<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.os.netbsd.announce">
    <title>gmane.os.netbsd.announce</title>
    <link>http://blog.gmane.org/gmane.os.netbsd.announce</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.netbsd.announce/497"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.netbsd.announce/496"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.netbsd.announce/495"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.netbsd.announce/494"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.netbsd.announce/493"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.netbsd.announce/491"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.netbsd.announce/490"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.netbsd.announce/489"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.netbsd.announce/488"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.netbsd.announce/487"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.netbsd.announce/486"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.netbsd.announce/485"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.netbsd.announce/484"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.netbsd.announce/483"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.netbsd.announce/482"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.netbsd.announce/481"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.netbsd.announce/480"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.netbsd.announce/479"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.netbsd.announce/478"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.netbsd.announce/477"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.os.netbsd.announce/497">
    <title>NetBSD 6.0_BETA2 available for testing.</title>
    <link>http://comments.gmane.org/gmane.os.netbsd.announce/497</link>
    <description>&lt;pre&gt;On behalf of NetBSD developers, I'm happy to announce the availability
of the second (and final) public beta of NetBSD 6.0, for testing.

Binaries of NetBSD 6.0_BETA2 are available for download at:

ftp://ftp.netbsd.org/pub/NetBSD/NetBSD-6.0_BETA2/

ISO images and (for amd64 and i386) images suitable for installing from
USB sticks or other hard drives, and torrent files for downloading via
BitTorrent are available here:

ftp://ftp.netbsd.org/pub/NetBSD/NetBSD-6.0_BETA2/images/

We are very pleased with the state of NetBSD 6.0_BETA2.
With your help, we have made improvements since NetBSD 6.0_BETA.  A
sampling:

- Fixed PR/39444
- fixes to hdaudio
- fixes to LFS
- fixed detaching ehci(4)
- PR/41673
- PR/44097
- Added the ability to configure RAIDframe components on raw disks.
- Fixed iwi(4) firmware decoding on bigendian platforms.
- more variants supported by mfi(4)
- PR/46217
- Prevent sshd from consuming all available entropy.
- Update pcc to pcc-20120325.
- Power management for bthub(4).
- PR/45829
- PR/46232
- PR/46120
- PR/46284
- Work around some AMD processor errata
- Fixed x86k boot problem
- PR/45131
- PR/46286
- PR/46221
- PR/46282
- PR/46146
- Added mpii(4) driver for LSI Logic Fusion-MPT Message Passing
  Interface II SAS controllers.
- Many PUFFS fixes
- Several OpenSSL fixes
- PR/46325
- PR/46121
- PR/46391
- PR/41267
- PR/46360
- PR/46408
- PR/46419
- Added tgamma() and tgammaf() to libm
- Avoid a tools build error on Cygwin hosts
- many fixes for building with clang
- switched vax back to gcc 4.1
- Added new sysinst post-install config menu
- PR/46041
- PR/44092
- PR/46101
- PR/46457
- PR/43903

Please continue to report problems and to help us test!  We anticipate
the first Release Candidate of NetBSD 6.0 in late June/early July.

As always, please help us out by testing these changes and reporting
problems either to an appropriate mailing list, via send-pr, or via
the web form:

http://www.netbsd.org/cgi-bin/sendpr.cgi?gndb=netbsd

Thanks again for your help in making NetBSD 6.0 the best release yet!

&lt;/pre&gt;</description>
    <dc:creator>riz&lt; at &gt;NetBSD.org</dc:creator>
    <dc:date>2012-05-26T17:13:51</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.netbsd.announce/496">
    <title>pkgsrc-2012Q1 has been branched</title>
    <link>http://comments.gmane.org/gmane.os.netbsd.announce/496</link>
    <description>&lt;pre&gt;Hi!

I've just finished branching the pkgsrc-2012Q1 release.

There's no special announcement... just enjoy the release :)
 Thomas

&lt;/pre&gt;</description>
    <dc:creator>Thomas Klausner</dc:creator>
    <dc:date>2012-04-07T15:06:15</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.netbsd.announce/495">
    <title>NetBSD 6.0_BETA binaries available for testing</title>
    <link>http://comments.gmane.org/gmane.os.netbsd.announce/495</link>
    <description>&lt;pre&gt;On behalf of NetBSD developers, I'm happy to announce the availability 
of a public beta of NetBSD 6.0, for your testing pleasure.

(For a more-marked-up version of this announcement, see
the NetBSD blog:  http://blog.NetBSD.org/tnf/entry/netbsd_6_0_beta_binaries )

This beta is substantially feature-complete; there may be some 
additional changes to the installer and possibly some additional 
hardware support if some is found missing and is easily added, but the 
major changes are done.  What we need now is for you, the end users, to 
test it in your preferred configuration.

Please DO keep in mind, however, that this is a beta release;  we fully 
expect there are some lurking bugs, so use with caution.

Binaries of NetBSD 6.0_BETA are available for download at:

ftp://ftp.NetBSD.org/pub/NetBSD/NetBSD-6.0_BETA/

Bootable (for many arches) ISO images are also available, in
ftp://ftp.NetBSD.org/pub/NetBSD/NetBSD-6.0_BETA/iso

Here are some highlighted changes since NetBSD 5.0.  As always, full 
details can be found in doc/CHANGES and doc/CHANGES-6.0:

time_t is now 64 bits.
syslog improvements: Reliable TCP connections, encryption, syslog protocol API.
LKMs removed; superseded by the new module(7) framework.
Boot loaders on some arches (i386, amd64) support loading modules at boot.
Added crash(8) a new utility based on ddb(4) to diagnose kernel crashes.
Added netpgp(1), a BSD-licensed implementation of PGP.
Added LVM (Logical Volume Manager) functionality.
Multiprocessor support for Xen PV DomUs.
Xen2 support has been dropped.
Better Xen PV support on Linux dom0, including Citrix XenServer.
Much improved compat_linux support for running Linux binaries.
x.org was updated with new versions of most utilities, and the X server.
Some arches now default to UFS2 in sysinst.
FFS:  softdep is no longer available, use WAPBL logging instead.
gpio(4) has been completely reworked to integrate with kauth(9)
evbarm now has support for Gumstix Verdex and Verdex Pro, Marvell 
Sheevaplug and other Marvell SoC NAS boxes, i.MX51 SoC.
arm platforms have support for Cortex-A8 CPUs.
pfsync(4) from OpenBSD 4.2
mDNSResponder is now in base
raid(4) now has parity maps, greatly improving parity rewrite times 
after unclean shutdown.
Added support for 64-bit MIPS processors (O32, N32, N64 ABIs are supported)
Added mkubootimage(1) tool for generating u-boot kernel images.
Added NPF - the NetBSD Packet Filter - a work in progress.
xz(1) - imported XZ compression tool.
resize_ffs(8) - support for growing FFSv1 and FFSv2 file systems, and 
shrinking FFSv1.
amd64,i386: booting from a disk with GUID Partition Table (gpt) is now 
possible.
iSCSI:  added an in-kernel iSCSI initiator, from Wasabi Systems.
New port: eMIPS
Added flash(9) and nand(9) subsystems to handle flash devices and NAND 
controllers.
Added CHFS, a file system for flash(9) devices.
Reworked quota subsystem for FFS
Added TLS (Thread Local Storage) support for most platforms.
Added dtv(4), a Digital TV framework.
MIPS: add support for RALink RT3883 SoC
sparc64: add support for Enterprise (Ex[45]00) systems, most ultrasparc III and IIIi systems.
gcc 4.5.3 is the default compiler
gdb 7.3.1 in-tree
Support for building most of the tree with clang
devpubd(8) added, a device publishing daemon
Xen: support for suspend/resume
SQLite 3 is now in the base system.
audio(9): audio drivers are now MP-safe.
tprof(8): a sampling-based profiler
x86, Xen:  added CPU microcode loading support via cpuctl(8).
Trusted Platform support added: TrouSerS, tpm-tools, and tpm(4).
Added posix_spawn() functions.
New apropos(1) implementation using SQLite Full Text Index.

