Nabble - netbsd-announce

nyftp.netbsd.org outage through 2009-09-28

2009-09-25T10:43:36Z

The air conditioning repairs at our facility in New York will extend
through at least 2009-09-27. Consequently the services hosted there
will not be available until 2009-09-28 at the earliest.

We apologize again for the short notice; once again, it's all we had
ourselves.

Thor

nyftp.netbsd.org outage 2009-09-25

2009-09-24T14:55:38Z

Around 00:00 UTC on 2009-09-25, nyftp.netbsd.org will be offline for an
unknown interval of time due to the emergency replacement of a chiller
and other air conditioning equipment at the location where it is hosted.
We expect that the outage should be less than one full day.

We apologize for the short notice.

Thor

change of List-Id: format

2009-09-15T14:02:17Z

Dear all,

the format of the List-Id field in the headers of NetBSD list mail
will change to include a '.NetBSD.org' after the list name.
If you are filtering by this field, please adjust.

regards,
spz

NetBSD Core Team Changes

2009-09-04T13:12:40Z

After almost two years on the NetBSD core team, Quentin Garnier
(cube@...) has decided to step down. The Board of Directors
would like to thank him for doing a difficult job very well -
Quentin's technical acumen is very widely respected, and his ability
to get to the heart of technical issues is a fundamental part of his
effectiveness on core. He will be missed.

The Board of Directors has asked Matt Green (mrg@...) if he
would like to be on the core team, and Matt has kindly accepted. Matt
is well-known throughout the NetBSD community, and has been an active
developer longer than most developers. Most recently, Matt has been
the driving force behind X11 in the base system, and related DRM work.
In the past, Matt has worked on compilers and binutils, but may be
most widely known for his gzip frontend to zlib, and his work on our
pax utility. Some others may automatically associate him with bozohttpd,
as he is the author of that, or with ircII, which Matt maintains. It may
be quicker to just list the areas of the tree which he hasn't written.

Welcome, Matt!

The Board of Directors of The NetBSD Foundation would like to announce
that the new NetBSD core team will consist of:

Alistair Crooks (agc@...)
Matt Green (mrg@...)
Yamamoto Takashi (yamt@...)
Matt Thomas (matt@...)
Christos Zoulas (christos@...)

Alistair Crooks
on behalf of the Board of Directors
The NetBSD Foundation

Planned network outage for netbsd.org servers Sat Aug 8th 16:00 UTC ff

2009-08-06T00:21:23Z

Dear all,

ISC is planning work on a pretty central router that will affect
the NetBSD.org servers hosted at ISC (mail, www, ftp, anoncvs, blog etc).

This maintenance is supposed to start around 16:00 UTC on Sat Aug 8th,
and will take a few hours. Connectivity will likely not be down the
entire time, but don't expect it to be stable or plentiful.
Please use mirrors where available.

regards,
spz

Announcing NetBSD 5.0.1

2009-08-02T13:48:30Z

On behalf of the NetBSD developers, I am pleased to announce that
NetBSD 5.0.1 is now available for download. NetBSD 5.0.1 is the first
security/critical update of the NetBSD 5.0 release branch. It represents
a selected subset of fixes deemed critical in nature for security or
stability reasons. All users are encouraged to upgrade.

Please note that due to changes in pkg_install, users upgrading from
previous releases are strongly encouraged to run "pkg_admin rebuild"
after the upgrade is complete.

For full details, please see the release notes at:

http://www.NetBSD.org/releases/formal-5/NetBSD-5.0.1.html

ISO images can be downloaded using BitTorrent, and we encourage users
who wish to install via ISO images to take advantage of this, as the
images are well seeded.

http://www.NetBSD.org/mirrors/torrents/

Complete source and binaries for NetBSD 5.0.1 are available for download
at many sites around the world. A list of download sites providing FTP,
AnonCVS, and other services may be found at:

http://www.NetBSD.org/mirrors/

We are very grateful to all of those who donated during the 2007 fund
drive, which brought us many of the great advances made in the last two
years. We would like to remind everyone that we are in the middle of
a fund drive with a target of 60,000 USD by the end of the year. For
more information on how you can help NetBSD reach this goal, see

http://www.NetBSD.org/donations/

The NetBSD Foundation would like to thank all those who have
contributed code, hardware, documentation, funds, colocation for our
servers, web pages and other documentation, release engineering, and
other resources over the years. More information on the people who
make NetBSD happen is available at:

http://www.NetBSD.org/people/

We would like to especially thank the University of California at
Berkeley and the GNU Project for particularly large subsets of code
that we use. We would also like to thank the Internet Systems
Consortium Inc., the Network Security Lab at Columbia University's
Computer Science Department, and Ludd (Luleaa Academic Computer
Society) computer society at Luleaa University of Technology for
current colocation services.

NetBSD Security Advisory 2009-013: BIND named dynamic update Denial of Service vulnerability

2009-07-29T00:30:07Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NetBSD Security Advisory 2009-013
=================================

Topic: BIND named dynamic update Denial of Service vulnerability

Version: NetBSD-current: affected prior to 2009-07-29
NetBSD 5.0: affected
NetBSD 4.0.*: affected
NetBSD 4.0: affected
pkgsrc: bind package prior to 9.5.1pl3 and 9.6.1pl1

Severity: Denial of Service

Fixed: NetBSD-current: July 28, 2009 21:13 UTC
NetBSD-5-0 branch: July 28, 2009 22:26 UTC
NetBSD-5 branch: July 28, 2009 22:26 UTC
NetBSD-4-0 branch: July 28, 2009 22:19 UTC
NetBSD-4 branch: July 28, 2009 22:19 UTC
pkgsrc 2009Q2: bind-9.5.1pl3 and bind-9.6.1pl1 corrects this issue

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

An assertion failure in the Berkeley Internet Name Domain server
software shipped in NetBSD can be used by a remote attacker to
cause the server process to crash by sending specially crafted
dynamic update messages.

This vulnerability has been assigned CVE-2009-0696 and CERT
Vulnerability Note VU#725188.

Technical Details
=================

An error handling dynamic DNS update packets with the record data
type being set to "ANY" will cause an assertion in the
dns_db_findrdataset() function to trigger, causing the name server
to exit. This requires at least one of the record set entries
specified in the update to exist on the local server.

The assertion triggered will typically cause the following message:

db.c:659: REQUIRE(type != ((dns_rdatatype_t)dns_rdatatype_any)) failed
exiting (due to assertion failure).

Note that this assertion will be triggered even if dynamic DNS
updates are disabled.

Solutions and Workarounds
=========================

In order to avoid this vulnerability, either filter incoming dynamic
DNS update requests using a firewall or upgrade your bind software
to a non-vulnerable version.

The following instructions describe how to upgrade your bind binaries
by updating your source tree and rebuilding and installing a new
version of bind.

* NetBSD-current:

Systems running NetBSD-current dated from before 2009-07-28
21:13 UTC should be upgraded to NetBSD-current dated
2009-07-28 21:13 UTC or later.

The following files/directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
external/bsd/bind/dist

To update from CVS, re-build, and re-install bind:
# cd src
# cvs update -d -P external/bsd/bind/dist
# cd external/bsd/bind/bin/named
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install

* NetBSD 5.*:

Systems running NetBSD 5.* sources dated from before
2009-07-28 22:26 UTC should be upgraded from NetBSD 5.*
sources dated 2009-07-28 22:26 UTC or later.

The following files/directories need to be updated from the
netbsd-5 or netbsd-5-0 branches:
dist/bind/bin/named/update.c

To update from CVS, re-build, and re-install bind:

# cd src
# cvs update -r <branch_name> -d -P dist/bind/bin/named/update.c
# cd usr.sbin/bind/named
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install

* NetBSD 4.*:

Systems running NetBSD 4.* sources dated from before
2009-07-28 22:19 UTC should be upgraded from NetBSD 4.* sources
dated 2009-07-28 22:19 UTC or later.

The following files/directories need to be updated from the
netbsd-4 or netbsd-4-0 branches:
dist/bind/bin/named/update.c

To update from CVS, re-build, and re-install bind:

# cd src
# cvs update -r <branch_name> -d -P dist/bind/bin/named/update.c
# cd usr.sbin/bind/named
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install

Thanks To
=========

Matthias Urlichs for finding and reporting this bug and Christos Zoulas
for fixing it in NetBSD.

Revision History
================

2009-07-29 Initial release

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2009-013.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.

Copyright 2009, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2009-013.txt,v 1.1 2009/07/29 06:54:37 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iQIcBAEBAgAGBQJKb/JnAAoJEAZJc6xMSnBu9+UP+gJmgL1T1NkLAkecNDH/i5ST
sHSY3ifMoEDaMnEIYe+h/LtdiQx6BFOhUbtVuT8trInjjvSmwfw0j/gF7WnHoKxO
9BgR4Z0BoTL2N+g5+opZHnn/m3JI7Q3X7oVw3YSAVT3OzAhSANT8bijhs/XlvCIu
A1B6gjxfRb1A5oiD94qlBT072WLakDj9C42kTqyt1H5Bf5zLbD7V6E9HZVW6kRI4
YiYDTTXgOrHpRxKprFYszn7r0bb8JeJeDnMq7M/u2ZcnNGjz3VB9PXU7Qbotytc2
Or2bDpGanpnn0/9ARS+GAEfmVR7v8bG7Q32IUyV+o1RbGcdH4Z66d9nnopjrC6Fp
OfAzQHR00QOgMibuvuvV1bzIgsDoJ7lZ97ptFHEZM+nMx4j6p/exCowZIlLv1OGD
myREoE2tHxstvQpXBd7mszcYBdr+9BzE6tRSY/TtzFHj4uMzt2/nOo8iCq7ac6U1
XXLzTmAMG7+sRHgEpv9TAn2of0azUXkwGYhNX8ibJyQXdalVowpCti99+bzJjUSF
OTPOT0CGrAU0URnYZfsF+03Uj0REccmRqR5WZBpegmSBy8AoUtG0BjREABDifB3m
PDi12xUawr8xdbNHTTTfiKzyAXbmfcg4NrTqw3o1OvtIVueNu6+56apMZyk7oUAY
OZwSsME+s8EkcORvH8ks
=05bL
-----END PGP SIGNATURE-----

NetBSD Security Advisory 2009-012: SHA2 implementation potential buffer overflow

2009-07-28T14:52:35Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NetBSD Security Advisory 2009-012
=================================

Topic: SHA2 implementation potential buffer overflow

Version: NetBSD-current: affected prior to 2009-05-26
NetBSD 5.0: affected
NetBSD 4.0.*: affected
NetBSD 4.0: affected

Severity: Denial of Service

Fixed: NetBSD-current: May 26, 2009
NetBSD-5-0 branch: Jul 11, 2009
NetBSD-5 branch: Jul 11, 2009
NetBSD-4-0 branch: Jul 22, 2009
NetBSD-4 branch: Jul 22, 2009

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

An error initializing a SHA2 context causes vulnerable applications using
libcrypto to suffer from a 4- or 8-byte buffer overflow (for SHA256 and
SHA512 correspondingly) with fixed content, potentially causing
applications to crash.

Technical Details
=================

A program using the SHA2 implementation from sys/sha2.h in NetBSD and
linking against libcrypto is vulnerable to a 4- or 8-byte buffer
overflow (for SHA256 and SHA512 correspondingly) with fixed content.

The overflow occurs at the time the hash init function is called (e.g.
SHA256_Init). The init functions then pass the wrong size for the
context as an argument to the memset function which then overwrites
4 bytes of the memory buffer located after the one holding the context.

In the NetBSD base system, this affects the libssh library as well as
the pkg_install framework. In libssh, the overflow occurs on the heap
of the program using it, in pkg_install a stack overflow occurs.

Solutions and Workarounds
=========================

A workaround for this issue for programs in the NetBSD base system
is to disable SHA256 as a HMAC for the secure shell and to avoid
using the audit facility as well as signed packages.

To determine whether or not a package is signed, run the command

% tar tzf package.tgz

on the package. If the first file of the package is +PKG_HASH,
then the package is signed.

The following instructions describe how to upgrade your libcrypto
and libc binaries by updating your source tree and rebuilding and
installing a new version of the three facilities.

* NetBSD-current:

Systems running NetBSD-current dated from before 2009-05-26
should be upgraded to NetBSD-current dated 2009-05-27 or later.

