=====================================================================
                           CERT-Renater
                 Information Note No. 2005/VULN249
_____________________________________________________________________

DATE                 : 07/04/2005
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : OpenBSD.
=====================================================================

+ httpd(8)'s mod_include module fails to properly validate the length
  of user supplied tag strings prior to copying them to a local
  buffer, causing a buffer overflow. This would require enabling the
  XBitHack directive or server-side includes and making use of a
  malicious document.

  3.5 patch:
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/026_httpd3.patch
  3.6 patch:
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/009_httpd.patch

+ A bug in the tcp(4) stack allows an invalid argument to be used in
  calculating the TCP retransmit timeout. By sending packets with
  specific values in the TCP timestamp option, an attacker can cause
  a system panic.

  3.5 patch:
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/027_rtt.patch
  3.6 patch:
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/010_rtt.patch

+ More stringent checking should be done in the copy(9) functions to
  prevent their misuse. i386 and amd64 only.

  3.6 patches:
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.6/i386/011_locore.patch
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.6/amd64/012_copy.patch

  The same patches can be used for 3.5.

+ Bugs in the tcp(4) stack can lead to memory exhaustion or processing
  of TCP segments with invalid SACK options and cause a system crash.

  3.5 patch:
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/030_sack.patch
  3.6 patch:
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/013_sack.patch

+ Due to buffer overflows in telnet(1), a malicious server or
  man-in-the-middle attack could allow execution of arbitrary code
  with the privileges of the user invoking telnet(1). No one should
  use telnet anymore. Please use ssh(1).

  3.5 patch:
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/031_telnet.patch
  3.6 patch:
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/014_telnet.patch

+ Handle an edge condition in tcp(4) timestamps.

  3.5 patch:
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/032_tcp2.patch
  3.6 patch:
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/015_tcp.patch

=====================================================================

=========================================================
CERT-Renater reference servers

    http://www.urec.fr/securite
    http://www.cru.fr/securite
    http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel  : 01-53-94-20-44         +
+ 151 bd de l'Hopital   | fax  : 01-53-94-20-41         +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================