New drivers added to NetBSD 6.0: bwi(4), age(4), atphy(4), ale(4), 
sdmmc(4), smsh(4), voyagerfb(4), gpioiic(4), tcx(4), zx(4), hdaudio(4), 
wb(4), lom(4), acpiwmi(4), udl(4), gfb(4), cas(4), acpismbus(4), 
uthum(4), cgtwelve(4), upgt(4), omapfb(4), otus(4), fujbp(4), fujhk(4), 
auvitek(4), acpiwdrt(4), vte(4), alc(4), rdcide(4), rdcpcib(4), 
s390rtc(4), cxdtv(4), hpacel(4), emdtv(4), urndis(4), p5pb(4), pwdog(4), 
mppb(4), vmt(4), efa(4), gpiopwm(4), powsw(4), tpm(4), valkyriefb(4), 
videopll(4)

...and LOTS more hardware support added to existing drivers!

Please help us out by testing these changes and reporting problems either to
an appropriate mailing list, via send-pr, or via the web form:

http://www.netbsd.org/cgi-bin/sendpr.cgi?gndb=netbsd

Please remember, though, that this is a BETA release.  Don't use it anywhere
where the quirks of a beta might cause problems from which it would be hard
to recover!

Thanks again for your help in making NetBSD 6.0 the best release yet!

&lt;/pre&gt;</description>
    <dc:creator>riz&lt; at &gt;NetBSD.org</dc:creator>
    <dc:date>2012-03-13T19:46:52</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.netbsd.announce/494">
    <title>NetBSD/xen available for Multi-Processor machines</title>
    <link>http://comments.gmane.org/gmane.os.netbsd.announce/494</link>
    <description>&lt;pre&gt;*** NetBSD/xen available for Multi-Processor machines

The NetBSD Foundation is pleased to announce completion of
Multiprocessing Support for the port of its Open Source Operating
System to the Xen hypervisor.

The NetBSD Foundation started the Xen MP project 8 months ago; the goal
was to add SMP support to NetBSD/Xen domU kernels. This project has
officially completed, and after a few bug fixes in the pmap(9) code it
is now considered stable on both i386 and amd64. NetBSD 6.0 will ship
with option MULTIPROCESSOR enabled by default for Xen domU kernels.

The availability of Xen MP support in NetBSD makes it possible to run the
NetBSD Open Source Operating System on a range of available infrastructure
providers' systems. Amazon's Web Services with their Elastic Cloud
Computing is a prominent example here.

Xen is a virtualization software that enables several independent
operating system instances ("domains") to run concurrently on the same
computer hardware. The hardware is managed by the first domain (dom0),
and further guest/user domains (domU) are spawned and managed by dom0.
Operating systems available for running as dom0 and domU guests
include Microsoft Windows, Solaris and Linux besides NetBSD.

NetBSD is a free, fast, secure, and highly portable Unix-like Open
Source operating system. It is available for a wide range of
platforms, from large-scale servers and powerful desktop systems to
handheld and embedded devices. Its clean design and advanced features
make it excellent for use in both production and research
environments, and the source code is freely available under a
business-friendly license. NetBSD is developed and supported by a
large and vivid international community. Many applications are readily
available through pkgsrc, the NetBSD Packages Collection.

NetBSD has been available for the Xen hypervisor since Xen 1 and
NetBSD 2.0, released in 2004 , but until now only a single
processor was supported in each NetBSD/xen domain. 

&lt;/pre&gt;</description>
    <dc:creator>Manuel Bouyer</dc:creator>
    <dc:date>2012-03-06T18:22:44</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.netbsd.announce/493">
    <title>Announcing EuroBSDcon 2012 &amp; Call for Proposals</title>
    <link>http://comments.gmane.org/gmane.os.netbsd.announce/493</link>
    <description>&lt;pre&gt;EuroBSDcon 2012
===============

EuroBSDcon is the European technical conference for users and
developers on BSD-based systems. The EuroBSDcon 2012 conference
will be held in Warsaw, Poland from Thursday 18 October 2012
to Sunday 21 October 2012, with tutorials on Thursday and Friday
and talks on Saturday and Sunday.

Call for Proposals
------------------

The EuroBSDcon conference is inviting developers and users of
BSD-based systems to submit innovative and original papers not
submitted to other European conferences on BSD-related topics.

Topics of interest to the conference include, but are not limited
to applications, architecture, implementation, performance and
security of BSD-based operating systems, as well as topics
concerning the economic or organizational aspects of BSD use.

Presentations are expected to be 45 minutes.

Call for Tutorial Proposals
---------------------------

The EuroBSDcon conference is inviting qualified practitioners in
their field to submit proposals for half or full day tutorials on
topics relevant to development, implementation and use of BSD-based
systems.

Submission address
------------------

Proposals should be submitted by email to &amp;lt;submission&amp;lt; at &amp;gt;eurobsdcon.org&amp;gt;.

Important dates
---------------

The EuroBSDcon conference is accepting abstracts and tutorial
proposals until 20 May 2012. Other important dates will be
announced soon at the conference website http://2012.eurobsdcon.org/.

&lt;/pre&gt;</description>
    <dc:creator>Joerg Sonnenberger</dc:creator>
    <dc:date>2012-03-04T16:07:06</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.netbsd.announce/491">
    <title>Announcing NetBSD 5.1.2</title>
    <link>http://comments.gmane.org/gmane.os.netbsd.announce/491</link>
    <description>&lt;pre&gt;On behalf of the NetBSD developers, I am pleased to announce that
NetBSD 5.1.2 is now available for download.  NetBSD 5.1.2 is the second
critical/security update of the NetBSD 5.1 release branch.  It
represents a selected subset of fixes deemed critical for security or
stability reasons.  All users are encouraged to upgrade.