The following files/directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
common/lib/libc/hash/sha2
distrib/sets/lists
lib/libc
lib/libcrypto
sys/sys

To update from CVS, re-build, and re-install lorem:
# cd src
# cvs update -d -P common/lib/libc/hash/sha2
# cvs update -d -P distrib/sets/lists
# cvs update -d -P lib/libc
# cvs update -d -P lib/libcrypto
# cvs update -d -P sys/sys
# cd sys/sys
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# cd ../../lib/libc
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../libcrypt
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../libcrypto
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install

* NetBSD 5.*:

Systems running NetBSD 5.* sources dated from before
2009-07-11 should be upgraded from NetBSD 5.* sources dated
2009-07-12 or later.

The following files/directories need to be updated from the
netbsd-5 or netbsd-5-0 branches:
common/lib/libc/hash/sha2
distrib/sets/lists
lib/libc
lib/libcrypto
sys/sys

To update from CVS, re-build, and re-install libc and libcrypto:

# cd src
# cvs update -r <branch_name> -d -P common/lib/libc/hash/sha2
# cvs update -r <branch_name> -d -P distrib/sets/lists
# cvs update -r <branch_name> -d -P lib/libc
# cvs update -r <branch_name> -d -P lib/libcrypto
# cvs update -r <branch_name> -d -P sys/sys
# cd sys/sys
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# cd ../../lib/libc
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../libcrypt
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../libcrypto
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install

* NetBSD 4.*:

Systems running NetBSD 4.* sources dated from before
2009-07-22 should be upgraded from NetBSD 4.* sources dated
2009-07-23 or later.

The following files/directories need to be updated from the
netbsd-4 or netbsd-4-0 branches:
common/lib/libc/hash/sha2
distrib/sets/lists
lib/libc
lib/libcrypto
sys/sys

To update from CVS, re-build, and re-install libc and libcrypto:

# cd src
# cvs update -r <branch_name> -d -P common/lib/libc/hash/sha2
# cvs update -r <branch_name> -d -P distrib/sets/lists
# cvs update -r <branch_name> -d -P lib/libc
# cvs update -r <branch_name> -d -P lib/libcrypto
# cvs update -r <branch_name> -d -P sys/sys
# cd sys/sys
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# cd ../../lib/libc
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../libcrypt
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../libcrypto
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install

Thanks To
=========

Joerg Sonnenberger for finding, reporting and fixing the issue.

Revision History
================

2009-07-28 Initial release

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2009-012.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.

Copyright 2009, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2009-012.txt,v 1.1 2009/07/28 18:29:29 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iQIcBAEBAgAGBQJKb0ijAAoJEAZJc6xMSnBuBEEP+wa1ybcKmHkq16evmfBdGIpM
9Z7fVSvx5fDHMvUDGKL5tST/CIoRU379yiBIj/VS0tlUV9TLo1TPdrLO9XON0ara
CaIP3DK766+hjya0PwuVuy8yVhUQ6Dz2rKTBjSpmz38qv8RfvR4G6iwF3W6YNvNu
pF3vjEJIbQdT6Fen3pzb4D9aiQ6SvEZdknGGR2HmebY2ig4un+bsIJc3x+Iv87Iw
qpuJ6KQSnfLxx5qFVO5Sax8SNdL3VmQQcFhVgO3tg/ddcFUVwngXS2Wg9ChczQWt
7wM7OVwXOL1Vr0s2NcRlsIppHXvKRQxu54CuEQM6gsPcleJhsBVFo9/AbeSw4SAx
rLiR/jQ6vsC9/28ZpKGQkrtnf5fxP2R7uQIN2nylCiB+s5UDmAHAYTt1tSTMt4ou
+xgCX0OnE9iB68FoJYq1YjHMc3n4GclJz3lijXsRBzgGaSHZJc3ywYtO6puS8yUI
mXKWPdGthCDVXWiKUOBZYcuS4dv7RoA+VhI3Q1P/kwFQ9xXqb9XWSQYmLycxleA8
BjjSEuIlw5tdAnufDJA8ZRXl4gP0qhrKfPtyYkLUj6pezcyPU1QD61yK0euMr3sq
lO97lYhYqtc2gMJaOgVYoHUqbsemuRNEOdHMBeqIoC8MYYH5La6Tuub26Dwz7eDV
Mxw6htX0zEm1S/1ld7ne
=GZuc
-----END PGP SIGNATURE-----

NetBSD Security Advisory 2009-011: ISC DHCP server Denial of Service vulnerability

2009-07-28T14:51:56Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NetBSD Security Advisory 2009-011
=================================

Topic: ISC DHCP server Denial of Service vulnerability

Version: NetBSD-current: affected prior to 2009-07-16
NetBSD 5.0: affected
NetBSD 4.0.*: affected
NetBSD 4.0: affected
pkgsrc: isc-dhcpd package prior to 3.1.1p1

Severity: Denial of Service

Fixed: NetBSD-current: Jul 16, 2009
NetBSD-5-0 branch: Jul 17, 2009
NetBSD-5 branch: Jul 17, 2009
NetBSD-4-0 branch: Jul 17, 2009
NetBSD-4 branch: Jul 17, 2009
pkgsrc 2009Q2: isc-dhcpd-3.1.1p1 corrects this issue

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

A reference counting error in dhcpd allows a remote attacker to cause
a daemon crash by submitting requests with the same client ID on
different interfaces served by the same daemon.

This vulnerability has been assigned CVE-2009-1892.

Technical Details
=================

A reference counting error in dhcpd allows a remote attacker to cause
a daemon crash by submitting requests with the same client ID on
different interfaces served by the same daemon.

This requires that client ID based configurations are mixed in the
configuration file with hardware address based configurations.

Solutions and Workarounds
=========================

In order to fix the vulnerability on your local machine, either
make sure that only client-id based statements or hardware ethernet
statements are used, or upgrade to a non-vulnerable version of
dhcpd.

The following instructions describe how to upgrade your dhcpd
binaries by updating your source tree and rebuilding and
installing a new version of dhcpd.

* NetBSD-current:

Systems running NetBSD-current dated from before 2009-07-16
should be upgraded to NetBSD-current dated 2009-07-17 or later.

The following files/directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
dist/dhcp/server

To update from CVS, re-build, and re-install lorem:
# cd src
# cvs update -d -P dist/dhcp/server
# cd usr.sbin/dhcp
# make USETOOLS=no cleandir dependall
# cd server
# make USETOOLS=no install

* NetBSD 5.*:

Systems running NetBSD 5.* sources dated from before
2009-07-17 should be upgraded from NetBSD 5.* sources dated
2009-07-18 or later.

The following files/directories need to be updated from the
netbsd-5 or netbsd-5-0 branches:
dist/dhcp/server

To update from CVS, re-build, and re-install dhcpd:

# cd src
# cvs update -r <branch_name> -d -P dist/dhcp/server
# cd usr.sbin/dhcp
# make USETOOLS=no cleandir dependall
# cd server
# make USETOOLS=no install

* NetBSD 4.*:

Systems running NetBSD 4.* sources dated from before
2009-07-17 should be upgraded from NetBSD 4.* sources dated
2009-07-18 or later.

The following files/directories need to be updated from the
netbsd-4 or netbsd-4-0 branches:
dist/dhcp/server

To update from CVS, re-build, and re-install dhcpd:

# cd src
# cvs update -r <branch_name> -d -P dist/dhcp/server
# cd usr.sbin/dhcp
# make USETOOLS=no cleandir dependall
# cd server
# make USETOOLS=no install

Thanks To
=========

Christoph Biedl for discovering and reporting the issue, and Florian
Weimer for the fix.

Revision History
================

2009-07-28 Initial release

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2009-011.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.

Copyright 2009, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2009-011.txt,v 1.1 2009/07/28 18:29:29 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iQIcBAEBAgAGBQJKb0iQAAoJEAZJc6xMSnBujKAP/14r5KM5VfyEfsLgrId7XiKY
Ms28lQ5i7gUI+0hfNPh7QbADIGCim0Gdn3XVybgVNWZcFWNOQWwQfRu+/2Zv9JeG
SLBUp+xJ7eqWxM66oZYvPK4csB18L/qZSWouHdDxA1z64+S8Qsn9pz6Y1hih/eoh
b1WWa9ZcE/7JxYINVCH4RKQIn7TRPWqLex1MWf3jGJafAH3XRpgfCWUbgkTB4CTU
xNahopXzt3Xpdmd8j9kRPzLnP7UEUOwQapcQAJ88tlMISNh5zbRuuxWHJGDwxM3l
pBm65TvItT2N+D2Z/4CkduK8Z1U7nM0pXR/amJOrrotK0kllLMhH+sYZ5lROLx8R
DFHuaDYxPQ0xOySVRc3rnPguatm27TB/BgSiFC/vEU030OXB90dboTDsnQhRn0WI
5jAfC1iKzq/fN6rMsKKaZ718En5lLV8Qcew29IGJUMS8vC5+PZ3yDHOSVXZiFjp0
r8RZj1EucuzJKYT5veqZ2SSSK14elvczclpyBir+GyhEuh9RLS71k/Td9DlsPrMR
XhE3V3/ygyQcBZJ69xn0QGlXHInMPc1aRNDxObg+511i8ugvpb6V71VFQOeF81/7
M7qqAl2W3ojMzHTISXUHRSICB3dyJ8jy9y9GFRpw6UkvUyskuGttYYhA85EuPexi
WVkLaq9xsgfSYqB9+71X
=PW6s
-----END PGP SIGNATURE-----

More brief outages of ftp.netbsd.org TODAY, 2009-07-23

2009-07-23T10:08:48Z

At or after 18:00UTC today, July 23, 2009, there will be one or more
brief outages of ftp.netbsd.org as we prepare to rearrange services
using new and upgraded hardware.

Thor

NetBSD Security Advisory 2009-005: Plaintext Recovery Attack Against SSH

2009-07-14T14:33:52Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NetBSD Security Advisory 2009-005
=================================

Topic: Plaintext Recovery Attack Against SSH

Version: NetBSD-current: source prior to June 8, 2009
NetBSD 5.0: source prior to June 30, 2009
NetBSD 4.0.1: source prior to June 30, 2009
NetBSD 4.0: source prior to June 30, 2009
pkgsrc: openssh packages prior to 5.2

Severity: Information leakage from SSH sessions

Fixed: NetBSD-current: June 8, 2009
NetBSD-5 branch: June 30, 2009 (5.0.1 will include the fix)
NetBSD-4 branch: June 30, 2009 (4.1 will include the fix)
NetBSD-4-0 branch: June 30, 2009 (4.0.2 will include the fix)
pkgsrc 2009Q1: openssh-5.2 corrects this issue

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

A defect exists in SSH protocol that allows active attackers to
recover plaintext from an SSH session if a CBC mode cipher is in
use. Updated versions of OpenSSH mitigate this problem.

http://secunia.com/advisories/32760/
http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt
http://www.kb.cert.org/vuls/id/958563

Technical Details
=================

The CBC cipher mode of the SSH protocol allows a remote attacker
to recover up to 32 bits of plaintext data from an existing SSH
session by sending specially crafted packets. This can be mitigated
either through changes of the sshd_config and ssh_config files or
by updating to the latest version of OpenSSH.

http://secunia.com/advisories/32760/
http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt
http://www.kb.cert.org/vuls/id/958563

Solutions and Workarounds
=========================

The problem can be mitigated by disabling the CBC mode ciphers
using the following directive in sshd_config and ssh_config:

Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc

This makes the CBC ciphers most unlikely to be selected, reducing
the likelyhood of exposure.

In order to fix the underlying problem, users should upgrade their
SSH clients and servers. The information leak vulnerability requires
an active attack and is not easy to exploit, but is potentially
dangerous.

The following instructions describe how to upgrade your SSH
binaries by updating your source tree and rebuilding and
installing a new version of SSH.

* NetBSD-current:

Systems running NetBSD-current dated from before 2009-06-08
should be upgraded to NetBSD-current dated 2009-06-09 or later.

The following directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
crypto/external/bsd/openssh/dist

To update from CVS, re-build, and re-install SSH:
# cd src
# cvs update -d -P crypto/external/bsd/openssh/dist
# cd usr.bin/ssh

# make USETOOLS=no cleandir dependall
# make USETOOLS=no install

* NetBSD 5.0:

The binary distribution of NetBSD 5.0 is vulnerable.

