From d3c30ae0a746214ba8290c25e64adc627d50094f Mon Sep 17 00:00:00 2001
From: "Bruce A. Mah" <bmah@FreeBSD.org>
Date: Thu, 1 Aug 2002 17:39:52 +0000
Subject: [PATCH] Regen from article.sgml 1.1.2.74.

---
 en/releases/4.6R/errata.html | 47 +++++++++++++++++++++++++++++++++---
 1 file changed, 43 insertions(+), 4 deletions(-)

diff --git a/en/releases/4.6R/errata.html b/en/releases/4.6R/errata.html
index 0ecb9bc75c..b421b5e4c7 100644
--- a/en/releases/4.6R/errata.html
+++ b/en/releases/4.6R/errata.html
@@ -22,7 +22,7 @@
 
         <p class="PUBDATE">$FreeBSD:
         src/release/doc/en_US.ISO8859-1/errata/article.sgml,v
-        1.1.2.73 2002/07/30 16:50:49 bmah Exp $<br>
+        1.1.2.74 2002/08/01 17:36:26 bmah Exp $<br>
         </p>
         <hr>
       </div>
@@ -83,6 +83,22 @@
         <h1 class="SECT1"><a name="AEN25">2 Security
         Advisories</a></h1>
 
+        <p>FreeBSD 4.6-RELEASE contains a fix for a bug described
+        in security advisory SA-02:23 (which addressed the use of
+        file descriptors by set-user-id or set-group-id programs).
+        An error has been discovered in the bugfix; it is still
+        possible for systems using <a href=
+        "http://www.FreeBSD.org/cgi/man.cgi?query=procfs&sektion=5&manpath=FreeBSD+4.5-stable">
+        <span class="CITEREFENTRY"><span class=
+        "REFENTRYTITLE">procfs</span>(5)</span></a> or <a href=
+        "http://www.FreeBSD.org/cgi/man.cgi?query=linprocfs&sektion=5&manpath=FreeBSD+4.5-stable">
+        <span class="CITEREFENTRY"><span class=
+        "REFENTRYTITLE">linprocfs</span>(5)</span></a> to be
+        exploited. A revised version of security advisory <a href=
+        "ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:23.stdio.asc"
+         target="_top">FreeBSD-SA-02:23</a> contains a corrected
+        bugfix.</p>
+
         <p>A buffer overflow in the resolver could be exploited by
         a malicious domain name server or an attacker forging DNS
         messages. This could potentially be used to force arbitrary
@@ -112,12 +128,35 @@
         "ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:30.ktrace.asc"
          target="_top">FreeBSD-SA-02:30</a> for a workaround and a
         fix.</p>
+
+        <p>A race condition in <a href=
+        "http://www.FreeBSD.org/cgi/man.cgi?query=pppd&sektion=8&manpath=FreeBSD+4.5-stable">
+        <span class="CITEREFENTRY"><span class=
+        "REFENTRYTITLE">pppd</span>(8)</span></a> can be used to
+        change the permissions of an arbitrary file. For more
+        details, a workaround, and bugfix information, see security
+        advisory <a href=
+        "ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:32.pppd.asc"
+         target="_top">FreeBSD-SA-02:32</a>.</p>
+
+        <p>Multiple buffer overflows have been discovered in <b
+        class="APPLICATION">OpenSSL</b>. More details (including
+        workarounds and bugfixes) can be found in security advisory
+        <a href=
+        "ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:33.openssl.asc"
+         target="_top">FreeBSD-SA-02:33</a>.</p>
+
+        <p>A bug in the XDR decoder (used by Sun RPC) could result
+        in a heap buffer overflow. Security advisory <a href=
+        "ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:34.rpc.asc"
+         target="_top">FreeBSD-SA-02:34</a> contains workaround and
+        bugfix information.</p>
       </div>
 
       <div class="SECT1">
         <hr>
 
-        <h1 class="SECT1"><a name="AEN39">3 Late-Breaking
+        <h1 class="SECT1"><a name="AEN57">3 Late-Breaking
         News</a></h1>
 
         <p>In FreeBSD 4.6-RELEASE, the default maximum TCP window
@@ -262,8 +301,8 @@
           </ol>
         </div>
 
-        <p>As of this writing, this issue is under continuing
-        investigation.</p>
+        <p>This problem has been corrected in FreeBSD 4.6-STABLE
+        snapshots.</p>
 
         <p>Due to a bug in the release generation process, some of
         the directories under <tt class=