OpenBSD 4.7 Errata

For errata on a certain release, click below:
2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 3.0, 3.1, 3.2, 3.3, 3.4, 3.5,
3.6, 3.7, 3.8, 3.9, 4.0, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.8, 4.9, 5.0, 5.1, 5.2,
5.3, 5.4, 5.5, 5.6, 5.7, 5.8, 5.9, 6.0, 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8,
6.9, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5.

Patches for the OpenBSD base system are distributed as unified diffs. Each patch contains usage instructions. All the following patches are also available in one tar.gz file for convenience.

Patches for supported releases are also incorporated into the -stable branch.

001: RELIABILITY FIX: March 31, 2010 All architectures
When decrypting packets, the internal decryption functions were not paranoid enough in checking for underruns, which could potentially lead to crashes.
A source code patch exists which remedies this problem.
002: RELIABILITY FIX: April 4, 2010 All architectures
When updating sensors showing the state of RAID volumes mpi(4) allocates temporary memory and then returns it to the kernel as device memory. This causes kernel memory usage to be misrepresented, eventually leading to a denial of service when a resource limit is apparently reached.
A source code patch exists which remedies this problem.
003: SECURITY FIX: April 14, 2010 All architectures
In TLS connections, certain incorrectly formatted records can cause an OpenSSL client or server to crash due to a read attempt at NULL.
A source code patch exists which remedies this problem.
004: SECURITY FIX: April 23, 2010 All architectures
The combination of pfsync and IPSEC may crash the kernel.
A source code patch exists which remedies this problem.
005: RELIABILITY FIX: May 14, 2010 All architectures
Incorrectly initialized state updates can cause pfsync update storms.
A source code patch exists which remedies this problem.
006: RELIABILITY FIX: July 8, 2010 All architectures
Restore an unusual XS_SENSE semantic. Fixes dump(8)/restore(8) problems seen on certain tape drives.
A source code patch exists which remedies this problem.
007: RELIABILITY FIX: September 14, 2010 All architectures
Avoid calling scsi_done() more than once in gdt(4). Fixes a kernel panic triggered by syncing disks during shut down.
Clear the ITSDONE flag before issuing commands to the SCSI adapter. Fixes handling of retried SCSI commands.
A source code patch exists which remedies this problem.
008: RELIABILITY FIX: November 17, 2010 All architectures
Fix a flaw in the OpenSSL TLS server extension code parsing which could lead to a buffer overflow. This affects OpenSSL based TLS servers which are multi-threaded and use OpenSSL's internal caching mechanism. Servers that are multi-process and/or disable internal session caching are not affected.
A source code patch exists which remedies this problem.
009: SECURITY FIX: December 17, 2010 All architectures
Insufficient initialization of the pf rule structure in the ioctl handler may allow userland to modify kernel memory. By default root privileges are needed to add or modify pf rules.
A source code patch exists which remedies this problem.
010: RELIABILITY FIX: December 20, 2010 All architectures
Bring CBC oracle attack countermeasures to hardware crypto accelerator land. This fixes aes-ni, via xcrypt and various drivers (glxsb(4), hifn(4), safe(4) and ubsec(4)).
A source code patch exists which remedies this problem.
011: RELIABILITY FIX: January 13, 2011 All architectures
sp_protocol in RTM_DELETE messages could contain garbage values leading to routing socket users that restrict the AF (such as ospfd) not seeing any of the RTM_DELETE messages.
A source code patch exists which remedies this problem.
012: SECURITY FIX: February 11, 2011 All architectures
An incorrectly formatted ClientHello handshake message could cause OpenSSL to parse past the end of the message. An attacker could use this flaw to trigger an invalid memory access, causing a crash of an application linked to OpenSSL. As well, certain applications may expose the contents of parsed OCSP extensions, specifically the OCSP nonce extension.
Applications are only affected if they act as a server and call SSL_CTX_set_tlsext_status_cb on the server's SSL_CTX. It is believed that nothing in the base OS uses this. Apache httpd started using this in v2.3.3; this is newer than the version in ports.
A source code patch exists which remedies this problem.
013: SECURITY FIX: February 16, 2011 Little-endian architectures
PF rules specifying address ranges (e.g. "10.1.1.1 - 10.1.1.5") were not correctly handled on little-endian systems (alpha, amd64, arm, i386, mips64el, vax). Other address types (bare addresses "10.1.1.1" and prefixes "10.1.1.1/30") are not affected.
A source code patch exists which remedies this problem.