Systems running NetBSD 5.0 sources dated from before
2009-06-29 23:00 UTC should be upgraded from NetBSD 5.0
sources dated 2009-06-30 or later.

NetBSD 5.0.1 and 5.1 will include the fix.

The following directories need to be updated from the
netbsd-5-0 CVS branch:
crypto/dist/ssh

To update from CVS, re-build, and re-install SSH:

# cd src
# cvs update -d -P -r netbsd-5-0 crypto/dist/ssh
# cd usr.bin/ssh

# make USETOOLS=no cleandir dependall
# make USETOOLS=no install

Alternatively, apply the following patch (with potential offset
differences):
ftp://ftp.NetBSD.org/pub/NetBSD/security/patches/SA2009-005-openssh-nb5.patch

To patch, re-build and re-install SSH:

# cd src/crypto/dist/ssh
# patch < /path/to/SA2009-005-openssh-nb5.patch

# cd ../../../usr.bin/ssh
# make cleandir dependall
# make install

* NetBSD 4.0, 4.0.1:

The binary distributions of NetBSD 4.0 and 4.0.1 are vulnerable.

Systems running NetBSD 4.0 sources dated from before
2009-06-30 01:00 UTC should be upgraded from NetBSD 4.0
sources dated 2009-06-30 or later.

NetBSD 4.1 and 4.0.2 will include the fix.

The following directories need to be updated from the
netbsd-4-0 CVS branch:
crypto/dist/ssh

To update from CVS, re-build, and re-install SSH:

# cd src
# cvs update -d -P -r netbsd-4-0 crypto/dist/ssh
# cd usr.bin/ssh

# make USETOOLS=no cleandir dependall
# make USETOOLS=no install

Alternatively, apply the following patch (with potential offset
differences):
ftp://ftp.NetBSD.org/pub/NetBSD/security/patches/SA2009-005-openssh-nb4.patch

To patch, re-build and re-install SSH:

# cd src/dist/ssh
# patch < /path/to/SA2009-005-openssh-nb4.patch

# cd ../../../usr.bin/ssh
# make cleandir dependall
# make install

Thanks To
=========

Martin Albrecht, Kenny Paterson and Gaven Watson from the
Information Security Group at Royal Holloway, University of
London for finding and reporting the issue.

Revision History
================

2009-06-30 Initial release

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2009-005.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.

Copyright 2009, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2009-005.txt,v 1.1 2009/06/30 00:32:25 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iQIcBAEBAgAGBQJKSl6UAAoJEAZJc6xMSnBuspkQALQuPHnJla8/j0MF5jvPZJoy
7+Y9XbmLOMux/c80lqGINX4aRCj+H9JZ8IWkIU7iTnKri6tn4AurhfE6LI4Mta84
OQ/VFz5t8QCYfuhuBZeAUnW6CLShnwdVBoLBitpAeQEavTHTiyz3BMEQpXFlWsya
VtFsiKF8GnkcQNI3f6/iNCwMSrloiMiTTCaovG0Kt0iITBAl5kO4EKf1y2us/KcI
KpPd7rKR0hdyK1hPt/ZRh0s981rwm+/ZjIzPfjgEj9cSWHn0mCbAqycqrqdEjeOK
i3UW0JtRjE/EFcFKJLOTA86mlU9oTK1J5Z4mk/o/AB/3BVtntRLgv56VLE72aYBc
ZPbEGMIGAmwhKk67u+jwdGtOE+C8Dge3F+GWzLy51fW7kHPmDlKpiKSmg1Qo0SdB
8qwiCwuDWOvqaGeIMaKqgM2wrQxlY+bjz4eiYBrDPH+bazcQfrwXRGRXlEDhWi43
pEd7XbCKz0KJSx16ZxRqXDeVvjtAEGucfDeakMYzAFjq832RlE+jAoJ3z69sDALZ
goRqvSO//VrOaAuIaUJwE8A4SraJWD3tCzGxk2niZW2ZYwMYoJnaIO0fHbsZ45yN
G5SzqPTUKtjKX5d3swdnNbPVaXi5jUKZtggzfyu286r9gziSUN2yqhEXQYcTzvK1
/ujYOT/k3khhYjG9CbVh
=rKrv
-----END PGP SIGNATURE-----

NetBSD Security Advisory 2009-010: ISC dhclient subnet-mask flag stack overflow

2009-07-14T14:31:46Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NetBSD Security Advisory 2009-010
=================================

Topic: ISC dhclient subnet-mask flag stack overflow

Version: NetBSD-current: affected before June 24, 2009
NetBSD 5.0: affected
NetBSD 4.0.*: affected
NetBSD 4.0: affected
pkgsrc: isc-dhclient package prior to
4.1.0p1, 4.0.1p1, or 3.1.2p1

Severity: Arbitrary Code Execution

Fixed: NetBSD-current: June 24, 2009
NetBSD-5-0 branch: July 14, 2009 20:00 UTC
NetBSD-5 branch: July 14, 2009 20:00 UTC
NetBSD-4-0 branch: July 14, 2009 20:00 UTC
NetBSD-4 branch: July 14, 2009 20:00 UTC
pkgsrc 2009Q2: isc-dhclient-4.1.0p1, 4.0.1p1 and
3.1.2p1 correct the issue

Abstract
========

A stack overflow vulnerability in ISC dhclient allows an attacker
operating a rogue DHCP server to execute arbitrary code with root
privileges on the affected system by supplying a specially crafted
subnet-mask parameter.

This vulnerability has been assigned CVE-2009-0692 and CERT
Vulnerability Note VU#410676.

Technical Details
=================

The script_write_params() function in ISC dhclient version 4.1.0 and
earlier, 4.0.1 and earlier as well as 3.1.2 and earlier fails to
properly verify the subnet-mask parameter while copying it into
the internal state.

This can be exploited to overwrite the stack frame pointer and execute
arbitrary code in the context of the dhclient process. The size of the
injected code is thereby limited to the MTU of the interface dhclient
is listening on.

For more details, please see CVE-2009-0692.

Solutions and Workarounds
=========================

As a temporary workaround, disable dhclient(8) from the base OS and
use either the fixed dhclient packages from pkgsrc, or alternatively
the program dhcpcd(8) from the base system.

The following instructions describe how to upgrade your dhclient
binaries by updating your source tree and rebuilding and
installing a new version of dhclient.

* NetBSD-current:

Systems running NetBSD-current dated from before 2009-06-24
should be upgraded to NetBSD-current dated 2009-06-25 or later.

The following file needs to be updated from the netbsd-current
CVS branch (aka HEAD):
dist/dhcp/client/dhclient.c

To update from CVS, re-build, and re-install dhclient:
# cd src
# cvs update -d -P dist/dhcp/client/dhclient.c
# cd usr.sbin/dhcp
# make USETOOLS=no cleandir dependall
# cd client
# make USETOOLS=no install

* NetBSD 5.*:

Systems running NetBSD 5.* sources dated from before
2009-07-14 20:00 UTC should be upgraded from NetBSD 5.*
sources dated 2009-07-14 20:00 UTC or later.

The following file needs to be updated from the netbsd-5 or
netbsd-5-0 branches:
dist/dhcp/client/dhclient.c

To update from CVS, re-build, and re-install dhclient:

# cd src
# cvs update -r <branch_name> -d -P dist/dhcp/client/dhclient.c
# cd usr.sbin/dhcp
# make USETOOLS=no cleandir dependall
# cd client
# make USETOOLS=no install

Alternatively, apply the following patch (with potential offset
differences):
http://ftp.NetBSD.org/pub/NetBSD/security/patches/SA2009-010-dhclient.patch

To patch, re-build and re-install SSH:

# cd dist/dhcp/client
# patch -p0 < /path/to/SA2009-010-dhclient.patch

# cd ../../../usr.sbin/dhcp
# make USETOOLS=no cleandir dependall
# cd client
# make USETOOLS=no install

* NetBSD 4.*:

Systems running NetBSD 4.* sources dated from before
2009-07-14 20:00 UTC should be upgraded from NetBSD 4.*
sources dated 2009-07-14 20:00 UTC or later.

The following file needs to be updated from the netbsd-4 or
netbsd-4-0 branches:
dist/dhcp/client/dhclient.c

To update from CVS, re-build, and re-install dhclient:

# cd src
# cvs update -r <branch_name> -d -P dist/dhcp/client/dhclient.c
# cd usr.sbin/dhcp
# make USETOOLS=no cleandir dependall
# cd client
# make USETOOLS=no install

Alternatively, apply the following patch (with potential offset
differences):
http://ftp.NetBSD.org/pub/NetBSD/security/patches/SA2009-010-dhclient.patch

To patch, re-build and re-install SSH:

# cd dist/dhcp/client
# patch -p0 < /path/to/SA2009-010-dhclient.patch

# cd ../../../usr.sbin/dhcp
# make USETOOLS=no cleandir dependall
# cd client
# make USETOOLS=no install

Thanks To
=========

The Mandriva Linux Engineering Team and for discovering and reporting
the software flaw and Christos Zoulas for providing a fix.

Revision History
================

2009-07-14 Initial release

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2009-010.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.

Copyright 2009, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2009-010.txt,v 1.2 2009/07/14 20:40:33 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iQIcBAEBAgAGBQJKXO1UAAoJEAZJc6xMSnBudBkQAJPPZ55nwsFZOp5V8tOIhuki
a+YKDE5zaa9AvIrvpzZqUIE9F9/FR92Ke7Sh5Ol7zxpnBJXwsEYIJfdKBW47Bx8y
drZ7KPvOyga8dqDE8OQWRzCWfpbzYGSIp706TlO0ONBzZLUN4JCy60kbZtAwXt83
oM50DTA9DhtIxy+MOJyStnHArZLQZYH4VTNBdQb3UmJR+/LjQIY2oxvLBwN/QKOB
mfFfyxHwgZXkY9dUXSB+wsdEtgLOToVUhDsrcNvzYYH9Dxs2unBpXdTFCy4BYcAZ
o5FiSEW5lHReDCiql5PZ+6AfiehzabmPC3rZLTD9QgjE3cPlrVA7XZsmnZnsxAF1
4O1/w8Pz4pl+X+84+JsbQCSkhMRX4zlkZ2lUtTtF9FZ73wHPih3oK1MN8ssW414c
Pms36xxKgmop/xw58/SGtlmaFD+0sUm6fSZBAlD5BDuSwqvWVUIvHXxEoAuN2Vbc
j65njdgvrpZ5VG0bX4CxE1rbxhjCJ0wwRgU3MgH36Pv6bFV3TBWqriGHIr9VmDbt
qGyQJdLlejW4cUjVhz8ZProbWhsvpoObtuAetysyhwRke6Ie/ssvon+0iLz4QikO
Nh2eaVdqQqJZRFOPGyxPoYjT1KU27+C7Xos+2D+VT/rnk/lnKcOG1ye+v0B7HNgc
eNYsWmC3rp8NPDDc6N18
=Jf/4
-----END PGP SIGNATURE-----

Brief outage of ftp.netbsd.org TODAY, 2009-07-14 02:45 UTC

2009-07-13T17:35:58Z

At or around 02:45:00 UTC today, ftp.netbsd.org will be unavailable for
a brief interval expected to be less than two hours, for a CPU and memory
upgrade. This is the first step of a major round of upgrades planned for
the NetBSD Foundation servers, and should provide better performance and
more reliable service for our users.

Apologies for the short notice. We hope the outage will actually be so
short it will be invisible to most of the users of ftp.netbsd.org.

Thor

NetBSD Security Advisory 2009-009: OpenSSL DTLS Memory Exhaustion and DSA signature verification vulnerabilities

2009-07-07T21:46:03Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NetBSD Security Advisory 2009-009
=================================

Topic: OpenSSL DTLS Memory Exhaustion and DSA signature
verification vulnerabilities

Version: NetBSD-current: affected prior to 2009-07-04
NetBSD 5.0: affected
NetBSD 4.0.*: affected
NetBSD 4.0: affected
pkgsrc: openssl package prior to 0.9.8j

Severity: Denial of Service, DSA signature spoofing

Fixed: NetBSD-current: July 4, 2009
NetBSD-5-0 branch: July 4, 2009 (NetBSD 5.0.1 will include the fix)
NetBSD-5 branch: July 4, 2009 (NetBSD 5.1 will include the fix)
NetBSD-4-0 branch: July 4, 2009 (NetBSD 4.0.2 will include the fix)
NetBSD-4 branch: July 4, 2009 (NetBSD 4.1 will include the fix)
pkgsrc 2009Q1: openssl-0.9.8j corrects this issue

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

Two range check errors in the DTLS code allow a remote attacker
to exhaust memory by executing too many out of sequence handshakes
or by sending DTLS packets with a future epoch.