For full details, please see the release notes at:

    http://www.NetBSD.org/releases/formal-5/NetBSD-5.1.2.html

ISO images can be downloaded using BitTorrent, and we encourage users
who wish to install via ISO images to take advantage of this, as the
images are well seeded.

    http://www.NetBSD.org/mirrors/torrents/

Complete source and binaries for NetBSD 5.1.2 are available for download
at many sites around the world.  A list of download sites providing FTP,
HTTP, AnonCVS, and other services can be found at:

    http://www.NetBSD.org/mirrors/

========================================================================
NetBSD 5.1.2 is dedicated to the memory of Yoshihiro Masuda, who passed
away in May 2011.  He was a spiritual pillar of the BSD community in
Japan.  Through an impressive number of books and articles on BSD, he
gave courage to BSD developers.  We remember his passion and deep love
for BSD.
========================================================================

The NetBSD Foundation would like to thank all those who have
contributed code, hardware, documentation, funds, colocation for our
servers, web pages and other documentation, release engineering, and
other resources over the years.  More information on the people who
make NetBSD happen is available at:

    http://www.NetBSD.org/people/

We would like to especially thank the University of California at
Berkeley and the GNU Project for particularly large subsets of code
that we use.  We would also like to thank the Internet Systems
Consortium Inc., the Network Security Lab at Columbia University's
Computer Science Department, and Ludd (Luleaa Academic Computer
Society) computer society at Luleaa University of Technology for
current colocation services.

&lt;/pre&gt;</description>
    <dc:creator>Soren Jacobsen</dc:creator>
    <dc:date>2012-02-11T04:29:37</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.netbsd.announce/490">
    <title>Announcing NetBSD Hackathon - February 10th to 12th, 2012</title>
    <link>http://comments.gmane.org/gmane.os.netbsd.announce/490</link>
    <description>&lt;pre&gt;
The 16th NetBSD hackathon will be run from February 10th to February
12th. Our goal is fixing all the bugs that need fixing to get
NetBSD-current ready for the creation of the NetBSD 6.0 release branch.

Everybody that has an interest in NetBSD, from developers, documentation
writers, translators, to advanced users are invited to attend. To make sure
that NetBSD users get the best possible experience of the new release we
would like to fix as many bugs as possible. For a list of bugs and more
information look at the Wiki Page under &amp;lt;https://wiki.netbsd.org/hackathon/&amp;gt;
please.

If you are able to help us fixing these bugs by supplying patches or
testing fixes please consider to participate. We are also in need of
people to supply documentation fixes, preferably in the form of
patches. Release notes and/or manual pages!

Join us on the IRC channel #netbsd-code on freenode (irc.freenode.net).
Just join, have a look around and ask your questions or what work needs
to be done.

We are looking forward to seeing you!

Matthias Scheler
On behalf of the NetBSD project
&lt;/pre&gt;</description>
    <dc:creator>Matthias Scheler</dc:creator>
    <dc:date>2012-02-03T19:06:47</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.netbsd.announce/489">
    <title>IPv4 address change for &lt;many&gt;.NetBSD.org</title>
    <link>http://comments.gmane.org/gmane.os.netbsd.announce/489</link>
    <description>&lt;pre&gt;Dear all,

{mail, www, anoncvs, blog, wiki, releng}.NetBSD.org are
changing IPv4 address from something in 204.152.190 to
something in 149.20.53. Do not be alarmed. :)

There may be some glitches due to IP addresses hiding in
unexpected corners; we apologize in advance for any issues
caused by the renumbering.

The old addresses are going to be available at least another
week.

best regards,
spz
&lt;/pre&gt;</description>
    <dc:creator>S.P.Zeidler</dc:creator>
    <dc:date>2012-01-31T20:04:41</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.netbsd.announce/488">
    <title>Updated: NetBSD Security Advisory 2011-008: OpenPAM privilege escalation</title>
    <link>http://comments.gmane.org/gmane.os.netbsd.announce/488</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 NetBSD Security Advisory 2011-008
 =================================

Topic:          OpenPAM privilege escalation


Version:        NetBSD-current:         affected prior to 20111109
                NetBSD 5.1:             affected prior to 20111119
                NetBSD 5.0:             affected prior to 20111119
                NetBSD 4.0.*:           affected prior to 20111119
                NetBSD 4.0:             affected prior to 20111119
                pkgsrc:                 security/openpam package prior to
                                        20111213


Severity:       Privilege escalation


Fixed:          NetBSD-current:         Nov 9th, 2011
                NetBSD-5-1 branch:      Nov 19th, 2011
                NetBSD-5-0 branch:      Nov 19th, 2011
                NetBSD-5 branch:        Nov 19th, 2011
                NetBSD-4-0 branch:      Nov 19th, 2011
                NetBSD-4 branch:        Nov 19th, 2011
                pkgsrc security/openpam: openpam-20071221nb1

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

The pam_start() function of OpenPAM doesn't check the "service"
argument. With a relative path it can be tricked into reading
a config file from an arbitrary location.
NetBSD base utilities pass fixed constant strings. 3rd party
programs which run with elevated privileges and allow user chosen
strings open an attack vector.

This vulnerability has been assigned CVE-2011-4122.


Technical Details
=================

Known 3rd party programs which allow user chosen PAM service names are:
 - "kcheckpass" from KDE3/4 (installed as SUID per default)
 - The "pam_auth" helper of "squid" (not SUID per default, but might
   be by administrator's choice)
 - "saslauthd" from cyrus-sasl, if built with PAM support, is
   suspected to accept a PAM service name through its communication
   socket (not verified in detail; pkgsrc/security/cyrus-saslauthd
   does not support PAM)

Also see the initial post about the problem:
http://c-skills.blogspot.com/2011/11/openpam-trickery.html
An exploit which uses KDE's "kcheckpass" is here:
http://stealth.openwall.net/xSports/pamslam


Solutions and Workarounds
=========================

Workaround: Install a version of the 3rd party software with a fix for
the issue. Fixed versions in pkgsrc are:

kdebase-3.5.10nb16
kdebase-workspace4-4.5.5nb4
squid-2.7.9nb2
squid-3.1.16nb1

See the pkg-vulnerabilities file for more details.

Fix: Update NetBSD's libpam to one of the versions listed above.

