Subject: Multiple NetBSD Security Advisories Released/Updated
To: None <>
From: NetBSD Security Officer <>
List: netbsd-announce
Date: 09/17/2002 11:31:01

With the release of NetBSD 1.6, the NetBSD project is publishing a
batch of Security Advisories (some of which are updates), as follows:

*   2002-006    buffer overrun in libc/libresolv DNS resolver
 x  2002-007    Repeated TIOCSCTTY ioctl can corrupt session hold counts
*x  2002-009    Multiple vulnerabilities in OpenSSL code
*x  2002-010    symlink race in pppd
*x  2002-011	Sun RPC XDR decoder contains buffer overflow
 x  2002-012    buffer overrun in setlocale
 x  2002-013    Bug in NFS server code allows remote denial of service
 x  2002-014    fd_set overrun in mbone tools and pppd
 x  2002-017    shutdown(s, SHUT_RD) on TCP socket does not work as intended
 x+ 2002-018    Multiple security isses with kfd daemon

    (*) reissue   (x) affects 1.5.3   (+) affects 1.6

These advisories involve bugs in libc (affecting static binaries), as
well as the kernel.  A full system rebuild is recommended to
collectively address all of these issues, but please make sure to read
through all of the advisories in case specific issues affect your

Because of the extensive rebuild required, the NetBSD 1.6 release was
delayed in order to include fixes for as many of these issues as
possible, so as to provide binary release users with an easy upgrade

Readers will note that there are some gaps in the above numbering.
These pending advisories involve third parties, and are awaiting
disclosure co-ordination, so we cannot publish them at this time.
However, they *are* fixed in NetBSD 1.6.

Unfortunately, the recent 1.5.3 release was affected by most of these
issues. Unlike NetBSD 1.6, the 1.5 branch cannot be automatically
cross-built to release, and so any updated binary release from the 1.5
tree will take considerable time and developer effort.


 * The recommended cumulative fix for pre-1.6 systems is to upgrade to
   NetBSD 1.6. 

 * Users who cannot upgrade to 1.6 are recommended to update to the
   most recent sources on the NetBSD-1.5 branch, via anoncvs, and
   rebuild from there.

 * Users of NetBSD-current should upgrade to source more recent than
   September 11, 2002, and rebuild the kernel and all userland.

Having updated the base NetBSD distribution via one of the above, the
following steps are necessary for *all* users:

 * Recompile statically-linked binaries from pkgsrc, or custom builds (for
 * Remove any shared libraries with older major numbers. (2002-006)
 * Remove any shared libraries for OS emulation under /emul, unless you 
   are sure it has no security vulnerabilities. (2002-006)
 * Follow instructions in 2002-018

Version: 2.6.3ia
Charset: noconv