A mistake in handling return codes allows a remote attacker to spoof
DSA signatures on data or certificates.

These vulnerabilities have been assigned CVE-2009-1377, CVE-2009-1378,
CVE-2009-1379, CVE-2009-1386 and CVE-2009-1387.

Technical Details
=================

The OpenSSL library does not limit the number of buffered DTLS records
tagged with a future epoch. If a large amount of such packages is
received, the DTLS records will occupy large amounts of memory, causing
exhaustion. Also, no limit is imposed on the number of out-of-sequence
handshake messages received, which can also be used to exhaust all
available memory.

A different error is caused by the functions validating DSA and ECDSA
keys. These functions do not handle the return code of
EVP_VerifyFinal() properly, causing some types of signature verification
errors to be ignored. This can be used to spoof DSA signatures on
data or certificates.

Solutions and Workarounds
=========================

No workaround to the problem is currently known. Users are advised
to either restrict access to OpenSSL services to trusted users only
or to apply the patches as described below.

The following instructions describe how to upgrade your OpenSSL
binaries by updating your source tree and rebuilding and
installing a new version of OpenSSL.

* NetBSD-current:

Systems running NetBSD-current dated from before 2009-07-04
should be upgraded to NetBSD-current dated 2009-07-05 or later.

The following files/directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
crypto/dist/openssl

To update from CVS, re-build, and re-install OpenSSL:
# cd src
# cvs update -d -P crypto/dist/openssl
# cd lib/libcrypt
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# make USETOOLS=no dependall install
# cd ../libcrypto
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# make USETOOLS=no dependall install
# cd ../libssl
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# make USETOOLS=no dependall install
# cd ../../usr.bin/openssl
# make USETOOLS=no cleandir
# make USETOOLS=no dependall install

If you use the patented libcrypto extensions,
you will also want to execute the following commands:

# cd ../../lib/libcrypto_idea
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# make USETOOLS=no dependall install
# cd ../libcrypto_mdc2
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# make USETOOLS=no dependall install
# cd ../libcrypto_rc5
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# make USETOOLS=no dependall install

* NetBSD 5.*:

Systems running NetBSD 5.* sources dated from before
2009-07-04 should be upgraded from NetBSD 5.* sources dated
2009-07-05 or later.

NetBSD 5.1 and 5.0.1 will include the fix.

The following files/directories need to be updated from the
netbsd-5 or netbsd-5-0 branches:
crypto/dist/openssl

To update from CVS, re-build, and re-install OpenSSL:

# cd src
# cvs update -r <branch_name> -d -P crypto/dist/openssl
# cd lib/libcrypt
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# make USETOOLS=no dependall install
# cd ../libcrypto
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# make USETOOLS=no dependall install
# cd ../libssl
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# make USETOOLS=no dependall install
# cd ../../usr.bin/openssl
# make USETOOLS=no cleandir
# make USETOOLS=no dependall install

If you use the patented libcrypto extensions,
you will also want to execute the following commands:

# cd ../../lib/libcrypto_idea
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# make USETOOLS=no dependall install
# cd ../libcrypto_mdc2
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# make USETOOLS=no dependall install
# cd ../libcrypto_rc5
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# make USETOOLS=no dependall install

* NetBSD 4.*:

Systems running NetBSD 4.* sources dated from before
2009-07-04 should be upgraded from NetBSD 4.* sources dated
2009-07-05 or later.

NetBSD 4.1 and 4.0.2 will include the fix.

The following files/directories need to be updated from the
netbsd-4 or netbsd-4-0 branches:
crypto/dist/openssl

To update from CVS, re-build, and re-install OpenSSL:

# cd src
# cvs update -r <branch_name> -d -P crypto/dist/openssl
# cd lib/libcrypt
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# make USETOOLS=no dependall install
# cd ../libcrypto
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# make USETOOLS=no dependall install
# cd ../libssl
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# make USETOOLS=no dependall install
# cd ../../usr.bin/openssl
# make USETOOLS=no cleandir
# make USETOOLS=no dependall install

If you use the patented libcrypto extensions,
you will also want to execute the following commands:

# cd ../../lib/libcrypto_idea
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# make USETOOLS=no dependall install
# cd ../libcrypto_mdc2
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# make USETOOLS=no dependall install
# cd ../libcrypto_rc5
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# make USETOOLS=no dependall install

Thanks To
=========

Daniel Mentz and the Google Security Team for discovering the vulnerabilities
and reporting them to the vendor.

Revision History
================

2009-07-07 Initial release

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2009-009.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.

Copyright 2009, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2009-009.txt,v 1.1 2009/07/07 21:57:15 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iQIcBAEBAgAGBQJKU8fzAAoJEAZJc6xMSnBuUZAQAKtILf4tYU6tpRvYaoWqA4+2
Co7wT+h0ihGJDgK2vRSXd+gG+rAhh3vi0b4nfuJY/zHotVC1l5Y50jLB4BSP/ZbR
STP2oBx87C1qmufqRW6fpe8rifelE9O3qmixSvogupro/zQXXaVrwnhNJPSjZ+o0
uZ1SWZr78UGBcyFgtOKhBD6p9wXpNl5R7by7V4qjxB+Q0a/tPwJ6Qb2mjWYE3Aj8
BfedB/5z2eP5rsmA89yk6m9cmm15n3OEtq/lqYDyRdnZTz8QnNvWEm/byVmjqDwu
lMVtSq4QmGkS97NVCrkkb9mAYm6rqaTaxlMVKQRoWVf1CSy3ZYTDjJNmp0kCWLct
gN9AXi+9TqL9/H1tuvqpzEHHVFJh+KSxB8bayzAz4ODPbcXeSv+mNKwQF7ryO+Kk
VenqjcD/0JSmX66hDwC4RfDTmYoqcKVOpRKhHmHLsrQ53Gv56gX+5z8r4Lcz4hH5
3a6oo6GG2jzJJaz6W9C+k1G4WQklgc4CpL3t9qJsnJ2947Dc7qELj2C20iEXSNcR
VcwlSYK4Niyf7IwNjcNZaXexzIfYDByEBLWtXCbSrBEwAI3TdSstlEafHYsBVXa3
+xWJpqjFsb+2CPlFwRDIdA2Mhp7MojHFaPvsdj4Y6EfN5KVLsLmhzMpmtP0XeCsm
Iosoo4fBPrIeYefwxcNs
=64Ku
-----END PGP SIGNATURE-----

NetBSD Security Advisory 2009-008: OpenSSL ASN1 parsing denial of service and CMS signature verification weakness

2009-07-07T21:45:29Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NetBSD Security Advisory 2009-008
=================================

Topic: OpenSSL ASN1 parsing denial of service and CMS
signature verification weakness

Version: NetBSD-current: affected prior to 2009-03-27
NetBSD 5.0: not affected
NetBSD 4.0.*: affected
NetBSD 4.0: affected
pkgsrc: openssl package prior to 0.9.8k

Severity: Denial of Service, Forgery of CMS signatures

Fixed: NetBSD-current: May 27, 2009
NetBSD-4 branch: July 4, 2009 (4.1 will include the fix)
NetBSD-4-0 branch: July 4, 2009 (4.0.2 will include the fix)
pkgsrc 2009Q1: openssl-0.9.8k corrects this issue

Please note that NetBSD releases prior to 4.0, as well as the pre-release
versions of NetBSD 5.0, are no longer supported. It is recommended that
all users upgrade to a supported release.

Abstract
========

A handling error in the ASN1 parser functions can cause an
application linked against libcrypto to crash. Another
vulnerability in the CMS signature verification algorithm
allows an attacker to modify the CMS attributes of a signed
certificate.

This vulnerability has been assigned CVE-2009-0590,
CVE-2009-0591 and CVE-2009-0789.

Technical Details
=================

The function ASN1_STRING_print_ex() when used to print a BMPString
or UniversalString will crash with an invalid memory access if the
encoded length of the string is illegal.

An error calculating the length of ASN1 structure members can be
exploit to cause a memory access violation in the error path on
architectures where sizeof(long) < sizeof(void *), causing an
application linked against a vulnerable version of libcrypto to
crash.

The function CMS_verify() does not correctly handle an error
condition involving malformed signed attributes. This will cause an
invalid set of signed attributes to appear valid and content
digests will not be checked.

Solutions and Workarounds
=========================

Currently, no workaround to this problem is known. Users must
either upgrade their OpenSSL version to include the fix, or
to restrict access to affected applications to trusted users
only.

The following instructions describe how to upgrade your OpenSSL
binaries by updating your source tree and rebuilding and
installing a new version of OpenSSL.

* NetBSD-current:

Systems running NetBSD-current dated from before 2009-03-27
should be upgraded to NetBSD-current dated 2009-03-28 or later.

The following files/directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
crypto/dist/openssl

To update from CVS, re-build, and re-install OpenSSL:
# cd src
# cvs update -d -P crypto/dist/openssl
# cd lib/libcrypto
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# make USETOOLS=no dependall install
# cd ../libcrypto
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# make USETOOLS=no dependall install
# cd ../libssl
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# make USETOOLS=no dependall install
# cd ../../usr.bin/openssl
# make USETOOLS=no cleandir
# make USETOOLS=no dependall install

If you use the patented libcrypto extensions,
you will also want to execute the following commands:

# cd ../../lib/libcrypto_idea
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# make USETOOLS=no dependall install
# cd ../libcrypto_mdc2
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# make USETOOLS=no dependall install
# cd ../libcrypto_rc5
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# make USETOOLS=no dependall install

* NetBSD 4.*:

Systems running NetBSD 4.* sources dated from before
2009-07-04 should be upgraded from NetBSD 4.* sources dated
2009-07-05 or later.

NetBSD 4.1 and 4.0.2 will include the fix.

The following files/directories need to be updated from the
netbsd-4 or netbsd-4-0 branches:
crypto/dist/openssl

To update from CVS, re-build, and re-install OpenSSL:

# cd src
# cvs update -r <branch_name> -d -P crypto/dist/openssl
# cd lib/libcrypto
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# make USETOOLS=no dependall install
# cd ../libcrypto
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# make USETOOLS=no dependall install
# cd ../libssl
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# make USETOOLS=no dependall install
# cd ../../usr.bin/openssl
# make USETOOLS=no cleandir
# make USETOOLS=no dependall install

If you use the patented libcrypto extensions,
you will also want to execute the following commands:

# cd ../../lib/libcrypto_idea
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# make USETOOLS=no dependall install
# cd ../libcrypto_mdc2
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# make USETOOLS=no dependall install
# cd ../libcrypto_rc5
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# make USETOOLS=no dependall install

Thanks To
=========

Ivan Nestlerode of IBM and Paolo Ganci for discovering and reporting
these issues.

Revision History
================

2009-07-07 Initial release

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2009-008.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.