* NetBSD-current:

The following directories need to be updated from the netbsd
CVS tree:
dist/openpam/lib

To update from CVS, re-build, and re-install libpam:

# cd src
# cvs update -d -P dist/openpam/lib
# cd lib/libpam/modules/pam_deny
# make USETOOLS=no cleandir libpam_deny.a
# cd ../pam_echo
# make USETOOLS=no cleandir libpam_echo.a
# cd ../pam_exec
# make USETOOLS=no cleandir libpam_exec.a
# cd ../pam_ftpusers
# make USETOOLS=no cleandir libpam_ftpusers.a
# cd ../pam_group
# make USETOOLS=no cleandir libpam_group.a
# cd ../pam_guest
# make USETOOLS=no cleandir libpam_guest.a
# cd ../pam_lastlog
# make USETOOLS=no cleandir libpam_lastlog.a
# cd ../pam_login_access
# make USETOOLS=no cleandir libpam_login_access.a
# cd ../pam_nologin
# make USETOOLS=no cleandir libpam_nologin.a
# cd ../pam_permit
# make USETOOLS=no cleandir libpam_permit.a
# cd ../pam_radius
# make USETOOLS=no cleandir libpam_radius.a
# cd ../pam_rhosts
# make USETOOLS=no cleandir libpam_rhosts.a
# cd ../pam_rootok
# make USETOOLS=no cleandir libpam_rootok.a
# cd ../pam_securetty
# make USETOOLS=no cleandir libpam_securetty.a
# cd ../pam_self
# make USETOOLS=no cleandir libpam_self.a
# cd ../pam_unix
# make USETOOLS=no cleandir libpam_unix.a
# cd ../pam_afslog
# make USETOOLS=no cleandir libpam_afslog.a
# cd ../pam_krb5
# make USETOOLS=no cleandir libpam_krb5.a
# cd ../pam_ksu
# make USETOOLS=no cleandir libpam_ksu.a
# cd ../pam_skey
# make USETOOLS=no cleandir libpam_skey.a
# cd ../pam_ssh
# make USETOOLS=no cleandir libpam_ssh.a
# cd ../../libpam
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install

* NetBSD release versions (4.*, 5.*):

The following directories need to be updated from the
netbsd-4, netbsd-4-0, netbsd-5, netbsd-5-0 or
netbsd-5-1 CVS branch:
dist/openpam/lib

To update from CVS, re-build, and re-install libpam:

# cd src
# cvs update -d -P -r &amp;lt;branch_name&amp;gt; dist/openpam/lib
# cd lib/libpam/modules/pam_deny
# make USETOOLS=no cleandir libpam_deny.a
# cd ../pam_echo
# make USETOOLS=no cleandir libpam_echo.a
# cd ../pam_exec
# make USETOOLS=no cleandir libpam_exec.a
# cd ../pam_ftpusers
# make USETOOLS=no cleandir libpam_ftpusers.a
# cd ../pam_group
# make USETOOLS=no cleandir libpam_group.a
# cd ../pam_guest
# make USETOOLS=no cleandir libpam_guest.a
# cd ../pam_lastlog
# make USETOOLS=no cleandir libpam_lastlog.a
# cd ../pam_login_access
# make USETOOLS=no cleandir libpam_login_access.a
# cd ../pam_nologin
# make USETOOLS=no cleandir libpam_nologin.a
# cd ../pam_permit
# make USETOOLS=no cleandir libpam_permit.a
# cd ../pam_radius
# make USETOOLS=no cleandir libpam_radius.a
# cd ../pam_rhosts
# make USETOOLS=no cleandir libpam_rhosts.a
# cd ../pam_rootok
# make USETOOLS=no cleandir libpam_rootok.a
# cd ../pam_securetty
# make USETOOLS=no cleandir libpam_securetty.a
# cd ../pam_self
# make USETOOLS=no cleandir libpam_self.a
# cd ../pam_unix
# make USETOOLS=no cleandir libpam_unix.a
# cd ../pam_afslog
# make USETOOLS=no cleandir libpam_afslog.a
# cd ../pam_krb5
# make USETOOLS=no cleandir libpam_krb5.a
# cd ../pam_ksu
# make USETOOLS=no cleandir libpam_ksu.a
# cd ../pam_skey
# make USETOOLS=no cleandir libpam_skey.a
# cd ../pam_ssh
# make USETOOLS=no cleandir libpam_ssh.a
# cd ../../libpam
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install


Thanks To
=========

Thanks to "Icke" for reporting the issue.


Revision History
================

2011-12-15      Initial release
2011-12-19      Updated build instructions and
                clarifications


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2011-008.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .

Copyright 2011, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2011-008.txt,v 1.2 2011/12/18 23:26:46 tonnerre Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (NetBSD)
-----END PGP SIGNATURE-----

&lt;/pre&gt;</description>
    <dc:creator>NetBSD Security Officer</dc:creator>
    <dc:date>2011-12-18T23:31:51</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.netbsd.announce/487">
    <title>NetBSD Security Advisory 2011-009: BIND resolver DoS</title>
    <link>http://comments.gmane.org/gmane.os.netbsd.announce/487</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NetBSD Security Advisory 2011-009
=================================

Topic:          BIND resolver DoS


Version:        NetBSD-current:         affected prior to 20111116
                NetBSD 5.1:             affected prior to 20111118
                NetBSD 5.0:             affected prior to 20111118
                NetBSD 4.0.*:           affected prior to 20111120
                NetBSD 4.0:             affected prior to 20111120
                pkgsrc:                 net/bind96, net/bind97 and net/bind98
                                        packages prior to 20111116


Severity:       Denial of Service


Fixed:          NetBSD-current:         Nov 16th, 2011
                NetBSD-5-1 branch:      Nov 18th, 2011
                NetBSD-5-0 branch:      Nov 18th, 2011
                NetBSD-5 branch:        Nov 18th, 2011
                NetBSD-4-0 branch:      Nov 20th, 2011
                NetBSD-4 branch:        Nov 20th, 2011
                pkgsrc net/bind96:      bind-9.6.3.1.ESV.5pl1 mitigates this issue
                pkgsrc net/bind97:      bind-9.7.4pl1 mitigates this issue
                pkgsrc net/bind98:      bind-9.8.1pl1 mitigates this issue

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

Resolvers crash after logging:
"INSIST(! dns_rdataset_isassociated(sigrdataset))"

This vulnerability has been assigned CVE-2011-4313.


Technical Details
=================

An accidental operational error exposed a previously unknown bug in BIND
that could be exploited intentionally:

Unpatched BIND 9 resolvers may cache an invalid record, subsequent
queries for which could crash the resolvers with an assertion failure.
ISC provided a patch which makes named recover gracefully from the
inconsistency, preventing the abnormal exit.

The patch has two components. When a client query is handled, the code
which processes the response to the client has to ask the cache for
the records for the name that is being queried. The first component
of the patch prevents the cache from returning the inconsistent data.
The second component prevents named from crashing if it detects
that it has been given an inconsistent answer of this nature.


