Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Operating Systems BSD

NetBSD Announces Four New Security Advisories 62

Dan writes "The NetBSD project has announced four new security advisories. NetBSD ships with the racoon(8) IKE (Internet Key Exchange) daemon, a vulnerability was found in the code for packet validation of "informational exchange" messages. Inconsistent IPv6 path MTU discovery handling vulnerability states that a malicious party can cause a remote kernel panic by using ICMPv6 "too big" messages. The OpenSSL 0.9.6 ASN.1 parser vulnerability could lead to a possible denial-of-service. Finally, shmat reference counting bug - programming error in the shmat(2) system call can result in a shared memory segment's reference count being erroneously incremented."
This discussion has been archived. No new comments can be posted.

NetBSD Announces Four New Security Advisories

Comments Filter:
  • by TheLink ( 130905 ) on Friday February 20, 2004 @02:04AM (#8337335) Journal
    ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/ FreeBSD-SA-04:02.shmat.asc
  • by Anonymous Coward
    The patches were issued a rather long time ago...
  • by NEOtaku17 ( 679902 ) on Friday February 20, 2004 @04:36PM (#8343896) Homepage
    If your running an i386 just run this baby and it will get rid of any packages that have been flagged as insecure ftp://ftp.netbsd.org/pub/NetBSD/packages/1.6.2/i38 6/All/audit-packages-1.27.tgz Make sure that you don't need any of the packages it get's rid of before you run it. Too see which vulnerabilities it get's rid of check out this list. Also make sure you don't need anything on this list .ftp://ftp.netbsd.org/pub/NetBSD/packages/distfile s/vulnerabilities
    • by MobyTurbo ( 537363 ) on Saturday February 21, 2004 @08:19PM (#8352890)
      If your running an i386 just run this baby and it will get rid of any packages that have been flagged as insecure ftp://ftp.netbsd.org/pub/NetBSD/packages/1.6.2/i38 6/All/audit-packages-1.27.tgz
      Wrong. This tracks security problems of *packages*, as the name suggests. Problems with the base system, on the other hand, are handled by cvsing the proper source files and recompiling them; as per the advice in the security bulletins. (You *are* a subscriber to the NetBsd security announce list, aren't you? It's not high volume. :-) )
  • Does anyone know if this also affects Panther (OSX 10.3) which also ships with racoon?
  • by sheapshearer ( 746106 ) on Sunday February 22, 2004 @12:41PM (#8356182)
    The OpenSSL 0.9.6 ASN.1 parser vulnerability...

    What is going on? Didn't Microsoft have the same vulnerability recently? How is it that three entirely different operating systems (Linux,Windows,BSD) have the same vulnerability?

    Is this caused by human mistake or laziness?
    • by Anonymous Coward
      M$ is copying code from OpenSSL!
      That's why M$ code also has the ASN.1 bug!

      The truth is out there!!!
    • I'd be willing to bet it's because they're all using the same BSD-licensed code.

      Remember, all three have FreeBSD code in there, I can see it easily feasible that this racoon program has some sort of implementation on all three 'genres' of OS.
      • Actually largely all of them have code all intertwined, FreeBSD and NetBSD don't write their own OpenSSH apps for example, they borroww OpenBSD's, then again so does almost everyone else.

        NetBSD is actually the oldest of the current BSD's derived from BSD Net/2 (4.3BSD Lite), 386BSD was derived from that and FreeBSD is derived from 386BSD, both later got code from 4.4BSD Lite, and shortly after that OpenBSD was derived from NetBSD.

        Sort of like the bible, with "And Aramus begat Aramus Junior, who begat Aram
    • What is going on? Didn't Microsoft have the same vulnerability recently? How is it that three entirely different operating systems (Linux,Windows,BSD) have the same vulnerability?

      More likely the root cause of the problem is that parsing (anything) is an error-prone process, and parsing a complex standard is even more likely to result in problems. Parsers have to try to pull the data that is supposed to be there according to the standard, and have to hope that whoever is writing the data is also readin

    • No Silly, we all got it from SCO's System V

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...