Date: Tue, 17 Sep 2002 11:38:42 +1000
From: NetBSD Security Officer <security-officer@netbsd.org.>
To: [email protected]Subject: Multiple NetBSD Security Advisories Released/Updated
-----BEGIN PGP SIGNED MESSAGE-----
With the release of NetBSD 1.6, the NetBSD project is publishing a
batch of Security Advisories (some of which are updates), as follows:
* 2002-006 buffer overrun in libc/libresolv DNS resolver
x 2002-007 Repeated TIOCSCTTY ioctl can corrupt session hold counts
*x 2002-009 Multiple vulnerabilities in OpenSSL code
*x 2002-010 symlink race in pppd
*x 2002-011 Sun RPC XDR decoder contains buffer overflow
x 2002-012 buffer overrun in setlocale
x 2002-013 Bug in NFS server code allows remote denial of service
x 2002-014 fd_set overrun in mbone tools and pppd
x 2002-017 shutdown(s, SHUT_RD) on TCP socket does not work as intended
x+ 2002-018 Multiple security isses with kfd daemon
(*) reissue (x) affects 1.5.3 (+) affects 1.6
These advisories involve bugs in libc (affecting static binaries), as
well as the kernel. A full system rebuild is recommended to
collectively address all of these issues, but please make sure to read
through all of the advisories in case specific issues affect your
system.
Because of the extensive rebuild required, the NetBSD 1.6 release was
delayed in order to include fixes for as many of these issues as
possible, so as to provide binary release users with an easy upgrade
path.
Readers will note that there are some gaps in the above numbering.
These pending advisories involve third parties, and are awaiting
disclosure co-ordination, so we cannot publish them at this time.
However, they *are* fixed in NetBSD 1.6.
Unfortunately, the recent 1.5.3 release was affected by most of these
issues. Unlike NetBSD 1.6, the 1.5 branch cannot be automatically
cross-built to release, and so any updated binary release from the 1.5
tree will take considerable time and developer effort.
Therefore:
* The recommended cumulative fix for pre-1.6 systems is to upgrade to
NetBSD 1.6.
* Users who cannot upgrade to 1.6 are recommended to update to the
most recent sources on the NetBSD-1.5 branch, via anoncvs, and
rebuild from there.
* Users of NetBSD-current should upgrade to source more recent than
September 11, 2002, and rebuild the kernel and all userland.
Having updated the base NetBSD distribution via one of the above, the
following steps are necessary for *all* users:
* Recompile statically-linked binaries from pkgsrc, or custom builds (for
2002-006)
* Remove any shared libraries with older major numbers. (2002-006)
* Remove any shared libraries for OS emulation under /emul, unless you
are sure it has no security vulnerabilities. (2002-006)
* Follow instructions in 2002-018
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
iQCVAwUBPYZwhj5Ru2/4N2IFAQFkQwP+OtnCO0JZ2BWi/YgaDrfU7DBZrDDsQpW7
dXW/PtVvcOyvbpqgKREQ7CHi7jzolysRHX9VRXwgOS/tgo2fSmNaLyXjdbJhxzT2
xw6LEdaqC4YHHf3EuZ3GsF0UY/VGCDNg3WNf04CfTV1Jp61VnvTTjDMmOqegMxOI
/NTVURE2fV8=
=YBq6
-----END PGP SIGNATURE-----