Copyright 2009, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2009-008.txt,v 1.1 2009/07/07 21:57:15 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iQIcBAEBAgAGBQJKU8fnAAoJEAZJc6xMSnBu3tQP/A27N0vjPgawbMJ2ugtw8bVR
oRi95Vl0Qgvn3dAge37LIUd7xCYo7RuPcvJn23ua0DcTmObkc0HO0kiaucn/O7BQ
He794oEwtEzDv8oQYhKuRLGZQV9bzWfjHebmHWBH35FZtqZ5ujV1Anrf7cSmjKEY
wTmrUUws+/v3rdZ4HgXOzNiqyie17oN5QoX3iLmtQILTecLH15R6pv9SgBV003dz
/zy8ypKkshSfBXczLpHemOmlFh5wCH7vvsAnIgyXLKYCQ580zyyc6GQEOUBCw0uh
Id7A2DuksbB4/jtq0cZBqXa7kWjM4Ypufoxa/G5cbQMRTWeVdfDidc5Qismis6q+
gqAl6+7R7ZS4Txzp2Ve3bvN+dgXTyjYscWE59It8br1RnMY7sM/Ad8PlwCRbrLGs
0AA+tvF4yemQjgoSIbV2FBi8ZYyOkQH3mxgnuS/p7AXQLtEuz3wLmSuHFKnfHK7A
ikijnSOkj3u1Rrk0AqTYOsUQifzwdn7wkzyTSGWsIYYpUURJEmRFlmizM2tGRciR
411ND8lPOB3eI6FonbeWPfFrd3nAOfsI9+3IcA8Ez3wWTYD0X/dw36cJT1m66dou
SqEN6ibFeR70grJo6nuO4sH8G7e/9QkFesdccJhaRFgJ7D0Fc28WwLQohx9H9tnG
7Bnl8Q6GvEzktaYZeqOw
=eMbN
-----END PGP SIGNATURE-----

NetBSD Security Advisory 2009-007: Buffer overflows in hack(6)

2009-06-30T14:52:12Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NetBSD Security Advisory 2009-007
=================================

Topic: Buffer overflows in hack(6)

Version: NetBSD-current: source prior to June 30, 2009
NetBSD 5.0: affected
NetBSD 4.0.1: affected
NetBSD 4.0: affected

Severity: Unprivileged local users can gain access to "games" group

Fixed: NetBSD-current: June 29, 2009
NetBSD-5 branch: June 29, 2009
(5.1 will include the fix)
NetBSD-5-0 branch: June 29, 2009
(5.0.1 will include the fix)
NetBSD-4 branch: June 29, 2009
(4.1 will include the fix)
NetBSD-4-0 branch: June 29, 2009
(4.0.2 will include the fix)

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

Hack, a "rogue-like" game, is installed setgid to the "games" group
to allow access to shared data and high scores and allow saved games
to be stored where they cannot be tampered with. Buffer handling
shortcomings allow arbitrary code execution with the privilege of the
"games" group, which can then be used to attack other users playing
games.

Technical Details
=================

The gethdate() function contains a stack-based buffer overflow
vulnerability that can be exploited by setting the PATH environment
variable.

The main() function contains a data-segment-based buffer overflow bug
attackable in wizard mode by the GENOCIDED environment variable; this
may be exploitable via function pointers elsewhere in the data segment.

Multiple other string handling weaknesses exist that may or may not be
attackable and may or may not be exploitable.

Solutions and Workarounds
=========================

Removing the setgid bit from /usr/games/hack is a simple and effective
workaround, although hack will not work properly without it.

For all affected NetBSD versions, the proper fix requires obtaining
updated sources, and rebuilding and installing hack. Fixed sources may
be obtained from the NetBSD CVS repository.

* NetBSD-current:

Systems running NetBSD-current dated from before 2009-06-30
should be upgraded to NetBSD-current dated 2009-06-30 or later.

* NetBSD 5.0_STABLE and 5.0.0_PATCH:

The binary distribution of NetBSD 5.0 is vulnerable.

Systems running NetBSD 5.0 sources dated from before
2009-06-30 should be upgraded from NetBSD 5.0 sources
dated 2009-06-30 or later.

NetBSD 5.0.1 and 5.1 will include the fix.

* NetBSD 4.0_STABLE and 4.0.1_PATCH:

The binary distribution of NetBSD 4.0 is vulnerable.

Systems running NetBSD 4.0 sources dated from before
2009-06-30 should be upgraded from NetBSD 4.0 sources
dated 2009-06-30 or later.

NetBSD 4.0.2 and 4.1 will include the fix.

* For all releases:

The following directories need to be updated from the
appropriate CVS branch:
games/hack

To update from CVS, re-build, and re-install hack:
# cd src
# cvs update -d -P games/hack
# cd games/hack

# make USETOOLS=no cleandir obj
# make USETOOLS=no dependall install

This will select the fixes for the branch you have already
checked out in your source tree.

For more information on building (oriented towards rebuilding the
entire system, however) see:

http://www.netbsd.org/guide/en/chap-build.html

Thanks To
=========

David A. Holland found and fixed the problems.

Revision History
================

2009-06-30 Initial release

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2009-007.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.

Copyright 2009, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2009-007.txt,v 1.1 2009/06/30 18:48:33 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iQIcBAEBAgAGBQJKSl6pAAoJEAZJc6xMSnBuvToP+gJN7pXD5M1Sd8/lG+bM5DQr
nxSAlOzww0gzIJPxvvkYNWooQM3wW2OdvqTrIiN6UMTtAXsuw4UFsnbiwUorj8rZ
XexgNO8hK5MyqebpsCwzH7Ofcip5yozBspBcE5bOVXQZcRKrUprvS+Zk9Q141ObV
NZ6qY2y9NjRE4lKzXMsxTLQHhFPMVTC+nG4rke4RrFIur11xdT1xIW59iuJExVTs
5eqFE/yOgmVondPCaln830beho3wHIha4obYXYq0+C2xbFzNvNu0+mAIKxkNhxel
902vLMHolzp664mSrKNxJwV2es3ii0NMMGlnGGecIsz+RedvizG2wcdEWCTumLEw
jIJY448FsI1a2GKHbOH5N/TieidHbEq81v8H0k2Kkw5B0GlwARsW8iCDVNeGpmKr
0F5Zqy2M0EvNfGykPw+Rd+vU7soid4JFJVlnGoEFt2BbhtMz7XlT8xovy4I4Sgp0
1klYEwB8Y8quipJnN9tmyAX3eVH73s0ycA4mjlSFtsvMZDTU0xr0znC1gaCcWtia
gfq1pLgyH1BNgg2TuAon2kGwON2T/FzSoJySSjujWq9LXLKj3ZEhqCRTmQ9m+cHr
jpI0Lx4gSxixKlH+ROv6Y/6bmc8+W0JUtHkUIkEtj/PeJ/GBVCBjEOzShCkvep6t
qYfYnSqAMzMWrCl6ARb5
=7nGK
-----END PGP SIGNATURE-----

NetBSD Security Advisory 2009-006: Buffer overflows in ntp

2009-06-30T14:51:34Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NetBSD Security Advisory 2009-006
=================================

Topic: Buffer overflows in ntp

Version: NetBSD-current: source prior to May 21, 2009
NetBSD 5.0: source prior to May 27, 2009
NetBSD 4.0.1: source prior to May 27, 2009
NetBSD 4.0: source prior to May 27, 2009

Severity: Potential remote arbitrary code execution

Fixed: NetBSD-current: May 20, 2009
NetBSD-5 branch: May 27, 2008 (5.0.1 will include the fix)
NetBSD-4 branch: May 27, 2008 (4.1 will include the fix)
NetBSD-4-0 branch: May 27, 2008 (4.0.2 will include the fix)

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

Two remote buffer overflow vulnerabilities have been found in the ntp
(Network Time Protocol) code.

The first, in ntpq, potentially allows arbitrary code execution (as
the user running ntpq) if a hostile ntp daemon is contacted.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0159

The second, in ntpd itself, allows remote arbitrary code execution as
the system ntp user if cryptographic authentication is enabled, which
is not the default. If ntpd is configured to run in a chroot area
(which is not the default) the arbitrary code execution should be
contained within the chroot.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1252

The second of these vulnerabilities makes the first considerably more
dangerous than it would be on its own.

Technical Details
=================

1. The cookedprint() function contains a stack-based buffer overflow
vulnerability that can be exploited by sending a properly crafted
response to ntpq.

2. The crypto_recv() function contains a stack-based buffer overflow
vulnerability that can be exploited by sending a properly crafted
packet to ntpd.

Solutions and Workarounds
=========================

Workarounds:

1. Avoid running ntpq until a fixed version has been installed.

2. Disable cryptographic authentication until a fixed version has been
installed. Or, disable ntpd entirely until a fixed version has been
installed. Either of these approaches is probably undesirable; it is
better to update immediately.

Enabling the rc.conf(5) option to run ntpd under chroot may mitigate
the impact of an attack but does not qualify as a real workaround.

Solutions:

For all affected NetBSD versions, obtain updated sources, and
rebuild and reinstall the ntp daemon and tools. If ntpd is running, be
sure to stop and restart it.

The fixed sources may be obtained from the NetBSD CVS repository.

The following instructions briefly summarize how to update and
recompile your ntp binaries by updating your source tree and rebuilding
a new version of ntp.

* NetBSD-current:

Systems running NetBSD-current dated from before 2009-05-20
should be upgraded to NetBSD-current dated 2009-05-21 or later.

The following directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
dist/ntp/ntpd
dist/ntp/ntpq

To update from CVS, re-build, and re-install ntp:
# cd src
# cvs update -d -P dist/ntp/ntpd
# cvs update -d -P dist/ntp/ntpq
# cd usr.sbin/ntp

# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# /etc/rc.d/ntpd stop
# /etc/rc.d/ntpd start

* NetBSD 5.0:

The binary distribution of NetBSD 5.0 is vulnerable.

Systems running NetBSD 5.0 sources dated from before
2009-05-27 should be upgraded from NetBSD 5.0 sources
dated 2009-05-28 or later.

NetBSD 5.0.1 and 5.1 will include the fix.

The following directories need to be updated from the
netbsd-5-0 CVS branch:
dist/ntp/ntpd
dist/ntp/ntpq

To update from CVS, re-build, and re-install ntp:

# cd src
# cvs update -d -P -r netbsd-5-0 dist/ntp/ntpd
# cvs update -d -P -r netbsd-5-0 dist/ntp/ntpq
# cd usr.sbin/ntp

# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# /etc/rc.d/ntpd stop
# /etc/rc.d/ntpd start

* NetBSD 4.0, 4.0.1:

The binary distributions of NetBSD 4.0 and 4.0.1 are vulnerable.

Systems running NetBSD 4.0 sources dated from before
2009-05-27 should be upgraded from NetBSD 4.0 sources dated
2009-05-28 or later.

NetBSD 4.1 and 4.0.2 will include the fix.

The following directories need to be updated from the
netbsd-4-0 CVS branch:
dist/ntp/ntpd
dist/ntp/ntpq

To update from CVS, re-build, and re-install ntp:

# cd src
# cvs update -d -P -r netbsd-4-0 dist/ntp/ntpd
# cvs update -d -P -r netbsd-4-0 dist/ntp/ntpq
# cd usr.sbin/ntp

# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# /etc/rc.d/ntpd stop
# /etc/rc.d/ntpd start

Thanks To
=========

Christos Zoulas for providing the fixes.

Revision History
================

2009-06-30 Initial release

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2009-006.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.

Copyright 2009, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2009-006.txt,v 1.2 2009/06/30 18:30:27 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iQIcBAEBAgAGBQJKSl6gAAoJEAZJc6xMSnBux40QALdvcTyn12pJ22i72eLn1aEh
UcXNvekD0yQFXF3xQ/2klcVCmUvFelSlkvelZ2csDxzetvNSRVY6SBgp3F6NdWC3
YxDAiDF/GeZyQi2hWdCqLVsW2kfDih8Bl+sL/51oxuIkzaSQzkQAhXCF3ggWl259
oLMeuR/Vdre6jqJpfXjq12vhNu7g/XvLyhH7b7WAMxqT/+7rEqmlPua5epjr43b2
RMt4zCRFga+NlU+iO78YvzEAUhk/kvFhDkXiPMQZ0puY4akuRAMYS1Il8YkK0o8K
rktvX9dMChnIFyh826vuiUpeUpN/UxHRUYTIkUhO8A4WoM6ffs3GuJ0IXZUQPmoV
mZ/ybpJWjRmAQnwK2vw/RJAhPQnojzZ0ZqFYry1zvlw8Ec59ShNO8XUXXMnxCeK6
kZsJ1pWuHc+m6aQ0lkItuV6zBnx4xjTSJ8bzE1qIkX9v0kFYkny8hzxNWRHrhZhu
qm4acnPdzWivfo1C9panMSI3oL8z0wAG6s5gkBJDglbdwtyaM+W3r3EAHvyaKmSV
1uubeTGTh8pqkTNsPAL8+OkFRCAlU2NQZWjbkjwJQfbHaRzdD/BJzO/9JFJ0aYhX
H0Eo0fBotfCcUhl5jzo5r4EnsFuSmeaLDLExVY7NNcqYylrlUnj31MUJh6TL/Gan
3vWY3qzD4Z2V7lwVgzwX
=zdxv
-----END PGP SIGNATURE-----

Changing the NetBSD Security Officer PGP key

2009-06-23T15:41:54Z

Dear NetBSD users, dear followers of the NetBSD security community,

Please note that from now on, the NetBSD Security Officer will
use a new PGP key to sign announcements and other types of
communication. The old PGP key will be unenrolled over the next
time:

pub 1024R/F8376205 1997-07-01
uid security-officer@...