Solutions and Workarounds
=========================

We suggest fixing this vulnerability by using the current net/bind98 or
net/bind97 pkgsrc package instead of the in-system bind until the entire
system can be updated (eg to the next security/critical release, or a
binary snapshot from http://nyftp.netbsd.org/pub/NetBSD-daily/ from past
the fix date).


Thanks To
=========

Thanks to the Internet Systems Consortium for reporting this
vulnerability and providing fixed versions.


Revision History
================

2011-12-15      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2011-009.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .

Copyright 2011, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2011-009.txt,v 1.1 2011/12/15 13:52:31 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (NetBSD)
-----END PGP SIGNATURE-----

&lt;/pre&gt;</description>
    <dc:creator>NetBSD Security Officer</dc:creator>
    <dc:date>2011-12-16T00:00:54</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.netbsd.announce/486">
    <title>NetBSD Security Advisory 2011-008: OpenPAM privilege escalation</title>
    <link>http://comments.gmane.org/gmane.os.netbsd.announce/486</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 NetBSD Security Advisory 2011-008
 =================================

Topic:          OpenPAM privilege escalation


Version:        NetBSD-current:         affected prior to 20111109
                NetBSD 5.1:             affected prior to 20111119
                NetBSD 5.0:             affected prior to 20111119
                NetBSD 4.0.*:           affected prior to 20111119
                NetBSD 4.0:             affected prior to 20111119
                pkgsrc:                 security/openpam package prior to
                                        20111213


Severity:       Privilege escalation


Fixed:          NetBSD-current:         Nov 9th, 2011
                NetBSD-5-1 branch:      Nov 19th, 2011
                NetBSD-5-0 branch:      Nov 19th, 2011
                NetBSD-5 branch:        Nov 19th, 2011
                NetBSD-4-0 branch:      Nov 19th, 2011
                NetBSD-4 branch:        Nov 19th, 2011
                pkgsrc security/openpam: openpam-20071221nb1

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

The pam_start() function of OpenPAM doesn't check the "service"
argument. With a relative path it can be tricked into reading
a config file from an arbitrary location.
NetBSD base utilities pass fixed constant strings. 3rd party
programs which run with elevated privileges and allow user chosen
strings open an attack vector.

This vulnerability has been assigned CVE-2011-4122.


Technical Details
=================

Known 3rd party programs which allow user chosen PAM service names are:
 - "kcheckpass" from KDE3/4 (installed as SUID per default)
 - the "pam_auth" helper of "squid" (not SUID per default, but might
   be by administrator's choice)
 - "saslauthd" from cyrus-sasl, if built with PAM support, is suspected
   to accept a PAM service name through its communication socket
   (not verified in detail; pkgsrc/security/cyrus-saslauthd does not
   support PAM)

Also see the initial post about the problem:
http://c-skills.blogspot.com/2011/11/openpam-trickery.html
An exploit which uses KDE's "kcheckpass" is here:
http://stealth.openwall.net/xSports/pamslam


Solutions and Workarounds
=========================

Update NetBSD's libpam to one of the versions listed above, or install
a version of the 3rd party software with a fix for the issue.
Fixed versions in pkgsrc are:
kdebase-3.5.10nb16
kdebase-workspace4-4.5.5nb4
squid-2.7.9nb2
squid-3.1.16nb1


Thanks To
=========

Thanks to "Icke" for reporting the issue.


Revision History
================

2011-12-15      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2011-008.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .

Copyright 2011, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2011-008.txt,v 1.1 2011/12/15 13:52:31 tonnerre Exp $

&lt;/pre&gt;</description>
    <dc:creator>NetBSD Security Officer</dc:creator>
    <dc:date>2011-12-16T00:00:14</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.netbsd.announce/485">
    <title>HEADS UP:  ftp.netbsd.org downtime tomorrow, 15 December 2011</title>
    <link>http://comments.gmane.org/gmane.os.netbsd.announce/485</link>
    <description>&lt;pre&gt;ftp.netbsd.org will be offline tomorrow, 15 December 2011, during a 
6.5-hour window between 16:30 and 22:00 UTC.  We expect total downtime 
to be less than two hours during this window.

The machine is being moved to a new location which hopefully will allow 
for more traffic growth.

&lt;/pre&gt;</description>
    <dc:creator>Jeff Rizzo</dc:creator>
    <dc:date>2011-12-14T16:52:59</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.netbsd.announce/484">
    <title>Plan and funding of SMP Networking projects</title>
    <link>http://comments.gmane.org/gmane.os.netbsd.announce/484</link>
    <description>&lt;pre&gt;Hello,

On September 13th, 2011, the Board of Directors posted a news item [1]
requesting project specifications to get rid of the big kernel lock
surrounding the networking code. Unfortunately, nobody has taken
advantage of the offer and, therefore, the Board has not received any
applications to this date.

In order to lower the entry barrier, the Board has prepared a set of
smaller project proposals that, in aggregate, help in achieving the goal
of making the networking stack suitable for SMP systems.  Please note
that these projects cover a very wide range of topics: there are
projects whose only purpose is to add new data structures to the kernel,
while others involve refactoring parts of the existing code to make
adding locking easier.

The list of projects for funding and the tentative plan can be found in
the new SMP Networking project page [2].

All of the individual projects that can help in achieving the goal of
SMP Networking are suitable for funding.  If you are interested in
applying for any of them, please contact board&amp;lt; at &amp;gt; and core&amp;lt; at &amp;gt; directly.  The
project application how-to [3] may be of help.

Thank you.

Julio Merino,
On behalf of the Board of Directors

1: http://blog.netbsd.org/tnf/entry/request_for_project_specs_to
2: http://wiki.netbsd.org/projects/project/smp_networking/
3: http://wiki.netbsd.org/projects/application/

&lt;/pre&gt;</description>
    <dc:creator>Julio Merino</dc:creator>
    <dc:date>2011-11-25T22:10:46</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.netbsd.announce/483">
    <title>Planned outage of {anoncvs,ftp}.NetBSD.org Thu 6th 18:00-19:00 UTC</title>
    <link>http://comments.gmane.org/gmane.os.netbsd.announce/483</link>
    <description>&lt;pre&gt;Dear all,

please be advised that anoncvs.NetBSD.org and ftp.NetBSD.org will
have a planned outage roughly 18:00-19:00 UTC coming Thursday, Oct 6th.

best regards,
spz

&lt;/pre&gt;</description>
    <dc:creator>S.P.Zeidler</dc:creator>
    <dc:date>2011-10-03T23:56:45</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.netbsd.announce/482">
    <title>pkgsrc-2011Q3 release</title>
    <link>http://comments.gmane.org/gmane.os.netbsd.announce/482</link>
    <description>&lt;pre&gt;Hi!

