Subject: Multiple NetBSD Security Advisories Released/Updated
To: None <netbsd-announce@netbsd.org>
From: NetBSD Security Officer <security-officer@netbsd.org>
List: netbsd-announce
Date: 09/17/2002 11:31:01
-----BEGIN PGP SIGNED MESSAGE-----


With the release of NetBSD 1.6, the NetBSD project is publishing a
batch of Security Advisories (some of which are updates), as follows:

*   2002-006    buffer overrun in libc/libresolv DNS resolver
 x  2002-007    Repeated TIOCSCTTY ioctl can corrupt session hold counts
*x  2002-009    Multiple vulnerabilities in OpenSSL code
*x  2002-010    symlink race in pppd
*x  2002-011	Sun RPC XDR decoder contains buffer overflow
 x  2002-012    buffer overrun in setlocale
 x  2002-013    Bug in NFS server code allows remote denial of service
 x  2002-014    fd_set overrun in mbone tools and pppd
 x  2002-017    shutdown(s, SHUT_RD) on TCP socket does not work as intended
 x+ 2002-018    Multiple security isses with kfd daemon

    (*) reissue   (x) affects 1.5.3   (+) affects 1.6

These advisories involve bugs in libc (affecting static binaries), as
well as the kernel.  A full system rebuild is recommended to
collectively address all of these issues, but please make sure to read
through all of the advisories in case specific issues affect your
system.

Because of the extensive rebuild required, the NetBSD 1.6 release was
delayed in order to include fixes for as many of these issues as
possible, so as to provide binary release users with an easy upgrade
path.

Readers will note that there are some gaps in the above numbering.
These pending advisories involve third parties, and are awaiting
disclosure co-ordination, so we cannot publish them at this time.
However, they *are* fixed in NetBSD 1.6.

Unfortunately, the recent 1.5.3 release was affected by most of these
issues. Unlike NetBSD 1.6, the 1.5 branch cannot be automatically
cross-built to release, and so any updated binary release from the 1.5
tree will take considerable time and developer effort.

Therefore:

 * The recommended cumulative fix for pre-1.6 systems is to upgrade to
   NetBSD 1.6. 

 * Users who cannot upgrade to 1.6 are recommended to update to the
   most recent sources on the NetBSD-1.5 branch, via anoncvs, and
   rebuild from there.

 * Users of NetBSD-current should upgrade to source more recent than
   September 11, 2002, and rebuild the kernel and all userland.

Having updated the base NetBSD distribution via one of the above, the
following steps are necessary for *all* users:

 * Recompile statically-linked binaries from pkgsrc, or custom builds (for
   2002-006)
 * Remove any shared libraries with older major numbers. (2002-006)
 * Remove any shared libraries for OS emulation under /emul, unless you 
   are sure it has no security vulnerabilities. (2002-006)
 * Follow instructions in 2002-018


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPYZwhj5Ru2/4N2IFAQFkQwP+OtnCO0JZ2BWi/YgaDrfU7DBZrDDsQpW7
dXW/PtVvcOyvbpqgKREQ7CHi7jzolysRHX9VRXwgOS/tgo2fSmNaLyXjdbJhxzT2
xw6LEdaqC4YHHf3EuZ3GsF0UY/VGCDNg3WNf04CfTV1Jp61VnvTTjDMmOqegMxOI
/NTVURE2fV8=
=YBq6
-----END PGP SIGNATURE-----