=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/plus36.html,v retrieving revision 1.3 retrieving revision 1.4 diff -c -r1.3 -r1.4 *** www/plus36.html 2005/03/24 13:09:56 1.3 --- www/plus36.html 2005/05/17 16:21:22 1.4 *************** *** 62,68 ****
  • Fix tcpdump(8)'s bpf(4) attachment on atw(4) devices.
  • SECURITY FIX: Eilko Bos reported that radius authentication, as implemented by login_radius(8), was not checking the shared secret used for replies sent by the radius server. This could allow an attacker to spoof a reply granting access to the attacker. Note that OpenBSD does not ship with radius authentication enabled.
    ! A source code patch is available.
    [Applied to stable]
  • Bail out of newfs(8) on errors when making very small filesystems. --- 62,68 ----
  • Fix tcpdump(8)'s bpf(4) attachment on atw(4) devices.
  • SECURITY FIX: Eilko Bos reported that radius authentication, as implemented by login_radius(8), was not checking the shared secret used for replies sent by the radius server. This could allow an attacker to spoof a reply granting access to the attacker. Note that OpenBSD does not ship with radius authentication enabled.
    ! A source code patch is available.
    [Applied to stable]
  • Bail out of newfs(8) on errors when making very small filesystems. *************** *** 75,81 ****
  • Stop routed(8) fiddling with routes controlled by bgpd(8).
  • SECURITY FIX: httpd(8)'s mod_rewrite module can be made to write one zero byte in an arbitrary memory position outside of a char array, causing a DoS or possibly buffer overflows. This would require enabling dbm for mod_rewrite and making use of a malicious dbm file.
    ! A source code patch is available.
    [Applied to stable]
  • Stop telnetd(8) closing the slave fd from openpty(3) and then reopening it. --- 75,81 ----
  • Stop routed(8) fiddling with routes controlled by bgpd(8).
  • SECURITY FIX: httpd(8)'s mod_rewrite module can be made to write one zero byte in an arbitrary memory position outside of a char array, causing a DoS or possibly buffer overflows. This would require enabling dbm for mod_rewrite and making use of a malicious dbm file.
    ! A source code patch is available.
    [Applied to stable]
  • Stop telnetd(8) closing the slave fd from openpty(3) and then reopening it. *************** *** 94,100 ****
  • Make sure kernfs_xread() isn't called with a negative offset.
  • SECURITY FIX: Chris Evans reported several flaws (stack and integer overflows) in the Xpm library code that parses image files (CAN-2004-0687, CAN-2004-0688). Some of these would be exploitable when parsing malicious image files in an application that handles XPM images, if they could escape ProPolice.
    ! A source code patch is available.
    [Applied to stable]
  • Stop non-MASTER carp(4) hosts replying to ARP requests, as this upsets some layer 3 switches. --- 94,100 ----
  • Make sure kernfs_xread() isn't called with a negative offset.
  • SECURITY FIX: Chris Evans reported several flaws (stack and integer overflows) in the Xpm library code that parses image files (CAN-2004-0687, CAN-2004-0688). Some of these would be exploitable when parsing malicious image files in an application that handles XPM images, if they could escape ProPolice.
    ! A source code patch is available.
    [Applied to stable]
  • Stop non-MASTER carp(4) hosts replying to ARP requests, as this upsets some layer 3 switches. *************** *** 113,119 ****
  • Make sure pkg_create(1) keeps track of the current working directory.
  • RELIABILITY FIX: Due to incorrect error handling in zlib an attacker could potentially cause a denial of service attack (CAN-2004-0797).
    ! A source code patch is available.
    [Applied to stable]
  • Have /etc/security(8) store a copy of the disklabel and report any changes. --- 113,119 ----
  • Make sure pkg_create(1) keeps track of the current working directory.
  • RELIABILITY FIX: Due to incorrect error handling in zlib an attacker could potentially cause a denial of service attack (CAN-2004-0797).
    ! A source code patch is available.
    [Applied to stable]
  • Have /etc/security(8) store a copy of the disklabel and report any changes. *************** *** 189,195 ****
  • A stack of ohci(4) fixes from NetBSD.
  • RELIABILITY FIX: Improved verification of ICMP errors in order to minimize the impact of ICMP attacks against TCP.
    ! A source code patch is available.
    [Applied to stable]
  • Show the difference between the expected and received IP checksum in tcpdump(8).
  • Now that tcpdump(8) decodes the IP fragment returned in an ICMP error message, allow the TCP parser to print the source and destination ports from incomplete TCP headers. --- 189,195 ----
  • A stack of ohci(4) fixes from NetBSD.
  • RELIABILITY FIX: Improved verification of ICMP errors in order to minimize the impact of ICMP attacks against TCP.
    ! A source code patch is available.
    [Applied to stable]
  • Show the difference between the expected and received IP checksum in tcpdump(8).
  • Now that tcpdump(8) decodes the IP fragment returned in an ICMP error message, allow the TCP parser to print the source and destination ports from incomplete TCP headers. *************** *** 454,460 ****
  • Keep track of historical offset and delay values in ntpd(8), for later use in filtering.
  • RELIABILITY FIX: Under certain network load the kernel can run out of stack space. This was encountered in an environment using CARP on a VLAN interface. this issue initially manifested itself as an FPU-related crash on bootup.
    ! A source code patch is available.
    [Applied to stable]
  • Fix a segfault in routed(8) with rtquery(8) messages from a non-local host (PR#3841).
  • Fix ntpd(8)'s conversion from seconds to microseconds. --- 454,460 ----
  • Keep track of historical offset and delay values in ntpd(8), for later use in filtering.
  • RELIABILITY FIX: Under certain network load the kernel can run out of stack space. This was encountered in an environment using CARP on a VLAN interface. this issue initially manifested itself as an FPU-related crash on bootup.
    ! A source code patch is available.
    [Applied to stable]
  • Fix a segfault in routed(8) with rtquery(8) messages from a non-local host (PR#3841).
  • Fix ntpd(8)'s conversion from seconds to microseconds. *************** *** 749,758 ****
  • CAN-2004-0488: Stack-based buffer overflow ... in mod_ssl, when mod_ssl is configured to trust the issuing CA, may allow attackers to execute arbitrary code via a client certificate with a long subject DN.
  • CAN-2004-0492: [mod_proxy] Reject responses from a remote server if sent an invalid (negative) Content-Length: header. ! A source code patch is available.
    [Applied to stable]
  • SECURITY FIX: As disclosed by Thomas Walpuski, isakmpd(8) is still vulnerable to unauthorized SA deletion. An attacker can delete IPsec tunnels at will.
    ! A source code patch is available.
    [Applied to stable]
  • Add src/lib/libintl and libc i18n directories to the repository. --- 749,758 ----
  • CAN-2004-0488: Stack-based buffer overflow ... in mod_ssl, when mod_ssl is configured to trust the issuing CA, may allow attackers to execute arbitrary code via a client certificate with a long subject DN.
  • CAN-2004-0492: [mod_proxy] Reject responses from a remote server if sent an invalid (negative) Content-Length: header. ! A source code patch is available.
    [Applied to stable]
  • SECURITY FIX: As disclosed by Thomas Walpuski, isakmpd(8) is still vulnerable to unauthorized SA deletion. An attacker can delete IPsec tunnels at will.
    ! A source code patch is available.
    [Applied to stable]
  • Add src/lib/libintl and libc i18n directories to the repository. *************** *** 760,766 ****
  • Fix IPv4 name-to-address translation, so invalid octet values won't be accepted and CIDR address/mask pairs finally work the way one expects.
  • In tcpdump(8)'s privsep localtime(3) replacement, deal better with timezones with granularity of less than one hour.
  • SECURITY FIX: Multiple remote vulnerabilities have been found in the cvs(1) server that will allow an attacker to crash the server or possibly execute arbitrary code with the same privileges as the CVS server program.
    ! A source code patch is available.
  • On i386 (ppro and above), use the calibrated value for the CPU speed over the value returned by the CPU itself, fixing PR#3814.
  • Use a dynamically allocated array of pollfds in bgpd(8).
  • Try to prevent isakmpd(8) deleting SAs on receipt of malicious IKE messages. --- 760,766 ----
  • Fix IPv4 name-to-address translation, so invalid octet values won't be accepted and CIDR address/mask pairs finally work the way one expects.
  • In tcpdump(8)'s privsep localtime(3) replacement, deal better with timezones with granularity of less than one hour.
  • SECURITY FIX: Multiple remote vulnerabilities have been found in the cvs(1) server that will allow an attacker to crash the server or possibly execute arbitrary code with the same privileges as the CVS server program.
    ! A source code patch is available.
  • On i386 (ppro and above), use the calibrated value for the CPU speed over the value returned by the CPU itself, fixing PR#3814.
  • Use a dynamically allocated array of pollfds in bgpd(8).
  • Try to prevent isakmpd(8) deleting SAs on receipt of malicious IKE messages. *************** *** 786,792 ****
  • CAN-2003-0020: Apache does not filter terminal escape sequences from its error logs.
  • CAN-2003-0987: Apache mod_digest does not properly verify the nonce of a client response by using an AuthNonce secret. ! A source code patch is available.
    [Applied to stable]
  • Out-of-line spl(9) functions in SMP on i386, mirroring the UP change to fix VFS corruption. --- 786,792 ----
  • CAN-2003-0020: Apache does not filter terminal escape sequences from its error logs.
  • CAN-2003-0987: Apache mod_digest does not properly verify the nonce of a client response by using an AuthNonce secret. ! A source code patch is available.
    [Applied to stable]
  • Out-of-line spl(9) functions in SMP on i386, mirroring the UP change to fix VFS corruption. *************** *** 929,935 ****
  • Let ipsecadm(8) delete tcpmd5 SAs.
  • Fix ipsecadm(8) so that ipcomp(4) can be used.
  • SECURITY FIX: With the introduction of IPv6 code in xdm(1), one test on the 'requestPort' resource was deleted by accident. This makes xdm create the chooser socket even if XDMCP is disabled in xdm-config, by setting requestPort to 0. See XFree86 bugzilla for details.
    ! A source code patch is available.
    [Applied to stable]
  • Fix a boot-time crasher in ahd(4).
  • Add (to i386 and amd64) ehci(4), a USB Enhanced Host Controller Interface driver, for USB 2.0 support. --- 929,935 ----
  • Let ipsecadm(8) delete tcpmd5 SAs.
  • Fix ipsecadm(8) so that ipcomp(4) can be used.
  • SECURITY FIX: With the introduction of IPv6 code in xdm(1), one test on the 'requestPort' resource was deleted by accident. This makes xdm create the chooser socket even if XDMCP is disabled in xdm-config, by setting requestPort to 0. See XFree86 bugzilla for details.
    ! A source code patch is available.
    [Applied to stable]
  • Fix a boot-time crasher in ahd(4).
  • Add (to i386 and amd64) ehci(4), a USB Enhanced Host Controller Interface driver, for USB 2.0 support. *************** *** 959,969 ****
  • Allow anchors within anchors in pf(4). More work to come.
  • Don't recursively call nd6_output() when route allocation fails, just return a host unreachable error.
  • SECURITY FIX: A heap overflow in the cvs(1) server has been discovered that can be exploited by clients sending malformed requests. These clients can then run arbitrary code with the same privileges as the CVS server program.
    ! A source code patch is available.
    [Applied to stable]
  • Allow symbolic service- and protocol names in isakmpd(8), so e.g. "Protocol=tcp" now works.
  • SECURITY FIX: A flaw in the Kerberos V kdc(8) server could result in the administrator of a Kerberos realm having the ability to impersonate any principal in any other realm which has established a cross-realm trust with their realm. The flaw is due to inadequate checking of the "transited" field in a Kerberos request. For more details see Heimdal's announcement.
    ! A source code patch is available.
    [Applied to stable]
  • Add word boundary tests to the regexes that find @-commands in pkg_add(1) etc. packing lists.
  • Fix SIGINT handling in sftp(1). --- 959,969 ----
  • Allow anchors within anchors in pf(4). More work to come.
  • Don't recursively call nd6_output() when route allocation fails, just return a host unreachable error.
  • SECURITY FIX: A heap overflow in the cvs(1) server has been discovered that can be exploited by clients sending malformed requests. These clients can then run arbitrary code with the same privileges as the CVS server program.
    ! A source code patch is available.
    [Applied to stable]
  • Allow symbolic service- and protocol names in isakmpd(8), so e.g. "Protocol=tcp" now works.
  • SECURITY FIX: A flaw in the Kerberos V kdc(8) server could result in the administrator of a Kerberos realm having the ability to impersonate any principal in any other realm which has established a cross-realm trust with their realm. The flaw is due to inadequate checking of the "transited" field in a Kerberos request. For more details see Heimdal's announcement.
    ! A source code patch is available.
    [Applied to stable]
  • Add word boundary tests to the regexes that find @-commands in pkg_add(1) etc. packing lists.
  • Fix SIGINT handling in sftp(1). *************** *** 1085,1091 ****
  • Add strchr() and strrchr() to libkern.
  • SECURITY FIX: Check for integer overflow in procfs. Use of procfs is not recommended.
    ! A source code patch is available.
    [Applied to stable]
  • When a pf(4) scrub rule with the 'reassemble tcp' option is in effect, use RFC1913 PAWS as a means of extending the TCP sequence space by 10 to 18 bits. This makes blind insertion attacks much more difficult, because the timestamp needs to be guessed as well as the TCP sequence number.
  • Sprinkle strtonum(3) liberally all over ifconfig(8). --- 1085,1091 ----
  • Add strchr() and strrchr() to libkern.
  • SECURITY FIX: Check for integer overflow in procfs. Use of procfs is not recommended.
    ! A source code patch is available.
    [Applied to stable]
  • When a pf(4) scrub rule with the 'reassemble tcp' option is in effect, use RFC1913 PAWS as a means of extending the TCP sequence space by 10 to 18 bits. This makes blind insertion attacks much more difficult, because the timestamp needs to be guessed as well as the TCP sequence number.
  • Sprinkle strtonum(3) liberally all over ifconfig(8). *************** *** 1272,1278 ****
  • Sync the em(4) driver with FreeBSD.
  • Tidy up usb(4) kernel configs in line with recent i386 changes.
  • RELIABILITY FIX: Restore the ability to negotiate tags/wide/sync with some SCSI controllers (siop(4), trm(4) and iha(4)).
    ! A source code patch is available.
    [Applied to stable]
  • Since dhcpd(8) can now be invoked legitimately without an interface, don't abort when the user doesn't give any options. --- 1272,1278 ----
  • Sync the em(4) driver with FreeBSD.
  • Tidy up usb(4) kernel configs in line with recent i386 changes.
  • RELIABILITY FIX: Restore the ability to negotiate tags/wide/sync with some SCSI controllers (siop(4), trm(4) and iha(4)).
    ! A source code patch is available.
    [Applied to stable]
  • Since dhcpd(8) can now be invoked legitimately without an interface, don't abort when the user doesn't give any options. *************** *** 1288,1294 ****
  • Undo a non-fix in shared memory sysctl(3) kern.shminfo.shmmni.
    [Applied to stable] SECURITY FIX: Pathname validation problems have been found in cvs(1), allowing malicious clients to create files outside the repository, allowing malicious servers to overwrite files outside the local CVS tree on the client and allowing clients to check out files outside the CVS repository.
    ! A source code patch is available.
    [Applied to stable]
  • Some address family agnosticism in bgpd(8).
  • Let bgpctl(8) show IPv6 peer addresses in neighbour view. --- 1288,1294 ----
  • Undo a non-fix in shared memory sysctl(3) kern.shminfo.shmmni.
    [Applied to stable] SECURITY FIX: Pathname validation problems have been found in cvs(1), allowing malicious clients to create files outside the repository, allowing malicious servers to overwrite files outside the local CVS tree on the client and allowing clients to check out files outside the CVS repository.
    ! A source code patch is available.
    [Applied to stable]
  • Some address family agnosticism in bgpd(8).
  • Let bgpctl(8) show IPv6 peer addresses in neighbour view. *************** *** 1349,1355 ****
  • Implement a rate limit for TCP ACKs of 100pps, and use this more general mechanism for in-window SYN handling too.
  • Safely handle aborts in malloc(3) etc. without tripping the recursive call handler by mistake.
  • RELIABILITY FIX: Under load "recent model" gdt(4) controllers will lock up.
    ! A source code patch is available.
    [Applied to stable]
  • Fix an accidental busy-wait in sensorsd(8). --- 1349,1355 ----
  • Implement a rate limit for TCP ACKs of 100pps, and use this more general mechanism for in-window SYN handling too.
  • Safely handle aborts in malloc(3) etc. without tripping the recursive call handler by mistake.
  • RELIABILITY FIX: Under load "recent model" gdt(4) controllers will lock up.
    ! A source code patch is available.
    [Applied to stable]
  • Fix an accidental busy-wait in sensorsd(8). *************** *** 1414,1420 ****
  • Under Linux emulation, pass madvise(2) straight through to the native syscall.
  • RELIABILITY FIX: Reply to in-window SYN with a rate-limited ACK.
    ! A source code patch is available.
    [Applied to stable]
  • Don't try to recreate the xfs(1) logfile after dropping privileges.
  • Don't abort xfs(1) gracelessly when handling an unimplemented protocol request. --- 1414,1420 ----
  • Under Linux emulation, pass madvise(2) straight through to the native syscall.
  • RELIABILITY FIX: Reply to in-window SYN with a rate-limited ACK.
    ! A source code patch is available.
    [Applied to stable]
  • Don't try to recreate the xfs(1) logfile after dropping privileges.
  • Don't abort xfs(1) gracelessly when handling an unimplemented protocol request. *************** *** 1502,1508 ****
    OpenBSD www@openbsd.org !
    $OpenBSD: plus36.html,v 1.3 2005/03/24 13:09:56 deraadt Exp $ --- 1502,1508 ----
    OpenBSD www@openbsd.org !
    $OpenBSD: plus36.html,v 1.4 2005/05/17 16:21:22 deraadt Exp $
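Review bot: In the 62,68 hunk, and in every following hunk except the last, the lines marked `!` are the "A source code patch is available." links, and their visible text is identical on the old and new sides, so the substance of the change is in markup this text-only rendering does not show (most likely the link target). Before applying, check each changed link against the corresponding errata entry, since the visible diff cannot confirm that a security patch link now resolves to the matching patch.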
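Review bot: In the 454,460 hunk the RELIABILITY FIX entry reads "... on a VLAN interface. this issue initially manifested itself ..." with a lowercase "this" after the full stop, on both sides; since the entry is being touched anyway, capitalise it to "This issue initially manifested itself".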
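Review bot: In the 760,766 hunk the cvs(1) SECURITY FIX entry has "A source code patch is available." but no "[Applied to stable]" line, unlike every other SECURITY FIX and RELIABILITY FIX entry in this diff. If the patch was merged to -stable, add the marker while these lines are being changed; if the omission is deliberate, it is worth confirming in the commit.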
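Review bot: In the 1288,1294 hunk the text "[Applied to stable] SECURITY FIX: Pathname validation problems ..." shows the stable marker sitting in front of the entry text, directly after the unrelated "Undo a non-fix in shared memory sysctl(3)" item, while a second "[Applied to stable]" follows the entry's patch link as usual; this is unchanged by the diff but appears on both sides. Check the source HTML for a misplaced marker on the preceding item and remove or move it so the cvs(1) entry carries exactly one marker after its patch link.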