4.3</a>,
<a href="errata44.html">4.4</a>,
<a href="errata45.html">4.5</a>,
<a href="errata46.html">4.6</a>,
<a href="errata47.html">4.7</a>,
<a href="errata48.html">4.8</a>,
<a href="errata49.html">4.9</a>,
<a href="errata50.html">5.0</a>,
<a href="errata51.html">5.1</a>,
<a href="errata52.html">5.2</a>,
<br>
<a href="errata53.html">5.3</a>,
<a href="errata54.html">5.4</a>,
<a href="errata55.html">5.5</a>.
<br>
<hr>

<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/5.6.tar.gz">
You can also fetch a tar.gz file containing all the following patches</a>.
This file is updated once a day.
<p>

The patches below are available in CVS via the
<code>OPENBSD_5_6</code> <a href="stable.html">patch branch</a>.
<p>

For more detailed information on how to install patches to OpenBSD, please
consult the <a href="./faq/faq10.html#Patches">OpenBSD FAQ</a>.
<p>

<hr>

<ul>

<li><a name="001_rxr"></a>
<font color="#009000"><strong>001: RELIABILITY FIX: September 5, 2014</strong></font>
&nbsp; <i>All architectures</i><br>
Incorrect RX ring computation leads to panics under load with bge(4), em(4) and ix(4).
<br>
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/001_rxr.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li><a name="002_nd6"></a>
<font color="#009000"><strong>002: RELIABILITY FIX: October 1, 2014</strong></font>
&nbsp; <i>All architectures</i><br>
If IPv6 autoconf is active on an interface and the autoconfprivacy extension is used,
redundant addresses are added whenever an autoconfprivacy address expires.
The autoconfprivacy extension is used by default and can be disabled with ifconfig(8)
as a workaround:
<pre>
# ifconfig em0 -autoconfprivacy
</pre>
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/002_nd6.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li><a name="003_nginx"></a>
<font color="#009000"><strong>003: SECURITY FIX: October 1, 2014</strong></font>
&nbsp; <i>All architectures</i><br>
nginx can reuse cached SSL sessions in unrelated contexts, allowing virtual
host confusion attacks in some configurations.
This issue was assigned CVE-2014-3616.
<br>
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/003_nginx.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li><a name="004_kernexec"></a>
<font color="#009000"><strong>004: RELIABILITY FIX: October 20, 2014</strong></font>
&nbsp; <i>All architectures</i><br>
Executable headers with an unaligned address will trigger a kernel panic.
<br>
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/004_kernexec.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li><a name="005_nosslv3"></a>
<font color="#009000"><strong>005: SECURITY FIX: October 20, 2014</strong></font>
&nbsp; <i>All architectures</i><br>
This patch disables the SSLv3 protocol by default.
<p>
<i>
Applications depending on SSLv3 may need to be recompiled with
<pre>    SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3);</pre>
but we recommend against the continued use of this obsolete protocol.
</i>
<p>
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/005_nosslv3.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li><a name="006_relayd"></a>
<font color="#009000"><strong>006: RELIABILITY FIX: November 17, 2014</strong></font>
&nbsp; <i>All architectures</i><br>
Certain http requests can crash relayd.
<br>
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/006_relayd.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

<li><a name="007_pfctl"></a>
<font color="#009000"><strong>007: SECURITY FIX: November 17, 2014</strong></font>
&nbsp; <i>All architectures</i><br>
PF rules of the form "pass from {192.0.2.1 2001:db8::1} to (pppoe0)" will
apply an incorrect /32 mask to the dynamic IPv6 address, allowing access to
a wide address range rather than the intended single host.
As a workaround, list the IPv4 address last, i.e. "{2001:db8::1 192.0.2.1}".
<br>
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/007_pfctl.patch.sig">
A source code patch exists which remedies this problem.</a>
<p>

</ul>

</body>
</html>