The new stable pkgsrc branch pkgsrc-2011Q3 has just been released.

The public announcement is available at
http://mail-index.netbsd.org/current-users/2011/10/03/msg017924.html

Cheers,
 Thomas

&lt;/pre&gt;</description>
    <dc:creator>Thomas Klausner</dc:creator>
    <dc:date>2011-10-03T09:47:49</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.netbsd.announce/481">
    <title>NetBSD Security Advisory 2011-007: LZW decoding loop on manipulated compressed files</title>
    <link>http://comments.gmane.org/gmane.os.netbsd.announce/481</link>
    <description>&lt;pre&gt;

 NetBSD Security Advisory 2011-007
 =================================

Topic:          LZW decoding loop on manipulated compressed files


Version:        NetBSD-current:         source prior to Aug 17th, 2011
                NetBSD 5.0.*:           affected
                NetBSD 5.0:             affected
                NetBSD 5.1:             affected
                NetBSD 4.0.*:           affected
                NetBSD 4.0:             affected

Severity:       Denial of Service, possible Information Leak

Fixed:          NetBSD-current:         Aug 16th, 2011
                NetBSD-5-0 branch:      Aug 19th, 2011
                                        (5.0.3 will include the fix)
                NetBSD-5-1 branch:      Aug 19th, 2011
                                        (5.1.1 will include the fix)
                NetBSD-5 branch:        Aug 19th, 2011
                NetBSD-4-0 branch:      Aug 19th, 2011
                NetBSD-4 branch:        Aug 19th, 2011

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

A highly compressible input file could overflow the uncompression stack
in libXfont. Also, specially crafted compressed files could cause gzip(1)
and compress(1) to go into an endless loop or overflow their uncompression
stack.

This vulnerability has been assigned CVE-2011-2895.


Technical Details
=================

There are two different issues termed "lzw uncompress issue".

The first one is libXfont and the corresponding copy in XFree86's server.
It contains a broken size definition of the uncompression stack.
If you create a highly compressible input file (e.g. from /dev/zero)
and pipe it through compress(1), the result can trivially overflow
the decompression stack.

For gzip(1) and compress(1), there was an issue with the input validation.
If the LZW input stream was manipulated to contain code words larger
than the current free entry, the decompressor would access uninitialised
memory. Depending on the content of this region, it is possible that
the output processing would loop or overflow the output stack.

While freetype and freetype2 have the same input validation issue, they
are protected by the use of memset(3) on some internal tables.

Both libarchive and GNU gzip contain the necessary input validation to
avoid the problem.


Solutions and Workarounds
=========================

Via download:
+++++++++++++
Download base.tgz and xbase.tgz from
  http://nyftp.netbsd.org/pub/NetBSD-daily/&amp;lt;version&amp;gt;/&amp;lt;date&amp;gt;/&amp;lt;arch&amp;gt;/binary/sets/
or a mirror, with version being eg netbsd-4, date being a build version,
and arch being the appropriate architecture.

Install the downloaded files via eg
# cd /
# tar xzpf /path/to/base.tgz
# tar xzpf /path/to/xbase.tgz

If you have been running any X11 server or client binaries on your
machine, you will have to restart them now, or to reboot the machine
in order to ensure all bits of vulnerable code have been purged from
memory.

Via building:
+++++++++++++
Patch, recompile, and reinstall the library and binaries.

libXfont:

  Xorg: FILE xsrc/external/mit/libXfont/dist/src/fontfile/decompress.c

  CVS branch      Revision
  ---------------------------
  HEAD            1.3
  netbsd-5-0      1.1.1.1.4.2
  netbsd-5-1      1.1.1.1.2.1.2.1
  netbsd-5        1.1.1.1.2.2

  XFree86: FILE xsrc/xfree/xc/lib/font/fontfile/decompress.c

  CVS branch      Revision
  ---------------------------
  HEAD            1.2
  netbsd-5-0      1.1.1.4.24.1
  netbsd-5-1      1.1.1.4.26.1
  netbsd-5        1.1.1.4.22.1
  netbsd-4-0      1.1.1.4.20.1
  netbsd-4        1.1.1.4.18.1

compress:

  CVS branch      file                                    revision
  ------------------------------------------------------------------
  HEAD            src/usr.bin/compress/zopen.c            1.15
  netbsd-5-0      src/usr.bin/compress/zopen.c            1.12.14.1
  netbsd-5-1      src/usr.bin/compress/zopen.c            1.12.18.1
  netbsd-5        src/usr.bin/compress/zopen.c            1.12.10.1
  netbsd-4-0      src/usr.bin/compress/zopen.c            1.8.22.1
  netbsd-4        src/usr.bin/compress/zopen.c            1.8.18.1

gzip:

  CVS branch      file                                    revision
  ------------------------------------------------------------------
  HEAD            src/usr.bin/gzip/zuncompress.c          1.11
  netbsd-5-0      src/usr.bin/gzip/zuncompress.c          1.6.32.1
  netbsd-5-1      src/usr.bin/gzip/zuncompress.c          1.6.36.1
  netbsd-5        src/usr.bin/gzip/zuncompress.c          1.6.28.1
  netbsd-4-0      src/usr.bin/gzip/zuncompress.c          1.6.16.1
  netbsd-4        src/usr.bin/gzip/zuncompress.c          1.6.6.1

The following instructions briefly summarize how to update and
recompile the involved library and binaries. Replace:

  VERSION  with the fixed version from the appropriate CVS branch
           (from the above table)
  FILE     with the name of the file from the above table

For libXfont:
depending on your architecture and release version you will be using
XFree86 or Xorg. NetBSD-4 only has XFree, in later versions check by running
ls -l /usr/X11R?/man/man5/xorg.conf.5; its presence implies Xorg.
# cd &amp;lt;where your xsrc is&amp;gt;
# cvs update -r VERSION FILE

For compress and gzip, each:
# cd &amp;lt;where your src is&amp;gt;
# cvs update -r VERSION FILE

Then build and install:
# cd src
# ./build.sh -x -u &amp;lt;your other options&amp;gt; distribution
# ./build.sh install=/


Thanks To
=========

Thanks to Joerg Sonnenberger for providing the fixes.