It will be superseeded by the following key which is larger
and offers a better security margin:

pub 4096R/4C4A706E 2009-06-23 [expires: 2019-06-21]
uid NetBSD Security Officer <security-officer@...>
sub 4096R/DF2CE620 2009-06-23 [expires: 2019-06-21]

The key will be rotated on a regular basis in the future, for
better security of our users. Please update your processes to
make use of this new key in the future.

To testify this migration, this mail contains the new security-officer
PGP key below and, appended, a signature of the text part generated
with the old and the new key, correspondingly.

Thank you for your continued trust in NetBSD,

The NetBSD Security Officers

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.9 (NetBSD)

mQINBEpBSlIBEADZ07j5C/Gt+frfs/Jj1Sa3Ac5iwathJQQvoA6AAh860juEugdG
yBXtJDRiXRLP/t7MX16BcyYxMRc15WPSnjpolyM7PPnbOHoLcrmlkdWyzjJfTXCR
XMIG2wOYgER4fNjFmf0uD+EcEUQA2ShXUpviQBIs6GLlDLPvzKmtHzX4I1WWKzm4
xe/ik64YcL5pW2Wd/mLNd97FDmxwjRnUm4JEUYNUMbMOleytGGvNzKihpIvyIVCv
MEfZfRfPl1hPXHqKs9H8u2UuNn6DJDWmHN738X95VDOv2YReIG8CwLqpnKv7BCEN
m1/XnbxEC6lExrG2PCfWeyM9xFh3Q4oGZ19qo8m6jRWUlwY3hNQ7eSYoJZNkkjGZ
Ooc09BNTcM/M7oTUgifDBFwORiW64weGSgpICN/BN+vifQUIOgJ6g3LHmi6RXmFk
GbMLBsOni/j0ZHbIJacMoI/82h7XykOl1wZ3xzb9Hj0sNqSO+TeDEA2BVt1JKweH
w0nD23zBa5Md9w+xhigdXaTcDp6JmJOUXb8p4J/uXiwJa2yjIQ0IxSH7Adq76oKK
+ALanhOs07kiDHLy/ZwgjBrynEfvDb8f6LH4hDZNm6QuGrbboAYRxo7B8vvYn7qj
kiNRI53VRxbohFbhu1YUh4EIZgTgBwzos1zXVmkP5SmhSnreOJ3mAPAFEwARAQAB
tDVOZXRCU0QgU2VjdXJpdHkgT2ZmaWNlciA8c2VjdXJpdHktb2ZmaWNlckBOZXRC
U0Qub3JnPokCPQQTAQIAJwUCSkFKUgIbAwUJEswDAAcLCQgHAwIBBBUCCAMEFgID
AQIeAQIXgAAKCRAGSXOsTEpwbpexD/9rdMz3AvYeTF3FexE7LQhKpOTu0vT1qep+
ArEg+LlKhD+2H0lj8e7rQBbOTlJE7kgxNvGmBBqhxgz/fuSk6+GN0FC/A+l4uDum
bAiZVukLDopF/51Hjv10P/AL3pl/OBhKEoRDLVxb/x4vn+sB4qHyEraG/KQgEE6x
ocKVWBbSB5ohRPa5kn/7yQo5+DciJzRYZ9g0g78dMhFeHN20C8oz7nu6MgrJ77vj
StjEhrQlCt2xaXa5HXCq1L9reqqOdiRCXuyxoDL2ZzsLKWbqouM/ejNXZeumvBUF
+zf8n2Y1WQqD1VTHzxZqJoywgpSjyPc7ddzYNaLc/H9RRtBluxb6e+pSIeJOz+sq
SIRsYBGm3qW/AuMTSmp4p6PvKWaOIBTa8IFvGb2aQbqoBZ4q6CqAMkuUMXxUzpoa
OjQ2uA5jVrYDb8VMugRGN94duUxILZa0Ioq8MjqHdtK2Y7kgHG1kybGQJo0ZAsrf
vKLo815OXonUUd2Vjy1Yol5yCZ49A2PIeSFZy7/q4CXAu0xIFscNzKpPlD7CKGjQ
uZ4m+99feJApBPrggS2HecI9Pm4lfkbXEE4UFJ1mnmsDp+LAAADF8odL5VoS5YvU
ent+hrLxnjxSdTQYPj8pezQCTgK5Ra/fUUTQXeJoaktNVmfs5I0P93EgHod6cr6i
uAQlspMm67kCDQRKQUrAARAA8+HXXFhDrtGuM1X2DSWdAJICEyi3nRshwGzSNOSF
29tMv0ADgdyEQQ2pxp6H7FbP8MrLN6dGPUZN0H/2/ziz+VpWT9q64WArTEVo99sb
jnoJELSQQxUl0JL2Kkfdnj3M/irnx0vQKrNiZXcadPp7h9yt8fGMQWjrkLiIENQ5
glCRQTd0JnN9f+MGejMDMdLowrKPSQlPix5YjYgFw8v9zHXacymWsoqDYDxSaPhJ
jAlu6wl/dkDIpuF3GaphrITPQYz4mmg0t1i9MWn8zpuCD/kGKLpNDSC+14SlHRGB
cXL8s0mUH7DhRZkJPplxPoYzMT/oyVeA3/jtMdA4HLDn1+hDzHa1QiodKm3TL7Tv
qEARLjSc91Bh2nqV+WKKlMKZbtrhuxYokva7+IPxhm3fE1ZOp7xJ5lh6oAimjDH4
klgZMNiSz2eh13B6dwhXSBacyXsNUGjuLE9WN+CAZpE3fLCjaRh8dVuaNGq+x41U
VlobM+qvtpPyUHBG/zehH/sy3gnPz4+7dy3zgkM4wDAyxe2B4M78ZGsIZhHm31kH
bO2PjV7LMxESGTOxjz+gqRHuwsczqNHPN6Y1M1yncCm6WRncVTpdHQjgkpvuO4IX
4yTx+ssGPr63yFxONB2CYYCzJ3Ky36qcllNbZA7Aecf9pre3jB9vdmWej5yn4d2X
hSMAEQEAAYkCJQQYAQIADwUCSkFKwAIbDAUJEswDAAAKCRAGSXOsTEpwbs25D/0V
D6I3GYTuvDiI4k/ABbnu4cSlbTbXL3nlEjAOqhpgjHXG0x/3PV48R+7ASpu1PUTh
SUJCx4O0pk/UPI/RPB5NBj7aseHZNwhYrrYqILgm+8zuudXwl7iZ1hE4n/TCuqn+
oDOufeBb0hKE4a66BNmMx9nYkAO10OLpY/hGSlt15CzdDWrXLmENTswbcL3B6na0
IU7iDjqHQqc1j+wMcsRdfcjVGGtLJpv2qvV49CiYIuljTxoTVN137LU7aXCqyvJU
1Nx63omLRhwnp3EzM+2ag7t8Y8zsvuU50vrvm4AIurtgcCzx4gQXO8tNb6ZCPRr6
FcdxwX8ZHvq/BIqrnt3R4ee3fmoIbfsorOT/HFaekCqm5Mgz/lwCrKXMCQGl1xpO
HYQ8JhvGG4zKd8CJslpu7t5Yn1eQZj87J1vbzA7K9wmtEIrLHnPBcyZyHJT/73Ip
q9QVRHqNaotjM0Jsmpwn1uztSS2zmB9ugrRPJrllkoozcnETxaVCiblLBGGixfo0
DAOC2n+WsApGhZJafujVJ4aXxsD3XxTXgrx0QBanOQmiksBdsOytmeuibScbEtyC
lVfAHOTENBr2V3ozhH9ghlbm8Io2kg31/xKQlcqLmtEut5uMbrjqeWz7ICrNBDDl
lZVYSg38QEDQ4fSPkYd00g5aPUrWbQvlW7jeuqXx8A==
=VfLo
-----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iQCVAwUASkFW6D5Ru2/4N2IFAQI7zAP/Z99a6nFpb+eesF4omoaDuUZ85lMDX3gY
p2C8LVQXGIVocTnuXBcUMt3gl94I3FthVAINKL/IW7rQFvi/AfL6PsNxkNuS0BDE
ESUrGJkvquGLucKQufqGgqtxQIMVZmiOclFDeoC16OZlDIM2W9PoheX9oR40K81g
YLLX3MNlpdM=
=mEWT
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iQIcBAABAgAGBQJKQVcUAAoJEAZJc6xMSnBuRiUP/Re11cPMsfuyVrMUqKrb7tcU
ALJnnf/P4udYNZoNv89giVm6XjmYOSMYdqLSjJ88nkaELFRyjUVdeXRK1rJ2B9Se
z78N2HltWlO9Id49lwnKRBC3+3TAnEoRjZ2QwIZ6qEbrs8Kx1cPZlJG9qmkG/gH5
AsocslJRchM9IVJMvMKRULQS8r1+kQU1f8sOIyRo5m1yfgwlSEoBMpaAvPcQ8fm+
HzRVjTbYSKTIgfIXUdQchDUCxuVrOUmOg7MfUpbnTANGOa2ihS9N00swAhSSamoK
FTtraZDHeZnG1E4i+FJGUjvSRajvUl9DA3oX/8uUH91VFVTjLWvc5QlN745cEr4i
lC1Bl8c4SdCPd7LC+MH/iCy82E6TQTxVcCQg5xzFNJLYAliwGP+TVb7gh5JmhbTn
YWD2T5X5gt5e5Zxomp0/Z5omV2N+GEWWCcgl5DKzqTXuPIzRkGtqsMxM8Kbh8aPT
95BDRgIcNQqSXt9KowO4KdrCCa2oFaknfMguaDpIVz7eedxg+pDsKQg4SZd3oQfy
3RTndqDyMDjTJOD4kzGSsBIRnL5t+kG6M0Aq7qG2SC1JdD1JgFA8RfdDAbXYAT85
g6Z5epEdXdrwe3x3d6JdW604EiKlnVv7XwXQKNXwX3kIfrdCSXSoCsvt3QTQQ+jv
s+hiCG5u1deWcUaaeRus
=T61Y
-----END PGP SIGNATURE-----

NetBSD Security Advisory 2009-004: NetBSD OpenPAM passwd(1) changing weakness

2009-06-23T14:01:38Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NetBSD Security Advisory 2009-004
=================================

Topic: NetBSD OpenPAM passwd(1) changing weakness

Version: NetBSD-current: affected before June 14, 2009
NetBSD 5.0: affected
NetBSD 4.0.1: affected
NetBSD 4.0: affected

Severity: Change root password as normal user

Fixed: NetBSD-current: June 14, 2009
NetBSD-5-0 branch: June 18, 2009
(5.0.1 will include the fix)
NetBSD-5 branch: June 18, 2009
(5.1 will include the fix)
NetBSD-4-0 branch: June 18, 2009
(4.0.2 will include the fix)
NetBSD-4 branch: June 18, 2009
(4.1 will include the fix)

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

A verification weakness in the pam_unix module allows an authenticated
attacker with knowledge of the current root password to reset it.

Technical Details
=================

The pam_unix authentication module provided by NetBSD does not verify
the user invoking a password change properly. This allows an
authenticated, unprivileged user to change the root password, given
the old root password.

Authentication as root is typically limited to members of a special
group called "wheel" in order to limit the impact of a leaked root
password. For this reason, the ability of changing the root password
is traditionally limited to users who have already authenticated as
root.

Please note that this only affects systems using normal UNIX password
authentication.

Solutions and Workarounds
=========================

In order to verify if you are affected by the problem, look for a line
in /etc/pam.d/system stating

password required pam_unix.so no_warn try_first_pass

If such a line exists, invoke the command

passwd root

as a regular user. If the command issues the error "Unable to change
auth token: permission denied", the system is not affected.

