[Midnightbsd-cvs] www [585] trunk/security/index.html: add security advisories
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Fri Mar 20 19:48:59 EDT 2015
Revision: 585
http://svnweb.midnightbsd.org/www/?rev=585
Author: laffer1
Date: 2015-03-20 19:48:58 -0400 (Fri, 20 Mar 2015)
Log Message:
-----------
add security advisories
Modified Paths:
--------------
trunk/security/index.html
Modified: trunk/security/index.html
===================================================================
--- trunk/security/index.html 2015-03-20 23:38:46 UTC (rev 584)
+++ trunk/security/index.html 2015-03-20 23:48:58 UTC (rev 585)
@@ -16,7 +16,131 @@
<div class="clear"></div>
<div id="text">
<h2><img src="../images/oxygen/security32.png" alt="" /> Security Updates</h2>
+<blockquote class="bluebox" id="a20150319">
+<h3>March 19, 2015</h3>
+ <p>0.5.10 RELEASE
+ <p>OpenSSL Security update
+
+ <p>A malformed elliptic curve private key file could cause a use-after-free
+ condition in the d2i_ECPrivateKey function. [CVE-2015-0209]
+
+ <p>An attempt to compare ASN.1 boolean types will cause the ASN1_TYPE_cmp
+ function to crash with an invalid read. [CVE-2015-0286]
+
+ <p>Reusing a structure in ASN.1 parsing may allow an attacker to cause memory
+ corruption via an invalid write. [CVE-2015-0287]
+
+ <p>The function X509_to_X509_REQ will crash with a NULL pointer dereference if
+ the certificate key is invalid. [CVE-2015-0288]
+
+ <p>The PKCS#7 parsing code does not handle missing outer ContentInfo correctly.
+ [CVE-2015-0289]
+
+ <p>A malicious client can trigger an OPENSSL_assert in servers that both support
+ SSLv2 and enable export cipher suites by sending a specially crafted SSLv2
+ CLIENT-MASTER-KEY message. [CVE-2015-0293]
+ </blockquote>
+<blockquote class="bluebox" id="a20150225">
+<h3>February 25, 2015</h3>
+ <p>0.5.9 RELEASE
+
+ <p>Fix two security vulnerabilities.
+
+ <p>1. BIND servers which are configured to perform DNSSEC validation and which
+ are using managed keys (which occurs implicitly when using
+ "dnssec-validation auto;" or "dnssec-lookaside auto;") may exhibit
+ unpredictable behavior due to the use of an improperly initialized
+ variable.
+
+ <p>CVE-2015-1349
+
+ <p>2. An integer overflow in computing the size of IGMPv3 data buffer can result
+ in a buffer which is too small for the requested operation.
+
+ <p>This can result in a DOS attack.
+ </blockquote>
+
+ <blockquote class="bluebox" id="a20150114">
+ <h3>January 14, 2015</h3>
+ <p>0.5.8 RELEASE
+
+ <p>Fix several security issues with OpenSSL.
+
+ <p>A carefully crafted DTLS message can cause a segmentation fault in OpenSSL
+ due to a NULL pointer dereference. [CVE-2014-3571]
+
+ <p>A memory leak can occur in the dtls1_buffer_record function under certain
+ conditions. [CVE-2015-0206]
+
+ <p>When OpenSSL is built with the no-ssl3 option and a SSL v3 ClientHello is
+ received the ssl method would be set to NULL which could later result in
+ a NULL pointer dereference. [CVE-2014-3569]
+
+ <p>An OpenSSL client will accept a handshake using an ephemeral ECDH
+ ciphersuite using an ECDSA certificate if the server key exchange message
+ is omitted. [CVE-2014-3572]
+
+ <p>An OpenSSL client will accept the use of an RSA temporary key in a non-export
+ RSA key exchange ciphersuite. [CVE-2015-0204]
+
+ <p>An OpenSSL server will accept a DH certificate for client authentication
+ without the certificate verify message. [CVE-2015-0205]
+
+ <p>OpenSSL accepts several non-DER-variations of certificate signature
+ algorithm and signature encodings. OpenSSL also does not enforce a
+ match between the signature algorithm between the signed and unsigned
+ portions of the certificate. [CVE-2014-8275]
+
+ <p>Bignum squaring (BN_sqr) may produce incorrect results on some
+ platforms, including x86_64. [CVE-2014-3570]
+ </blockquote>
+<blockquote class="bluebox" id="a20141211">
+
+<h3>December 11, 2014</h3>
+ <p>0.5.7 RELEASE
+
+ <p>Fix a security issue with file and libmagic that can allow
+ an attacker to create a denial of service attack on any
+ program that uses libmagic.
+
+<p>20141109:
+ <p>Fix building perl during buildworld when the GDBM port is installed.
+
+ </blockquote>
+ <blockquote class="bluebox" id="a20141106">
+<h3>November 6, 2014</h3>
+ <p>0.5.6 RELEASE
+
+ <p>Update timezone data tzdata 2014i
+
+ <p>(plus previous security fixes)
+
+ <p>Fix two security issues:
+
+ <p>1. sshd may link libpthread in the wrong order, shadowing libc
+ functions and causing a possible DOS attack for connecting clients.
+ <p>2. getlogin may leak kernel memory via a buffer that is
+ copied without clearing.
+ </blockquote>
+
+<blockquote class="bluebox" id="a20141031">
+
+ <h3>October 31, 2014</h3>
+ <p>0.5.5 RELEASE
+
+ <p>tnftp 20141031 fixes a security vulnerability with tnftp,
+ CVE-2014-8517.
+ </blockquote>
+
+ <blockquote class="bluebox" id="a20141027">
+ <h3>October 27, 2014</h3>
+
+ <p>0.5.4 RELEASE
+
+ <p>libmport fix for packages
+ </blockquote>
+
<blockquote class="bluebox" id="a20141021">
<h3>October 21, 2014</h3>
<p>0.5.3-RELEASE</p>
More information about the Midnightbsd-cvs
mailing list