===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/security.html,v
retrieving revision 1.386
retrieving revision 1.387
diff -c -r1.386 -r1.387
*** www/security.html 2010/05/21 16:06:05 1.386
--- www/security.html 2011/05/01 15:24:14 1.387
***************
*** 54,61 ****
3.1,
3.2,
3.3,
-
3.4,
3.5,
3.6,
3.7,
--- 54,61 ----
3.1,
3.2,
3.3,
3.4,
+
3.5,
3.6,
3.7,
***************
*** 68,74 ****
4.4,
4.5,
4.6,
! 4.7.
--- 68,76 ----
4.4,
4.5,
4.6,
! 4.7,
! 4.8,
! 4.9.
***************
*** 233,238 ****
--- 235,292 ----
Advisories
+
+
+ OpenBSD 4.9 Security Advisories
+ These are the OpenBSD 4.9 advisories -- all these problems are solved
+ in OpenBSD current and the
+ patch branch.
+
+
+
+
+
+
+
+ OpenBSD 4.8 Security Advisories
+ These are the OpenBSD 4.8 advisories -- all these problems are solved
+ in OpenBSD current and the
+ patch branch.
+
+
+
+ - February 16, 2011:
+ PF rules specifying address ranges (e.g. "10.1.1.1 - 10.1.1.5") were
+ not correctly handled on little-endian systems (alpha, amd64, arm, i386,
+ mips64el, vax). Other address types (bare addresses "10.1.1.1" and
+ prefixes "10.1.1.1/30") are not affected.
+
- February 11, 2011:
+ An incorrectly formatted ClientHello handshake message could cause
+ OpenSSL to parse past the end of the message. An attacker could use
+ this flaw to trigger an invalid memory access, causing a crash of an
+ application linked to OpenSSL. As well, certain applications may expose
+ the contents of parsed OCSP extensions, specifically the OCSP nonce
+ extension.
+
+ Applications are only affected if they act as a server and call
+ SSL_CTX_set_tlsext_status_cb on the server's SSL_CTX. It is believed
+ that nothing in the base OS uses this. Apache httpd started using this
+ in v2.3.3; this is newer than the version in ports.
+ - December 17, 2010:
+ Insufficent initialization of the pf rule structure in the ioctl
+ handler may allow userland to modify kernel memory. By default root
+ privileges are needed to add or modify pf rules.
+
+
+
+ OpenBSD 4.7 and earlier releases are not supported anymore. The following
+ paragraphs only list advisories issued while they were maintained; these
+ releases are likely to be affected by the advisories for more recent releases.
+
+
+
OpenBSD 4.7 Security Advisories
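Review bot: "Insufficent initialization of the pf rule structure" in the December 17, 2010 entry should read "Insufficient"; since the same sentence is copied into the 4.7 section further down, fix it in both places. The "- February 11, 2011:" date line at the start of the OpenSSL entry carries no "+" marker while every other new line in this block does, so as pasted the hunk is inconsistent and would not apply cleanly; either the marker was lost on the way here or that line still needs to be added. Minor: the new 4.9 section reuses the boilerplate "all these problems are solved in OpenBSD current and the patch branch" above an empty list, which reads oddly until the first 4.9 advisory lands.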
***************
*** 242,247 ****
--- 296,324 ----
+ - February 16, 2011:
+ PF rules specifying address ranges (e.g. "10.1.1.1 - 10.1.1.5") were
+ not correctly handled on little-endian systems (alpha, amd64, arm, i386,
+ mips64el, vax). Other address types (bare addresses "10.1.1.1" and
+ prefixes "10.1.1.1/30") are not affected.
+
- February 11, 2011:
+ An incorrectly formatted ClientHello handshake message could cause
+ OpenSSL to parse past the end of the message. An attacker could use
+ this flaw to trigger an invalid memory access, causing a crash of an
+ application linked to OpenSSL. As well, certain applications may expose
+ the contents of parsed OCSP extensions, specifically the OCSP nonce
+ extension.
+
+ Applications are only affected if they act as a server and call
+ SSL_CTX_set_tlsext_status_cb on the server's SSL_CTX. It is believed
+ that nothing in the base OS uses this. Apache httpd started using this
+ in v2.3.3; this is newer than the version in ports.
+ - December 17, 2010:
+ Insufficent initialization of the pf rule structure in the ioctl
+ handler may allow userland to modify kernel memory. By default root
+ privileges are needed to add or modify pf rules.
+
- April 23, 2010:
+ The combination of pfsync and IPSEC may crash the kernel.
- April 14, 2010:
In TLS connections, certain incorrectly formatted records can
cause an OpenSSL client or server to crash due to a read
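Review bot: the April 23, 2010 entry only now gets its description ("The combination of pfsync and IPSEC may crash the kernel."); the old side of this hunk is empty, so that date previously had no text under it, and the commit message should mention this unrelated fix rather than folding it silently into the 4.8/4.9 update. The three new entries above it duplicate the 4.8 block verbatim, "Insufficent" typo and missing "+" on the "- February 11, 2011:" line included, so whatever is corrected there has to be corrected here too.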
***************
*** 270,281 ****
related to renegotiation.
-
- OpenBSD 4.5 and earlier releases are not supported anymore. The following
- paragraphs only list advisories issued while they were maintained; these
- releases are likely to be affected by the advisories for more recent releases.
-
-
--- 347,352 ----
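Review bot: dropping the "OpenBSD 4.5 and earlier releases are not supported anymore" paragraph is only correct together with the "OpenBSD 4.7 and earlier" paragraph added above the 4.7 section; check that the 4.6 and 4.5 sections still follow that new notice, otherwise its "the following paragraphs" wording no longer covers them.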
***************
*** 1758,1764 ****
www@openbsd.org
! $OpenBSD: security.html,v 1.386 2010/05/21 16:06:05 miod Exp $
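Review bot: this hunk is cut off after the old "$OpenBSD: security.html,v 1.386" ident line; the "---" side with the updated ident for 1.387 is not shown, so the diff as pasted is incomplete and cannot be applied as-is.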