===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/security.html,v
retrieving revision 1.386
retrieving revision 1.387
diff -c -r1.386 -r1.387
*** www/security.html	2010/05/21 16:06:05	1.386
--- www/security.html	2011/05/01 15:24:14	1.387
***************
*** 54,61 ****
  <a href="#31">3.1</a>,
  <a href="#32">3.2</a>,
  <a href="#33">3.3</a>,
- <br>
  <a href="#34">3.4</a>,
  <a href="#35">3.5</a>,
  <a href="#36">3.6</a>,
  <a href="#37">3.7</a>,
--- 54,61 ----
  <a href="#31">3.1</a>,
  <a href="#32">3.2</a>,
  <a href="#33">3.3</a>,
  <a href="#34">3.4</a>,
+ <br>
  <a href="#35">3.5</a>,
  <a href="#36">3.6</a>,
  <a href="#37">3.7</a>,
***************
*** 68,74 ****
  <a href="#44">4.4</a>,
  <a href="#45">4.5</a>,
  <a href="#46">4.6</a>,
! <a href="#47">4.7</a>.
  </td>
  </tr>
  </table>
--- 68,76 ----
  <a href="#44">4.4</a>,
  <a href="#45">4.5</a>,
  <a href="#46">4.6</a>,
! <a href="#47">4.7</a>,
! <a href="#48">4.8</a>,
! <a href="#49">4.9</a>.
  </td>
  </tr>
  </table>
***************
*** 233,238 ****
--- 235,292 ----
  <li><h3><font color="#e00000">Advisories</font></h3><p>
  
  <li>
+ <a name="49"></a>
+ 
+ <h3><font color="#e00000">OpenBSD 4.9 Security Advisories</font></h3>
+ These are the OpenBSD 4.9 advisories -- all these problems are solved
+ in <a href=anoncvs.html>OpenBSD current</a> and the
+ <a href=stable.html>patch branch</a>.
+ 
+ <p>
+ <ul>
+ None yet!
+ </ul>
+ 
+ <li>
+ <a name="48"></a>
+ 
+ <h3><font color="#e00000">OpenBSD 4.8 Security Advisories</font></h3>
+ These are the OpenBSD 4.8 advisories -- all these problems are solved
+ in <a href=anoncvs.html>OpenBSD current</a> and the
+ <a href=stable.html>patch branch</a>.
+ 
+ <p>
+ <ul>
+ <li><a href="errata48.html#009_pf">February 16, 2011:
+ 	PF rules specifying address ranges (e.g. "10.1.1.1 - 10.1.1.5") were
+ 	not correctly handled on little-endian systems (alpha, amd64, arm, i386,
+ 	mips64el, vax). Other address types (bare addresses "10.1.1.1" and
+ 	prefixes "10.1.1.1/30") are not affected.</a>
+ <li><a href="errata48.html#008_openssl">February 11, 2011:
+ 	An incorrectly formatted ClientHello handshake message could cause
+ 	OpenSSL to parse past the end of the message.  An attacker could use
+ 	this flaw to trigger an invalid memory access, causing a crash of an
+ 	application linked to OpenSSL.  As well, certain applications may expose
+ 	the contents of parsed OCSP extensions, specifically the OCSP nonce
+ 	extension.
+ <br>
+ 	Applications are only affected if they act as a server and call
+ 	SSL_CTX_set_tlsext_status_cb on the server's SSL_CTX.  It is believed
+ 	that nothing in the base OS uses this.  Apache httpd started using this
+ 	in v2.3.3; this is newer than the version in ports.</a>
+ <li><a href="errata48.html#005_pf">December 17, 2010:
+ 	Insufficent initialization of the pf rule structure in the ioctl
+ 	handler may allow userland to modify kernel memory. By default root
+ 	privileges are needed to add or modify pf rules.</a>
+ </ul>
+ 
+ <p>
+ OpenBSD 4.7 and earlier releases are not supported anymore. The following
+ paragraphs only list advisories issued while they were maintained; these
+ releases are likely to be affected by the advisories for more recent releases.
+ <br>
+ 
+ <li>
  <a name="47"></a>
  
  <h3><font color="#e00000">OpenBSD 4.7 Security Advisories</font></h3>
***************
*** 242,247 ****
--- 296,324 ----
  
  <p>
  <ul>
+ <li><a href="errata47.html#013_pf">February 16, 2011:
+ 	PF rules specifying address ranges (e.g. "10.1.1.1 - 10.1.1.5") were
+ 	not correctly handled on little-endian systems (alpha, amd64, arm, i386,
+ 	mips64el, vax). Other address types (bare addresses "10.1.1.1" and
+ 	prefixes "10.1.1.1/30") are not affected.</a>
+ <li><a href="errata47.html#012_openssl">February 11, 2011:
+ 	An incorrectly formatted ClientHello handshake message could cause
+ 	OpenSSL to parse past the end of the message.  An attacker could use
+ 	this flaw to trigger an invalid memory access, causing a crash of an
+ 	application linked to OpenSSL.  As well, certain applications may expose
+ 	the contents of parsed OCSP extensions, specifically the OCSP nonce
+ 	extension.
+ <br>
+ 	Applications are only affected if they act as a server and call
+ 	SSL_CTX_set_tlsext_status_cb on the server's SSL_CTX.  It is believed
+ 	that nothing in the base OS uses this.  Apache httpd started using this
+ 	in v2.3.3; this is newer than the version in ports.</a>
+ <li><a href="errata47.html#009_pf">December 17, 2010:
+ 	Insufficent initialization of the pf rule structure in the ioctl
+ 	handler may allow userland to modify kernel memory. By default root
+ 	privileges are needed to add or modify pf rules.</a>
+ <li><a href="errata47.html#004_pfsync">April 23, 2010:
+ 	The combination of pfsync and IPSEC may crash the kernel.</a>
  <li><a href="errata47.html#003_openssl">April 14, 2010:
  	In TLS connections, certain incorrectly formatted records can
  	cause an OpenSSL client or server to crash due to a read
***************
*** 270,281 ****
          related to renegotiation</a>.
  </ul>
  
- <p>
- OpenBSD 4.5 and earlier releases are not supported anymore. The following
- paragraphs only list advisories issued while they were maintained; these
- releases are likely to be affected by the advisories for more recent releases.
- <br>
- 
  <li>
  <a name="45"></a>
  
--- 347,352 ----
***************
*** 1758,1764 ****
  <a href="index.html"><img height=24 width=24 src="back.gif" border=0 alt="OpenBSD"></a>
  <a href="mailto:www@openbsd.org">www@openbsd.org</a>
  <br>
! <small>$OpenBSD: security.html,v 1.386 2010/05/21 16:06:05 miod Exp $</small>
  
  </body>
  </html>
--- 1829,1835 ----
  <a href="index.html"><img height=24 width=24 src="back.gif" border=0 alt="OpenBSD"></a>
  <a href="mailto:www@openbsd.org">www@openbsd.org</a>
  <br>
! <small>$OpenBSD: security.html,v 1.387 2011/05/01 15:24:14 miod Exp $</small>
  
  </body>
  </html>