Revision History
================

2011-09-20      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2011-007.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2011, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2011-007.txt,v 1.1 2011/09/20 08:14:22 tonnerre Exp $


&lt;/pre&gt;</description>
    <dc:creator>NetBSD Security Officer</dc:creator>
    <dc:date>2011-09-21T19:15:22</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.netbsd.announce/480">
    <title>NetBSD Security Advisory 2011-006: BIND DoS via packet with rrtype zero</title>
    <link>http://comments.gmane.org/gmane.os.netbsd.announce/480</link>
    <description>&lt;pre&gt;

 NetBSD Security Advisory 2011-006
 =================================

Topic:          BIND DoS via packet with rrtype zero


Version:        NetBSD-current:         affected prior to 20110706
                NetBSD 5.1:             affected prior to 20110708
                NetBSD 5.0:             affected prior to 20110708
                NetBSD 4.0.*:           affected prior to 20110716
                NetBSD 4.0:             affected prior to 20110716
                pkgsrc:                 net/bind96, net/bind97 and net/bind98
                                        packages prior to 20110706


Severity:       Denial of Service


Fixed:          NetBSD-current:         Jul 6th, 2011
                NetBSD-5-1 branch:      Jul 8th, 2011
                NetBSD-5-0 branch:      Jul 8th, 2011
                NetBSD-5 branch:        Jul 8th, 2011
                NetBSD-4-0 branch:      Jul 16th, 2011
                NetBSD-4 branch:        Jul 16th, 2011
                pkgsrc net/bind96:      bind-9.6.3.1.ESV4pl3 corrects this issue
                pkgsrc net/bind97:      bind-9.7.3pl3 corrects this issue
                pkgsrc net/bind98:      bind-9.8.0pl4 corrects this issue

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

Packets with rrtype zero can cause named to crash.

This vulnerability has been assigned CVE-2011-2464.


Technical Details
=================

A defect in the affected BIND 9 versions allows an attacker to remotely
cause the "named" process to exit by sending a specially crafted packet.
This defect affects both recursive and authoritative servers.
The code location of the defect makes it impossible to protect BIND
using ACLs configured within named.conf or by disabling any features
at compile-time or run-time.

A remote attacker would need to be able to send a specially crafted packet
directly to a server running a vulnerable version of BIND.
There is also the potential for an indirect attack via malware that is
inadvertently installed and run, where infected machines have direct
access to an organization's nameservers.

Note: CVE-2011-2465 is also fixed with this update. CVE-2011-0414,
CVE-2011-1907 and CVE-2011-1910 have been fixed previously but weren't
of sufficient impact to warrant an advisory.


Solutions and Workarounds
=========================

We suggest fixing this vulnerability by using the current net/bind98 or
net/bind97 pkgsrc package instead of the in-system bind until the entire
system can be updated (eg to the next security/critical release, or a
binary snapshot from http://nyftp.netbsd.org/pub/NetBSD-daily/ from past
the fix date).


Thanks To
=========

Thanks to the Internet Systems Consortium for reporting this
vulnerability and providing fixed versions.


Revision History
================

2011-07-26      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2011-006.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .

Copyright 2011, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2011-006.txt,v 1.2 2011/07/25 22:17:18 tonnerre Exp $


&lt;/pre&gt;</description>
    <dc:creator>NetBSD Security Officer</dc:creator>
    <dc:date>2011-07-26T04:04:02</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.netbsd.announce/479">
    <title>Core group composition</title>
    <link>http://comments.gmane.org/gmane.os.netbsd.announce/479</link>
    <description>&lt;pre&gt;Dear all,
 
The directors of the NetBSD Foundation and the Core group wish to
welcome Alan Barrett as new member of the Core group.

He is replacing Antti Kantee; our sincerest thanks to Antti
for all his efforts during his core tenure, especially for pushing
through the tiered port support model and for making bug bounties
a reality. 
 
On behalf of board,
S.P.Zeidler

&lt;/pre&gt;</description>
    <dc:creator>S.P.Zeidler</dc:creator>
    <dc:date>2011-07-13T18:22:46</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.netbsd.announce/478">
    <title>NetBSD Security Advisory 2011-005: ISC dhclient hostname field shell metacharacter injection</title>
    <link>http://comments.gmane.org/gmane.os.netbsd.announce/478</link>
    <description>&lt;pre&gt;


 NetBSD Security Advisory 2011-005
 =================================

Topic:          ISC dhclient does not strip shell meta-characters in
                environment variables passed to scripts.

Version:        NetBSD-current:         affected
                NetBSD 5.1:             affected
                NetBSD 5.0:             affected
                NetBSD 4.0.*:           affected
                NetBSD 4.0:             affected
                pkgsrc:                 isc-dhclient4 package prior to
                                        4.2.1-P1

Severity:       Arbitrary Script Execution

Fixed:          NetBSD-current:         April 6th, 2011
                NetBSD-5-0 branch:      April 7th, 2011
                NetBSD-5 branch:        April 7th, 2011
                NetBSD-4-0 branch:      April 7th, 2011
                NetBSD-4 branch:        April 7th, 2011
                pkgsrc 2011Q1:          April 11th, 2011


Abstract
========

dhclient doesn't strip or escape certain shell meta-characters in
dhcpd responses, allowing a rogue server or party with escalated
privileges on the server to cause remote code execution on the client. 

This vulnerability has been assigned CVE-2011-0997 and CERT
Vulnerability Note VU#107886.


Technical Details
=================

ISC dhclient did not strip or escape certain shell meta-characters
in responses from the dhcp server (like hostname) before passing
the responses on to dhclient-script. This may result in execution
of exploit code on the client. 

For more details, please see CVE-2011-0997.


Solutions and Workarounds
=========================

dhclient(1) exports many variables to the environment, some of
which are strings provided by the dhcp server and were not being sanity
checked for shell metacharacters. Although in the current implementation
of /sbin/dhclient-script "eval" is only used in ifconfig(8) commands
with arguments from the environment that cannot be set to strings
by the dhcp server ($interface, $medium are set by the client;
$new_ip_address, $new_netmask_arg, $new_broadcast_arg, $alias_ip_address,
$old_ip_address are IP addresses), one should either patch dhclient
to sanitize all variables or add the following line to
/sbin/dhclient-script at the beginning of the set_hostname()
function:

new_host_name="$(echo "${new_host_name}" | sed -e 's/[^a-zA-Z0-9-]*//g')"

The reason to do this is that unless the hostname is sanitized,
a hostname with shell metacharacters can be set on the system, and
other scripts that use the compromised hostname might break.

In environments where filters/acls can be put into place to limit
clients to accessing only legitimate dhcp servers, this will protect
clients from rogue dhcp servers deliberately trying to exploit this
bug. However, this will not protect from compromised servers.

Further workarounds: disable dhclient(8) from the base OS and use
the fixed isc-dhclient4 package from pkgsrc.

The following instructions describe how to upgrade your dhclient
binaries by updating your source tree and rebuilding and
installing a new version of dhclient.