A temporary workaround is to add the line

password prerequisite pam_group.so no_warn group=wheel fail_safe

before the pam_unix line to /etc/pam.d/system. This allows only members
of the wheel group to change passwords until the issue can be addressed.
Note however that this can increase the time user accounts are
compromised in case of a security incident.

For all NetBSD versions, you need to obtain the fixed NetBSD sources and
rebuild and install the new PAM libraries.

The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarize how to upgrade your PAM
libraries by updating your source tree and rebuilding and installing
a new version of them.

* NetBSD-current:

Systems running NetBSD-current dated from before 2009-06-15
should be upgraded to NetBSD-current dated 2009-06-16 or later.

The following directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
lib/libpam/modules/pam_unix

To update from CVS, re-build, and re-install pam_unix:
# cd src
# cvs update -d -P lib/libpam/modules/pam_unix
# cd lib/libpam/modules/pam_unix
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install

* NetBSD 5.*:

Systems running NetBSD 5.* sources dated from before
2009-05-17 should be upgraded from NetBSD 5.* sources dated
2009-05-18 or later.

The following directories need to be updated from the
netbsd-5 or netbsd-5-0 CVS branch:
lib/libpam/modules/pam_unix

To update from CVS, re-build, and re-install pam_unix:

# cd src
# cvs update -d -P -r <branch_name> lib/libpam/modules/pam_unix
# cd lib/libpam/modules/pam_unix
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install

* NetBSD 4.*:

Systems running NetBSD 4.* sources dated from before
2009-05-17 should be upgraded from NetBSD 4.* sources dated
2009-05-18 or later.

The following directories need to be updated from the
netbsd-4 or netbsd-4-0 CVS branch:
lib/libpam/modules/pam_unix

To update from CVS, re-build, and re-install pam_unix:

# cd src
# cvs update -d -P -r <branch_name> lib/libpam/modules/pam_unix
# cd lib/libpam/modules/pam_unix
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install

Thanks To
=========

Thomas Getzke for discovering the vulnerability, Hubert Feyrer for
reporting the vulnerability and testing the patches, and Tonnerre
Lombard for providing the fix.

Revision History
================

2009-06-22 Initial release

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2009-004.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.

Copyright 2009, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2009-004.txt,v 1.1 2009/06/22 19:31:01 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iQCVAwUBSj/8Sj5Ru2/4N2IFAQJr7AQAmNZG2k3jYrm6OMq2zZLYGv2VIff3ua77
m/1gqntBFOh4djm/eP8AQS9Bqp7qR/f5HgDzRdJ7ib4U+geQdmV2Zco1kxMZ2KW/
nVsjw2b+SOr4e36x33k2NNV5Odl2TSgGzXCGDbKkTv67vg46KPfP/zfJgjhA17kG
cFf7Tt4z/Yg=
=bZF9
-----END PGP SIGNATURE-----

NetBSD Security Advisory 2009-003: proplib crashes on reading bad XML data

2009-06-23T14:00:44Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NetBSD Security Advisory 2009-003
=================================

Topic: proplib crashes on reading bad XML data

Version: NetBSD-current: affected prior to March 30, 2009
NetBSD 5.0: not affected
NetBSD 4.0.1: affected
NetBSD 4.0: affected

Severity: Denial of service

Fixed: NetBSD-current: March 30, 2009
NetBSD-5 branch: March 30, 2009
(5.0 includes the fix)
NetBSD-4-0 branch: March 31, 2009
(4.0.2 will include the fix)
NetBSD-4 branch: March 31, 2009
(4.1 will include the fix)

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

The proplib library can crash if a badly formatted externalized plist
is presented for import. The crash will happen during the
transformation of the text XML form into a binary list. This bug can
lead to a system panic because many drivers use proplib as a
communication channel.

Technical Details
=================

The proplib library can crash if it is presented with a non-defined
element (e.g. <number>) in the external XML form. During internalization
proplib will crash by dereferencing a NULL pointer.

Every driver which uses proplib for user to kernel communication is
vulnerable to this bug, allowing a system to be crashed by an ordinary
user with access to the driver.

Solutions and Workarounds
=========================

For all NetBSD versions, you need to obtain fixed sources, rebuild and
install a new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarize how to upgrade your
kernel. In these instructions, replace:

ARCH with your architecture (from uname -m), and
KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

# cd src
# cvs update -d -P common/lib/libprop/prop_object.c
# ./build.sh kernel=KERNCONF
# mv /netbsd /netbsd.old
# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
# shutdown -r now

For more information on how to do this, see:

http://www.NetBSD.org/guide/en/chap-kernel.html

Recompiling and reinstalling the userlevel libprop (located in
src/lib/libprop) may be prudent to prevent unexpected crashes of
userland code, but should not be necessary for security purposes.

In order to recompile and reinstall your userlevel libprop:
# cd src/lib/libprop
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install

Thanks To
=========

Adam Hamsik for the fix and initial analysis of the issue and for
the first draft of this advisory, and to Soren Jacobsen and David
Holland for assistance with the content of this advisory.

Revision History
================

2009-06-22 Initial release

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2009-003.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.

Copyright 2009, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2009-003.txt,v 1.1 2009/06/22 19:31:01 tonnerre Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iQCVAwUBSj/8RT5Ru2/4N2IFAQJdvgP/edYmzjp0DlDjo6glc6w8K9diUQQ+92SG
5U42Kmf/hRxnHn0hZLXB7txLSWfks9DFiTVfGWyBXKFtS9h05YfWCjP1flwxvviN
Uv8y8iDB/krAq9lR9M0x3CMlpe7Hfzpje04fXRLxUloLA427EWGCXA2noyNhPpnu
OKn8ivX4VUs=
=setc
-----END PGP SIGNATURE-----

NetBSD Security Advisory 2009-002: tcpdump multiple denial of service and arbitrary code execution issues

2009-06-23T13:59:43Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NetBSD Security Advisory 2009-002
=================================

Topic: tcpdump multiple denial of service and arbitrary code
execution issues

Version: NetBSD-current: affected before July 20, 2007
NetBSD 5.0: not affected
NetBSD 4.0.*: not affected
NetBSD 4.0: affected

Severity: Denial of Service, Arbitrary Code Execution

Fixed: NetBSD-current: July 20, 2007
NetBSD-4-0 branch: July 21, 2008
(4.0.2 will include the fix)
NetBSD-4 branch: July 21, 2008
(4.1 will include the fix)
pkgsrc: tcpdump-3.9.7 corrects the issue

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

A number of issuses exist in the version of tcpdump(1) shipped with
NetBSD 4.0 allowing a remote attacker to hang or crash the
application and to execute arbitrary code via specially crafted
packages.

Technical Details
=================

An integer overflow in the BGP dissector allows remote attackers
to execute arbitrary code via crafted TLVs in a BGP packet.

An infinite loop error in the BGP dissector allows remote attackers
to cause an application hang by sending an invalid prefix.

An off-by-one error in the 802.11 dissector result printing code
allows remote attackers to crash the application.

An infinite loop error in the ISIS dissector allows remote attackers
to cause an application hang using GRE packets of zero length.

A length verification error in the RSVP dissector allows remote
attackers to crash the application by sending a RSVP packet of
length 4.

For more details, please see CVE-2007-1218, CVE-2007-3798,
CAN-2005-1267, CAN-2005-1278, CAN-2005-1279 and CAN-2005-1280.

Solutions and Workarounds
=========================

The 4.0.1 release of NetBSD resolves this issue, so a possible
solution is to upgrade to NetBSD 4.0.1 or 5.0.
As a temporary workaround disable tcpdump(1) from the base OS and use the
tcpdump-3.9.7 package from pkgsrc which contains a fix.

The following instructions describe how to upgrade your tcpdump
binaries by updating your source tree and rebuilding and
installing a new version of tcpdump.

* NetBSD-current:

Systems running NetBSD-current dated from before 2007-07-20
should be upgraded to NetBSD-current dated 2007-07-21 or later.

The following directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
dist/tcpdump

To update from CVS, re-build, and re-install tcpdump:
# cd src
# cvs update -d -P dist/tcpdump
# cd usr.sbin/tcpdump

# make USETOOLS=no cleandir dependall
# make USETOOLS=no install

* NetBSD 4.0:

The binary distribution of NetBSD 4.0 is vulnerable.

Systems running NetBSD 4.0 sources dated from before
2008-07-21 should be upgraded from NetBSD 4.0 sources dated
2008-07-22 or later.

The following directories need to be updated from the
netbsd-4 CVS branch:
dist/tcpdump

To update from CVS, re-build, and re-install tcpdump:

# cd src
# cvs update -d -P -r netbsd-4-0 dist/tcpdump
# cd usr.sbin/tcpdump

# make USETOOLS=no cleandir dependall
# make USETOOLS=no install

Thanks To
=========

Moritz Jodeit, mu-b of digit-labs.org and Vade79 for finding and
reporting the issue.

Revision History
================

2009-06-22 Initial release

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2009-002.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.

Copyright 2009, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2009-002.txt,v 1.1 2009/06/22 19:31:01 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iQCVAwUBSj/8Pz5Ru2/4N2IFAQJwAgQArhKtjrbCGGk0s4bygOqxt5LsNqguTHFZ
YTPmU51AFQnxMRyzwnOxW9zgTlIyaR6vMDjyCyNm+ewARvlGpfkiZjg6CwCesRV5
/cAooLhV8gjAe37y/2IEmPViuXRDwa0WngjHxDr8uVeMKcWLIQ8naoI//6DZDBz/
ft2GwdxEIi4=
=jtOE
-----END PGP SIGNATURE-----

NetBSD Security Advisory 2009-001: PF firewall remote Denial Of Service attack

2009-06-23T13:50:27Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NetBSD Security Advisory 2009-001
=================================

Topic: PF firewall remote Denial Of Service attack

Version: NetBSD-current: affected
NetBSD 5.0: not affected
NetBSD 4.0.*: not affected
NetBSD 4.0: not affected
NetBSD 3.1.*: not affected
NetBSD 3.1: not affected
NetBSD 3.0.*: not affected
NetBSD 3.0: not affected

Severity: Denial of service

Fixed: NetBSD-current: April 14, 2009
NetBSD-5 branch: April 14, 2009
(5.0 includes the fix)

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

PF firewalls suffer from a remote denial of service attack (system
panic) due to mishandling of some ICMP and ICMPV6 packets.

Technical Details
=================

When a PF firewall using nat or rdr receives a specially crafted
packet, a null pointer dereference causes a kernel panic.

In pf_test_rule() ICMP logic was implied for IPv6 packets and ICMPv6 logic
was implied for IPv4 packets. The wrong ICMP header length is used and an
assertion fails due to the attempt to access unallocated memory.

See also:
http://www.securityfocus.com/archive/1/502634
http://www.helith.net/txt/multiple_vendor-PF_null_pointer_dereference.txt

Solutions and Workarounds
=========================

Only kernels compiled with the following option are vulnerable to this issue:

pseudo-device pf

As a temporary workaround recompile the kernel with the above option
commented out. The default NetBSD GENERIC kernels do not have this
option enabled. In addition to this the system must be running
with nat and/or rdr rules present in the active ruleset.

An additional workaround can be to add the following rules to your
/etc/pf.conf configuration file:

nat/rdr ... inet proto { tcp udp icmp } ...
nat/rdr ... inet6 proto { tcp udp icmp6 } ...

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarize how to upgrade your
kernel. In these instructions, replace:

ARCH with your architecture (from uname -m), and
KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

# cd src
# cvs update -d -P sys/dist/pf/net/pf.c
# ./build.sh kernel=KERNCONF
# mv /netbsd /netbsd.old
# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
# shutdown -r now

For more information on how to do this, see:

http://www.NetBSD.org/guide/en/chap-kernel.html

Thanks To
=========

"Rembrandt" is credited with the discovery of this issue.
Christos Zoulas for applying the OpenBSD fix.

Revision History
================

2009-03-15 Initial release

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2009-001.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.

