===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/security.html,v
retrieving revision 1.386
retrieving revision 1.387
diff -u -r1.386 -r1.387
--- www/security.html 2010/05/21 16:06:05 1.386
+++ www/security.html 2011/05/01 15:24:14 1.387
@@ -54,8 +54,8 @@
3.1,
3.2,
3.3,
-
3.4,
+
3.5,
3.6,
3.7,
@@ -68,7 +68,9 @@
4.4,
4.5,
4.6,
-4.7.
+4.7,
+4.8,
+4.9.
@@ -233,6 +235,58 @@
Advisories
+
+
+OpenBSD 4.9 Security Advisories
+These are the OpenBSD 4.9 advisories -- all these problems are solved
+in OpenBSD current and the
+patch branch.
+
+
+
+
+
+
+
+OpenBSD 4.8 Security Advisories
+These are the OpenBSD 4.8 advisories -- all these problems are solved
+in OpenBSD current and the
+patch branch.
+
+
+
+- February 16, 2011:
+ PF rules specifying address ranges (e.g. "10.1.1.1 - 10.1.1.5") were
+ not correctly handled on little-endian systems (alpha, amd64, arm, i386,
+ mips64el, vax). Other address types (bare addresses "10.1.1.1" and
+ prefixes "10.1.1.1/30") are not affected.
+
- February 11, 2011:
+ An incorrectly formatted ClientHello handshake message could cause
+ OpenSSL to parse past the end of the message. An attacker could use
+ this flaw to trigger an invalid memory access, causing a crash of an
+ application linked to OpenSSL. As well, certain applications may expose
+ the contents of parsed OCSP extensions, specifically the OCSP nonce
+ extension.
+
+ Applications are only affected if they act as a server and call
+ SSL_CTX_set_tlsext_status_cb on the server's SSL_CTX. It is believed
+ that nothing in the base OS uses this. Apache httpd started using this
+ in v2.3.3; this is newer than the version in ports.
+ - December 17, 2010:
+ Insufficent initialization of the pf rule structure in the ioctl
+ handler may allow userland to modify kernel memory. By default root
+ privileges are needed to add or modify pf rules.
+
+
+
+OpenBSD 4.7 and earlier releases are not supported anymore. The following
+paragraphs only list advisories issued while they were maintained; these
+releases are likely to be affected by the advisories for more recent releases.
+
+
+
OpenBSD 4.7 Security Advisories
@@ -242,6 +296,29 @@
+- February 16, 2011:
+ PF rules specifying address ranges (e.g. "10.1.1.1 - 10.1.1.5") were
+ not correctly handled on little-endian systems (alpha, amd64, arm, i386,
+ mips64el, vax). Other address types (bare addresses "10.1.1.1" and
+ prefixes "10.1.1.1/30") are not affected.
+
- February 11, 2011:
+ An incorrectly formatted ClientHello handshake message could cause
+ OpenSSL to parse past the end of the message. An attacker could use
+ this flaw to trigger an invalid memory access, causing a crash of an
+ application linked to OpenSSL. As well, certain applications may expose
+ the contents of parsed OCSP extensions, specifically the OCSP nonce
+ extension.
+
+ Applications are only affected if they act as a server and call
+ SSL_CTX_set_tlsext_status_cb on the server's SSL_CTX. It is believed
+ that nothing in the base OS uses this. Apache httpd started using this
+ in v2.3.3; this is newer than the version in ports.
+ - December 17, 2010:
+ Insufficent initialization of the pf rule structure in the ioctl
+ handler may allow userland to modify kernel memory. By default root
+ privileges are needed to add or modify pf rules.
+
- April 23, 2010:
+ The combination of pfsync and IPSEC may crash the kernel.
- April 14, 2010:
In TLS connections, certain incorrectly formatted records can
cause an OpenSSL client or server to crash due to a read
@@ -270,12 +347,6 @@
related to renegotiation.
-
-OpenBSD 4.5 and earlier releases are not supported anymore. The following
-paragraphs only list advisories issued while they were maintained; these
-releases are likely to be affected by the advisories for more recent releases.
-
-
@@ -1758,7 +1829,7 @@
www@openbsd.org
-$OpenBSD: security.html,v 1.386 2010/05/21 16:06:05 miod Exp $
+$OpenBSD: security.html,v 1.387 2011/05/01 15:24:14 miod Exp $