  CVS branch    file                                    revision
  ------------- ----------------                        --------
  HEAD          src/dist/dhcp/client/dhclient.c         1.21
  netbsd-5-0    src/dist/dhcp/client/dhclient.c         1.19.12.2
  netbsd-5-1    src/dist/dhcp/client/dhclient.c         1.19.8.1.2.1
  netbsd-5      src/dist/dhcp/client/dhclient.c         1.19.8.2
  netbsd-4-0    src/dist/dhcp/client/dhclient.c         1.18.12.2
  netbsd-4      src/dist/dhcp/client/dhclient.c         1.18.2.2

The following instructions briefly summarize how to update and
recompile dhclient. In these instructions, replace:

  VERSION  with the fixed version from the appropriate CVS branch
           (from the above table)
  FILE     with the name of the file from the above table


To update from CVS, re-build, and re-install dhclient:
# cd src
# cvs update -d -P -r VERSION FILE
# cd usr.sbin/dhcp
# make USETOOLS=no cleandir dependall
# cd client
# make USETOOLS=no install


Thanks To
=========

Sebastian Krahmer and Marius Tomaschewski, SuSE Security Team, for
discovering and reporting the software flaw.


Revision History
================

2011-04-26      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2011-005.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2011, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2011-005.txt,v 1.2 2011/04/26 16:56:52 tonnerre Exp $

&lt;/pre&gt;</description>
    <dc:creator>NetBSD Security Officer</dc:creator>
    <dc:date>2011-04-26T19:37:43</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.netbsd.announce/477">
    <title>Planned outage of mail.NetBSD.org Sunday 17th</title>
    <link>http://comments.gmane.org/gmane.os.netbsd.announce/477</link>
    <description>&lt;pre&gt;Dear all,

mail.NetBSD.org will undergo a several hours outage starting
Sunday 17th at 7:00 UTC. It will receive a hardware change.

best regards,
spz
&lt;/pre&gt;</description>
    <dc:creator>S.P.Zeidler</dc:creator>
    <dc:date>2011-04-15T05:37:37</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.netbsd.announce/476">
    <title>NetBSD Security Advisory 2011-004: Kernel stack overflow via nested IPCOMP packet</title>
    <link>http://comments.gmane.org/gmane.os.netbsd.announce/476</link>
    <description>&lt;pre&gt;

 NetBSD Security Advisory 2011-004
 =================================

Topic:          Kernel stack overflow via nested IPCOMP packet


Version:        NetBSD-current:         source prior to April 1st, 2011
                NetBSD 5.0.*:           affected
                NetBSD 5.0:             affected
                NetBSD 5.1:             affected
                NetBSD 4.0.*:           affected
                NetBSD 4.0:             affected

Severity:       remote DOS, possible memory corruption

Fixed:          NetBSD-current:         April 1st, 2011
                NetBSD-5-0 branch:      April 3rd, 2011
                                        (5.0.3 will include the fix)
                NetBSD-5-1 branch:      April 3rd, 2011
                                        (5.1.1 will include the fix)
                NetBSD-5 branch:        April 3rd, 2011
                NetBSD-4-0 branch:      April 3rd, 2011
                NetBSD-4 branch:        April 3rd, 2011

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

A malicious packet containing nested RFC 3173 - IP Payload Compression
Protocol (IPComp) headers can cause a panic due to kernel stack exhaustion
in a kernel with option IPSEC enabled. Under certain conditions, kernel
memory may get overwritten. In kernels with option FAST_IPSEC a sufficient
quantity of such packets may cause a denial of service.

This vulnerability has been assigned CVE-2011-1547.


Technical Details
=================

The option IPSEC stack recurses through packet headers, expecting them to be
ESP/AH-IPCOMP-payload. Due to compression, an IPCOMP-IPCOMP-... packet may
contain a lot of headers, so attempting to recurse over all of them may
exhaust kernel stack, triggering a panic. 
The kernel stack may overflow into other memory, causing memory corruption;
on amd64 and i386 (and some other architectures) option DIAGNOSTIC in the
kernel will prevent this corruption, causing a faster panic instead.

The IPv4 FAST_IPSEC stack merely iterates through the packet headers so
there is no resource exhaustion by one packet, but a quine packet may
essentially iterate eternally, and thus bind resources. With FAST_IPSEC,
there needs to be a SA configured for ipcomp to be admitted at all.

Neither IPSEC nor FAST_IPSEC are enabled in NetBSD kernels by default.


Solutions and Workarounds
=========================

Workaround: If you do not expect plain ipcomp packets, filter out
incoming proto ipcomp packets (using either ipfilter, pf or npf).
This is not sufficient if you need to allow IPSEC and cannot trust
your IPSEC peers.

Fix: Patch, recompile, and reinstall the kernel, then reboot.

IPSEC

  CVS branch      file                                    revision
  ------------------------------------------------------------------
  HEAD            src/sys/netinet6/ipcomp_input.c         1.37
  netbsd-5-0      src/sys/netinet6/ipcomp_input.c         1.36.16.1
  netbsd-5-1      src/sys/netinet6/ipcomp_input.c         1.36.24.1
  netbsd-5        src/sys/netinet6/ipcomp_input.c         1.36.10.1
  netbsd-4-0      src/sys/netinet6/ipcomp_input.c         1.30.12.1
  netbsd-4        src/sys/netinet6/ipcomp_input.c         1.30.2.1

FAST_IPSEC

  CVS branch      file                                    revision
  ------------------------------------------------------------------
  HEAD            src/sys/netipsec/xform_ipcomp.c         1.26
  netbsd-5-0      src/sys/netipsec/xform_ipcomp.c         1.18.18.1
  netbsd-5-1      src/sys/netipsec/xform_ipcomp.c         1.18.22.1
  netbsd-5        src/sys/netipsec/xform_ipcomp.c         1.18.12.1
  netbsd-4-0      src/sys/netipsec/xform_ipcomp.c         1.8.2.1.4.1
  netbsd-4        src/sys/netipsec/xform_ipcomp.c         1.8.2.2

The following instructions briefly summarize how to update and
recompile the kernel. In these instructions, replace:

  VERSION  with the fixed version from the appropriate CVS branch
           (from the above table)
  FILE     with the name of the file from the above table
  ARCH     with your architecture (from uname -m), and
  KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -r VERSION FILE
        # ./build.sh kernel=KERNCONF
        # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd.new
        # mv /netbsd /netbsd.old &amp;amp;&amp;amp; mv /netbsd.new /netbsd

then reboot:

        # shutdown -r now

For more information on how to do this, see:    

   http://www.NetBSD.org/guide/en/chap-kernel.html

Thanks To
=========

Thanks to Tavis Ormandy, Google Security Team, for finding the issue.


Revision History
================

2011-04-07      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2011-004.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2011, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2011-004.txt,v 1.1 2011/04/06 22:06:57 tonnerre Exp $


&lt;/pre&gt;</description>
    <dc:creator>NetBSD Security Officer</dc:creator>
    <dc:date>2011-04-07T13:58:31</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.os.netbsd.announce">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.os.netbsd.announce</link>
  </textinput>
</rdf:RDF>

