|
|
 Up |
|
|
  |
Author: NetBSD Security-OfficerNetBSD Security-Officer
Date: Sep 4, 2008 14:52
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Advisory 2008-011
=================================
Topic: ICMPv6 MLD query
Version: NetBSD-current: affected
NetBSD 4.0: affected
NetBSD 3.1.*: not affected
NetBSD 3.1: not affected
NetBSD 3.0.*: not affected
NetBSD 3.0: not affected
Severity: Denial of service
Fixed: NetBSD-current: August 22, 2008
NetBSD-4-0 branch: August 23, 2008
( 4.0.1 will include the fix)
NetBSD-4 branch: August 23, 2008
(4.1 will include the fix)
Abstract
========
|
| Show full article (3.40Kb) |
|
| |
no comments
|
|
|
Author: Adrian PortelliAdrian Portelli
Date: Aug 31, 2008 14:47
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
Just to let everyone know there have been some further updates to BIND
in the NetBSD CVS trees in order to address performance issues with the
initial fixes to address CVE-2008-1447. All the updates have been
documented in NetBSD Security Advisory 2008-009 which is available at:
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-009.txt.asc
On behalf of security-officer@ NetBSD.org,
adrian.
-----BEGIN PGP SIGNATURE-----
iEYEARECAAYFAki7EXIACgkQLc2rR0mnFJ+fuwCg+4E5igu7txRdVNLYPWH+3+Q1
CfoAoLUOIfPmKVJBV/hFX+vRm/OPBK4t
=4hRD -----END PGP SIGNATURE-----
--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-admin@muc.de
|
| |
|
| |
no comments
|
|
|
Author: NetBSD Security-OfficerNetBSD Security-Officer
Date: Aug 26, 2008 07:13
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Advisory 2008-010
=================================
Topic: Malicious PPPoE discovery packet can overrun a kernel buffer
Version: NetBSD-current: affected
NetBSD 4.0: affected
NetBSD 3.1.*: affected
NetBSD 3.1 affected
NetBSD 3.0.*: affected
NetBSD 3.0: affected
Severity: Remote denial-of-service
|
| Show full article (4.31Kb) |
|
3 Comments |
|
|
Author: markuczmarkucz
Date: Aug 19, 2008 01:40
> I use the following settings in my mk.conf (plus there should be some
> changes to some makefiles and to the sets lists, but I haven't got
> around to them yet):
>
> MKPAM = no
> USE_PAM = no
Well, blow me down! I'm still using my old mk.conf. I haven't even noticed
there's MKPAM and USE_PAM. Lots of thanks for the tip, Greg!
>> I've lived happily without it so far. I don't mind having it in base, I'm
>> just curious whether it's possible to replace its functionality by BSD
>> Auth. I managed to find some code written in 2003 and now I'm examining
>> it to see what can be done with it and if it can be somehow integrated
>> alongside with PAM.
>
> I'm not sure it would make sense to have them integrated together into
> the same system. In my estimation they can't really both be there in
> the same build (certainly not for anyone who wants the full and
> guaranteed privilege separation offered by BSD Auth), and with a
> compile-time option the non-default one is sure to bitrot.
|
| Show full article (1.82Kb) |
|
no comments
|
|
|
Author: Greg A. Woods; Planix, Inc.Greg A. Woods; Planix, Inc.
Date: Aug 18, 2008 22:33
On 19-Aug-08, at 12:23 AM, SODA Noriyuki wrote:
>>>>>> On Mon, 18 Aug 2008 14:12:10 -0400,
> "Greg A. Woods; Planix, Inc." said:
>
>> Previous discussions resulted in nothing really and PAM was blasted
>> into the tree without taking into account any technical
>> considerations.
>
> Such summary is unfair.
I think it's pretty fair. No consensus was reached on the contentious
points
> From some points of view, PAM is more secure than BSD Auth, and that
> was one of reasons why PAM was choosed.
I've never seen any real technical evaluation showing PAM to be more
secure.
