Subject: Re: Kernel 1.5-32 and Quadra 700 -- Problems
To: Cameron Kaiser <spectre@stockholm.ptloma.edu>
From: Frederick Bruckman <fb@enteract.com>
List: port-mac68k
Date: 03/12/2001 17:00:28

On Mon, 12 Mar 2001, Cameron Kaiser wrote:

> > By all means, try 1.4.3. Much of userland (sendmail, dhcp, bind) is at
> > the same level as 1.5, which came out at about the same time, the
> > chief difference being that the old kernel source base has gotten a
> > lot more testing. It was supposed to beat 1.5 out by months, but there
> > were "last-minute" security fixes that delayed 1.4.3 time after time.
> > Therefore, anything older presumably has gaping holes.
>
> Ugh. Since I'm on 1.4.2, want to give a for-instance or a place I can look
> these up?

See <http://www.netbsd.org/Security/>, and especially
<http://www.netbsd.org/Security/patches-1.4.2.html>.

"gcc" for 1.4.3 and 1.5 also grew some new options to check format
strings in printf() and others, with an eye to preventing buffer
overrun exploits. Evidently, in the absence of a published exploit,
every commit didn't rate a security advisory, but see

<ftp://ftp.netbsd.org/pub/NetBSD/NetBSD-1.4.3/CHANGES-1.4.3>

and do a "find" on "format string" or "buffer".


Frederick