SB2023112074 - Multiple vulnerabilities in OpenBSD

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Input validation error (CVE-ID: N/A)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the way ospfd(8) handles simple passwords of 8 characters long, which result in ospfd sending out packets with invalid checksum.

2) NULL pointer dereference (CVE-ID: N/A)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in httpd when handling a malformed fastcgi request. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

3) Input validation error (CVE-ID: N/A)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of long sequences of UTF-8 combining character in tmux. A local user can perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

• http://www.openbsd.org/errata74.html#004
• http://www.openbsd.org/errata74.html#006
• http://www.openbsd.org/errata73.html#020
• http://www.openbsd.org/errata74.html#005