Show me where the evaluation is.
|
| Show full article (1.92Kb) |
|
8 Comments |
|
|
Author: Sheri.LeggetSheri.Legget
Date: Aug 14, 2008 16:37
http://summit.googlebong.com
Dolf Jasin GoogleBong
img { border: 2px solid Black }
pre { font: 6pt/8pt }
p,blockquote { font: 16pt; font-family: verdana, arial, 'sans serif' }
h1,h2,h3,h4,ul { font-family: verdana, arial, 'sans serif'; font: 14p }
table,li,td { font-family: verdana, arial, 'sans serif'; font: 12p }
ul { list-style: disc }
ol { list-style: decimal }
body { background: "#EEEEEE" }
h1,h2,h3,h4,hr,p,ul,blockquote,pre { color:Black }
a:link { color:Blue }
a:visited { color:Blue }
a:active { color:"#008000" }
a:hover { color:"#008000" }
h1.header { padding:0em; margin:0 }
div.container { width:100%%; margin:0px; border:1px solid Black; line-height:150%% }
div.header,div.footer { padding:0.5em; color:white; background-color:Black; clear:left }
div.left { width:15%%; margin:0; float:left; padding:0; }
|
| Show full article (1.07Kb) |
|
no comments
|
|
|
Author: Antti KanteeAntti Kantee
Date: Jul 29, 2008 09:15
It is done.
One actually cool byproduct which I'd hadn't thought of before (although
it is quite obvious) is the ability to mount suspicious file system
images using non-kernel code. I am suspecting it would be quite easy
to construct a file system image so that if mounted it would compromise
the host kernel.
As the usual usecase is being handed a usb stick with fat on it, I
converted rump_msdos to have the same syntax as mount_msdos by sharing
the option parsing code. It should be possible to use them entirely
interchangeably, except the former will of course only compromise the
integrity of the file server process.
--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-admin@muc.de
|
| |
|
no comments
|
|
|
Author: NetBSD Security-OfficerNetBSD Security-Officer
Date: Jul 24, 2008 17:16
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Advisory 2008-009
=================================
Topic: BIND cache poisoning
Version: NetBSD-current: affected
NetBSD 4.0: affected
NetBSD 3.1.*: affected
NetBSD 3.1: affected
NetBSD 3.0.*: affected
NetBSD 3.0: affected
bind 8.x packages
bind 9.4.x packages prior to 9.4.2pl1
bind 9.5.x packages prior to 9.5.0pl1
Severity: Remote DNS cache poisoning
|
| Show full article (7.71Kb) |
|
no comments
|
|
|
Author: Matthias DrochnerMatthias Drochner
Date: Jul 14, 2008 11:34
When I checked the pam-pwauth_suid module for information
leaks I found that kernel buffers used for IPC keep
sensitive information for longer time too.
Most notably tty buffers, because raw tty devices
are used normally to enter passwords.
In this case, since tty input is processed character by
character anyway, it would not cost much to clear the
buffer out after the reader got the data.
Do you think this is OK?
This could be taken much further, but for sockets we have
encrypted protocols. Remain pipes... don't know whether
something should be done here. Would be easy in
the !PIPE_SOCKETPAIR case.
best regards
Matthias
-------------------------------------------------------------------
-------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
|
| Show full article (1.84Kb) |
|
1 Comment |
|
|
|
|
|
Author: Jeremy C. ReedJeremy C. Reed
Date: Jul 10, 2008 06:27
> AFAIK we typically don't remove anything before a cvs import is done
> into dist/. BTW what do you mean by 'bogus files' ?
Extra files that previously not there in the "NetBSD" source tree like the
PDF documentation (src/dist/bind/doc/arm/Bv9ARM.pdf but not in netbsd-3).
> That I don't know. Like I said I've used these scripts before to generate
> patches and they have saved a lot of leg work for me.
Well maybe I should start all over and do it the bind2netbsd way. Just to
clarify: Okay if I do the commits as I follow the steps (that say to
commit)?
And when did you do cvs update for the steps?
Can you double check the steps as outlined in the few scripts to add
missing steps?
Thanks
--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-admin@muc.de
|
| |
|
3 Comments |
|
|
|
|
|
|
