===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/security.html,v
retrieving revision 1.386
retrieving revision 1.387
diff -u -r1.386 -r1.387
--- www/security.html	2010/05/21 16:06:05	1.386
+++ www/security.html	2011/05/01 15:24:14	1.387
@@ -54,8 +54,8 @@
 <a href="#31">3.1</a>,
 <a href="#32">3.2</a>,
 <a href="#33">3.3</a>,
-<br>
 <a href="#34">3.4</a>,
+<br>
 <a href="#35">3.5</a>,
 <a href="#36">3.6</a>,
 <a href="#37">3.7</a>,
@@ -68,7 +68,9 @@
 <a href="#44">4.4</a>,
 <a href="#45">4.5</a>,
 <a href="#46">4.6</a>,
-<a href="#47">4.7</a>.
+<a href="#47">4.7</a>,
+<a href="#48">4.8</a>,
+<a href="#49">4.9</a>.
 </td>
 </tr>
 </table>
@@ -233,6 +235,58 @@
 <li><h3><font color="#e00000">Advisories</font></h3><p>
 
 <li>
+<a name="49"></a>
+
+<h3><font color="#e00000">OpenBSD 4.9 Security Advisories</font></h3>
+These are the OpenBSD 4.9 advisories -- all these problems are solved
+in <a href=anoncvs.html>OpenBSD current</a> and the
+<a href=stable.html>patch branch</a>.
+
+<p>
+<ul>
+None yet!
+</ul>
+
+<li>
+<a name="48"></a>
+
+<h3><font color="#e00000">OpenBSD 4.8 Security Advisories</font></h3>
+These are the OpenBSD 4.8 advisories -- all these problems are solved
+in <a href=anoncvs.html>OpenBSD current</a> and the
+<a href=stable.html>patch branch</a>.
+
+<p>
+<ul>
+<li><a href="errata48.html#009_pf">February 16, 2011:
+	PF rules specifying address ranges (e.g. "10.1.1.1 - 10.1.1.5") were
+	not correctly handled on little-endian systems (alpha, amd64, arm, i386,
+	mips64el, vax). Other address types (bare addresses "10.1.1.1" and
+	prefixes "10.1.1.1/30") are not affected.</a>
+<li><a href="errata48.html#008_openssl">February 11, 2011:
+	An incorrectly formatted ClientHello handshake message could cause
+	OpenSSL to parse past the end of the message.  An attacker could use
+	this flaw to trigger an invalid memory access, causing a crash of an
+	application linked to OpenSSL.  As well, certain applications may expose
+	the contents of parsed OCSP extensions, specifically the OCSP nonce
+	extension.
+<br>
+	Applications are only affected if they act as a server and call
+	SSL_CTX_set_tlsext_status_cb on the server's SSL_CTX.  It is believed
+	that nothing in the base OS uses this.  Apache httpd started using this
+	in v2.3.3; this is newer than the version in ports.</a>
+<li><a href="errata48.html#005_pf">December 17, 2010:
+	Insufficent initialization of the pf rule structure in the ioctl
+	handler may allow userland to modify kernel memory. By default root
+	privileges are needed to add or modify pf rules.</a>
+</ul>
+
+<p>
+OpenBSD 4.7 and earlier releases are not supported anymore. The following
+paragraphs only list advisories issued while they were maintained; these
+releases are likely to be affected by the advisories for more recent releases.
+<br>
+
+<li>
 <a name="47"></a>
 
 <h3><font color="#e00000">OpenBSD 4.7 Security Advisories</font></h3>
@@ -242,6 +296,29 @@
 
 <p>
 <ul>
+<li><a href="errata47.html#013_pf">February 16, 2011:
+	PF rules specifying address ranges (e.g. "10.1.1.1 - 10.1.1.5") were
+	not correctly handled on little-endian systems (alpha, amd64, arm, i386,
+	mips64el, vax). Other address types (bare addresses "10.1.1.1" and
+	prefixes "10.1.1.1/30") are not affected.</a>
+<li><a href="errata47.html#012_openssl">February 11, 2011:
+	An incorrectly formatted ClientHello handshake message could cause
+	OpenSSL to parse past the end of the message.  An attacker could use
+	this flaw to trigger an invalid memory access, causing a crash of an
+	application linked to OpenSSL.  As well, certain applications may expose
+	the contents of parsed OCSP extensions, specifically the OCSP nonce
+	extension.
+<br>
+	Applications are only affected if they act as a server and call
+	SSL_CTX_set_tlsext_status_cb on the server's SSL_CTX.  It is believed
+	that nothing in the base OS uses this.  Apache httpd started using this
+	in v2.3.3; this is newer than the version in ports.</a>
+<li><a href="errata47.html#009_pf">December 17, 2010:
+	Insufficent initialization of the pf rule structure in the ioctl
+	handler may allow userland to modify kernel memory. By default root
+	privileges are needed to add or modify pf rules.</a>
+<li><a href="errata47.html#004_pfsync">April 23, 2010:
+	The combination of pfsync and IPSEC may crash the kernel.</a>
 <li><a href="errata47.html#003_openssl">April 14, 2010:
 	In TLS connections, certain incorrectly formatted records can
 	cause an OpenSSL client or server to crash due to a read
@@ -270,12 +347,6 @@
         related to renegotiation</a>.
 </ul>
 
-<p>
-OpenBSD 4.5 and earlier releases are not supported anymore. The following
-paragraphs only list advisories issued while they were maintained; these
-releases are likely to be affected by the advisories for more recent releases.
-<br>
-
 <li>
 <a name="45"></a>
 
@@ -1758,7 +1829,7 @@
 <a href="index.html"><img height=24 width=24 src="back.gif" border=0 alt="OpenBSD"></a>
 <a href="mailto:www@openbsd.org">www@openbsd.org</a>
 <br>
-<small>$OpenBSD: security.html,v 1.386 2010/05/21 16:06:05 miod Exp $</small>
+<small>$OpenBSD: security.html,v 1.387 2011/05/01 15:24:14 miod Exp $</small>
 
 </body>
 </html>