Subject: Re: CERT Advisory CA-2003-10 Integer overflow in Sun RPC XDR library
To: None <tech-security@netbsd.org>
From: Christos Zoulas <christos@zoulas.com>
List: tech-security
Date: 03/24/2003 21:08:07
In article <Pine.LNX.4.43.0303241128130.21019-100000@pilchuck.reedmedia.net>,
Jeremy C. Reed <reed@reedmedia.net> wrote:
>On Wed, 19 Mar 2003, CERT Advisory wrote:
>
>> NetBSD
>>
>>    The length types of the various xdr*_getbytes functions were made
>>    consistent somewhere back in 1997 (all u_int), so we're not vulnerable
>>    in that area.
>
>Does this mean NetBSD is not vulnerable at all to this CERT Advisory
>CA-2003-10 Integer overflow in Sun RPC XDR library routines?

We were vulnerable, but in a slightly different attack. All fixes have
been applied to current, and pulled up to 1.6.x and 1.5.x.

christos
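The quoted advisory text turns on one detail: whether the length argument of the xdr*_getbytes family is a signed int or a u_int. The following is an added illustration written for this thread, not NetBSD's libc or the Sun RPC source; the functions, the stand-in `x_handy` remaining-byte counter and the constructed wire length are all assumptions made to show why a mixed signed/unsigned check fails and why making everything u_int fixes it. No bytes are copied; only the bounds check is evaluated.

```c
#include <limits.h>
#include <stdio.h>

/* Classic xdrmem-style check (hypothetical stand-in, not the real code):
 * x_handy is the signed count of bytes left in the buffer, and len arrives as
 * a signed int. A wire length above INT_MAX becomes negative, subtracting it
 * makes x_handy grow, and the "< 0" rejection never fires.
 * Returns 1 if the request would be accepted, 0 if rejected. */
int accept_len_signed(int x_handy, int len)
{
    if ((x_handy -= len) < 0)
        return 0;
    return 1;
}

/* Consistent u_int version (the shape of the 1997-style fix): both the
 * remaining count and the requested length are unsigned, so a huge length
 * simply compares larger than what remains and is rejected. */
int accept_len_unsigned(unsigned int x_handy, unsigned int len)
{
    if (len > x_handy)
        return 0;
    return 1;
}

/* Model the caller passing a u_int length into the signed interface. The
 * conversion to int is implementation-defined in C, but on two's-complement
 * systems 0xFFFFFFF0u becomes -16, which is exactly the case the advisory
 * describes. */
int request_accepted_signed(unsigned int remaining, unsigned int wire_len)
{
    return accept_len_signed((int)remaining, (int)wire_len);
}

int request_accepted_unsigned(unsigned int remaining, unsigned int wire_len)
{
    return accept_len_unsigned(remaining, wire_len);
}

int main(void)
{
    /* Constructed inputs: a 64-byte buffer, one sane request and one request
     * for nearly 4 GiB as it would appear in a 32-bit XDR length field. */
    unsigned int remaining = 64;
    unsigned int lens[] = { 32u, 0xFFFFFFF0u };
    size_t i;

    printf("%-12s %-14s %-16s\n", "wire_len", "signed check", "unsigned check");
    for (i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("0x%08x   %-14s %-16s\n", lens[i],
               request_accepted_signed(remaining, lens[i]) ? "accept" : "reject",
               request_accepted_unsigned(remaining, lens[i]) ? "accept" : "reject");
    }
    return 0;
}
```

The table the program prints is the whole point of the "all u_int" remark: the signed check accepts the oversized request, the unsigned check rejects it. When auditing a decoder, the thing to look for is any length field whose type differs between the wire format, the parameter and the remaining-bytes counter.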