Copyright 2009, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2009-001.txt,v 1.1 2009/06/22 19:31:01 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iQCVAwUBSj/8Cj5Ru2/4N2IFAQJlDwP9Eggc2LerlYb8vqLDBxP5hP2nQSZmW4Go
sUdsUTVif28lroTl4JA7Jk5pws65KaD9ST9hMgALk7w0g6G0xm17yJwBQxobzmpw
mY87797lDxFGWAyTBbY00ChyrSKSnsq6hTeMjt3/45hlkClIMk0nnL6oJ9DvkzMr
sg759/2biBo=
=vrEJ
-----END PGP SIGNATURE-----

planned network maintenance June 4th, 0100-0400 UTC

2009-06-01T05:18:32Z

Dear all,

ISC has announced a maintenance window for the connectivity of:

mail.NetBSD.org
www.NetBSD.org (aka gnats.NetBSD.org, aka releng.NetBSD.org)
ftp.NetBSD.org
anoncvs.NetBSD.org

June 4th, 0100-0400 UTC. This maintenance window also affects other
services hosted at ISC in San Francisco and Redwood City.

We totally disinterestedly ( ;-) ) wish ISC the best of luck and success
with their planned work.

regards,
spz

End of life for 3.x

2009-05-29T23:56:02Z

In keeping with NetBSD's policy of supporting only the current (5.x) and
next most recent (4.x) release branches, the release of 5.0 marks the end
of life for the 3.x branches. We have provided an extra month of support
for 3.x in order to give people time to migrate their machines to a newer
release, and this one month period will be part of our support policy in
the future.

The following branches will no longer be maintained:
netbsd-3-0
netbsd-3-1
netbsd-3

This means:
- There will be no more pullups to the branches (even for security issues)
- There will be no security advisories made for any of the 3.x releases
- The existing 3.x releases on ftp.NetBSD.org will be moved into
/pub/NetBSD-archive/

Soren

Thread scheduling and related interfaces in NetBSD 5.0

2009-05-03T13:45:56Z

Dear All,

A lot of new features were implemented in the NetBSD 5.0 release, and many
improvements were made in the areas of scheduling and threading. Please
find the PDF document which shortly reviews new scheduling interfaces.

"Thread scheduling and related interfaces in NetBSD 5.0"

http://www.netbsd.org/~rmind/pub/netbsd_5_scheduling_apis.pdf

Thank you.

--
Mindaugas

NetBSD 5.0: an overview

2009-04-29T14:51:51Z

With the release of NetBSD 5.0, I have prepared a short presentation giving
an overview of the new features and performance improvements that 5.0
provides. The slides can be found at the URLs below for your perusal.

Many thanks,
Andrew

http://www.netbsd.org/~ad/50/ (HTML format, browseable)
http://www.netbsd.org/~ad/50.pdf (Adobe PDF, printable)

Announcing NetBSD 5.0

2009-04-29T14:49:50Z

On behalf of the NetBSD developers, I am proud to announce that
NetBSD 5.0, the thirteenth release of the NetBSD operating system,
is now available.

NetBSD 5.0 features greatly improved performance and scalability on
modern multiprocessor (SMP) and multi-core systems. Multi-threaded
applications can now efficiently make use of more than one CPU or core,
and system performance is much better under I/O and network load.

This improved performance is the result of a rewritten threading
subsystem based on a 1:1 threading model, new kernel synchronization
primitives, kernel preemption, a rewritten scheduler implementation,
real-time scheduling extensions, processor sets, and dynamic CPU sets
for thread affinity. Almost all core kernel subsystems, like virtual
memory, memory allocators, file system frameworks for major file
systems, and others were audited and overhauled to make use of highly
concurrent algorithms.

In addition to scalability and performance improvements, a significant
number of major features have been added. Some highlights are: a preview
of metadata journaling for FFS file systems (known as WAPBL, Write
Ahead Physical Block Logging), the 'jemalloc' memory allocator, the
X.Org X11 distribution instead of XFree86 on a number of ports, the
Power Management Framework, ACPI suspend/resume support on many
laptops, write support for UDF file systems, the Automated Testing
Framework, the Runnable Userspace Meta Program framework, Xen 3.3
support for both i386 and amd64, POSIX message queues and
asynchronous I/O, and many new hardware device drivers.

For full details, please see the release notes at:

http://www.NetBSD.org/releases/formal-5/NetBSD-5.0.html

ISO images can be downloaded using BitTorrent, and we encourage users
who wish to install via ISO images to take advantage of this, as the
images are very well seeded.

http://www.NetBSD.org/mirrors/torrents/

Complete source and binaries for NetBSD 5.0 are available for download
at many sites around the world. A list of download sites providing FTP,
AnonCVS, and other services may be found at:

http://www.NetBSD.org/mirrors/

We are very grateful to all of those who donated during the 2007 fund
drive, which brought us many of the great advances found in 5.0. For
more information on how you can help NetBSD, see

http://www.NetBSD.org/donations/

The NetBSD Foundation would like to thank all those who have
contributed code, hardware, documentation, funds, colocation for our
servers, web pages and other documentation, release engineering, and
other resources over the years. More information on the people who
make NetBSD happen is available at:

http://www.NetBSD.org/people/

We would like to especially thank the University of California at
Berkeley and the GNU Project for particularly large subsets of code
that we use. We would also like to thank the Internet Systems
Consortium Inc., the Network Security Lab at Columbia University's
Computer Science Department, and Ludd (Luleaa Academic Computer
Society) computer society at Luleaa University of Technology for
current colocation services.

Announcing the NetBSD Project Blog

2009-04-26T15:09:47Z

It is with great pleasure that I am able to officially announce the new
NetBSD Project Blog:

http://blog.NetBSD.org

The NetBSD Project Blog allows us to let you, the community, know about
new developments in NetBSD and pkgsrc. The blog supplements our existing
netbsd-announce mailing list and the "Recent Changes and News" webpage.
We hope it will provide you with greater insight into the future of
NetBSD.

For those that tweet - so do we - http://www.twitter.com/NetBSD

Mark Weinem
on behalf of the NetBSD Marketing Team

Summer of Code projects selected

2009-04-20T19:44:23Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

For the fifth consecutive year, the NetBSD Project is proud to
participate in Google's Summer of Code program[1] as a mentoring
organization and we're pleased to announce the list of projects[2] that
have been accepted for this summer. This year's selected students
include a number of NetBSD developers, returning SoC alumni and a few
freshmen. We're very excited to have projects ranging from the areas of
filesystems over install automation to userland tools and we expect the
entire NetBSD community to benefit tremendously.

In the coming weeks, you will see our students engage the NetBSD
community for support with their projects; please give them a warm
welcome and help our developers, students and mentors lead all these
projects to success!

[1] http://code.google.com/soc/
[2] http://www.NetBSD.org/foundation/press/soc2009.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iD8DBQFJ7TLYfFtkr68iakwRAoS/AJwJFAKjFYK1eB6Fw7dMlN+0Ei1NpQCg9vb+
Jaowkpoc3Lig2x7+MxM7ZQc=
=ghvZ
-----END PGP SIGNATURE-----

IPv6 Prefix change for the NetBSD servers at ISC

2009-04-17T15:47:00Z

Dear all,

just in case somebody has actual IPv6 addresses in use somewhere
instead of DNS names:

The IPv6 prefix for the NetBSD servers at ISC renumbers from
2001:4f8:4:7::/64 to 2001:4f8:3:7::/64.

best regards,
spz
--
spz@... (S.P.Zeidler)

NetBSD 5.0_RC4 binaries available for download

2009-04-16T12:46:39Z

In the immortal words of Dr. Zoidberg, "Hooray!"

Today, we have two things to be happy about. First, the fourth release
candidate of NetBSD 5.0 is available for download. Second, this
announcement, like RC3's, coincides with an important birthday: that of
Billy West.

Below are some highlighted changes since RC3:
- Added the RLIMIT_AS resource, which limits the total address space
available to processes.
- Improved NFS server stability
- FFS improvements
- A fix for a pf(4) DoS
- re(4) now works with the RealTek 8111C, which is found on many current
motherboards with Intel chipsets

As usual, src/doc/CHANGES-5.0 has the full details.

Binaries of 5.0_RC4 are available for download at

ftp://ftp.NetBSD.org/pub/NetBSD-daily/netbsd-5-0-RC4/

Those of you tracking by source can either continue following the netbsd-5
branch or use the netbsd-5-0-RC4 tag.

As always, we want your feedback. This time, we are especially
interested in hearing from people who are using NFS.

Soren

NetBSD to participate again in Google's Summer of Code

2009-03-21T19:27:09Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

For the fifth year in a row, the NetBSD Project has been selected as a
mentoring organization in Google's Summer of Code[1]. As in previous
years, this provides a great opportunity for students to get paid to
hack on NetBSD, learn about contributing to a major open source project
and to become part of an exciting community.

Students interested in applying should now start to outline their
project proposals and initiate contact with possible mentors and the
community at large. A list of project suggestions is available at
http://www.NetBSD.org/contrib/soc-projects.html, though students may
also wish to review our general projects page[2].

Our NetBSD Project Application/Proposal HowTo[3] should be a good
resource to help students develop their best proposal and the answers to
those questions will help us to rank all applications.

[1] http://code.google.com/soc/
[2] http://www.NetBSD.org/contrib/projects.html
[3] http://www.NetBSD.org/contrib/soc-application.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iD8DBQFJxaGlfFtkr68iakwRAuSqAKCWu/qfV2mlXKUvYrrsxKBiLQologCfdamd
HIXmkXL17Gjkkir0X5PfVCo=
=qKvN
-----END PGP SIGNATURE-----

NetBSD 5.0_RC3 binaries available for download

2009-03-21T13:49:36Z

Today, on the 16th birthday of NetBSD, I have the pleasure of announcing
the availability of NetBSD 5.0_RC3.

Below are some highlighted changes since RC2:
- Considerable improvements to WAPBL.
- Further X.Org refinements, including switching sgimips to X.Org.
- Scheduler Activations support is now disabled by default in sysctl.conf.
- ddb.onpanic is now set to 1 in the kernel by default, but 0 in
sysctl.conf. This avoids trying to dump if a crash occurs during the
install phase.
- puffs is now enabled by default on amd64, i386, macppc, and sparc64.
- SSP kernels should work again.
- A handful of assorted stability improvements.

As always, see src/doc/CHANGES-5.0 for full details.

Binaries of 5.0_RC3 are available for download at

ftp://ftp.NetBSD.org/pub/NetBSD-daily/netbsd-5-0-RC3/

Those of you tracking by source can either continue following the netbsd-5
branch or use the netbsd-5-0-RC3 tag.

Thanks for all the help and feedback so far. Please keep it up!

Soren

NetBSD 5.0_RC2 binaries available for download

2009-02-10T19:43:06Z

On behalf of the NetBSD Release Engineering team, I am proud to announce
that the second release candidate of NetBSD 5.0 is now available for
download.

Since RC1, 103 tickets were pulled up. Interested readers can find the
details of these tickets in src/doc/CHANGES-5.0. RC2 represents a great
deal of progress over RC1, but with that amount of change, increased
time for testing is required. To put it bluntly, there will definitely
be a third release candidate. We are aware of a number of
release-blocking issues, but it is important that we get a jump on
testing the many changes made since RC1.

Binaries of RC2 can be downloaded from

ftp://ftp.NetBSD.org/pub/NetBSD-daily/netbsd-5-0-RC2/

Of course, those already tracking the netbsd-5 branch by source should
continue to to so, and the netbsd-5-0-RC2 tag is available if you prefer
to check out the RC2 sources specifically.

I'd like to thank all those who have helped so far in testing and
providing feedback. Please keep up the good work, it is very much
appreciated!

Enjoy,
Soren

Preparing for Summer of Code 2009

2009-02-02T08:17:34Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Recently, Google announced that there will be another instance of their
popular ``Summer of Code'' program in 2009. The NetBSD Project has
participated in this program as a mentoring organization since its
conception in 2005 [1], and hopes again to be fortunate enough to take
part in this year's iteration.

As part of our preparation for the Summer of Code 2009, we have begun
reviewing and updating our list of suggested projects[2] and would like to
invite all interested students to likewise begin their research and start
discussions with the possible mentors as well as on our public mailing
lists.

Stay tuned for further updates!

[1] For a detailed summary of NetBSD's participation in 2008, please see
http://www.netbsd.org/foundation/press/soc2008-summary.html

[2] http://www.NetBSD.org/contrib/soc-projects.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iD8DBQFJhxxvfFtkr68iakwRAmtSAJ9Nfpu7SObYfdeKbdxnMiujC9SMbwCgq82a
b4GbxkLmgZWvZcWJUB1PtzY=
=tjEc
-----END PGP SIGNATURE-----