itojun | 25 Jun 2002 04:29

upgrade openssh to 3.3, or 3.2.1 + privilege separation

There was recently an announcement of an openssh security problem.

A full fix will be available next week, and until then, it is
advised that you run the openssh daemon (sshd) with privilege
separation enabled.

Here is some advice for users of various versions of NetBSD:

	1.4/1.5 users - use pkgsrc. ie: pkgsrc/security/openssh/Makefile
					revision 1.73 (openssh-3.3.0.1).
	1.6_BETAx users - openssh shipped with 1.6_BETAx is 3.2.1, with
		privilege separation enabled.
	current users - openssh shipped with current is 3.3, with
		privilege separation enabled.

itojun

NetBSD Security Officer | 27 Jun 2002 19:11

NetBSD Security Advisory 2002-005: OpenSSH protocol version 2 challenge-response authentication


-----BEGIN PGP SIGNED MESSAGE-----

		 NetBSD Security Advisory 2002-005
		 =================================

Topic:		OpenSSH protocol version 2 challenge-response authentication
		vulnerability

Version:	NetBSD-current:	prior to May 14, 2002
		NetBSD-1.6_BETAx: affected
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	affected
		NetBSD-1.4.*:	not affected (does not ship with OpenSSH)
		pkgsrc:		packages prior to openssh-3.3.0.1

Severity:	high, remote root compromise

Workaround:	NetBSD-current:		May 14, 2002
		NetBSD-1.6 branch:	partial by default (priv sep)
		NetBSD-1.5 branch:	instructions below, OpenSSH 3 and later
		pkgsrc:			June 25, 2002 (with openssh-3.3.0.1)

Fixed:		NetBSD-current:		June 26, 2002 (OpenSSH 3.4)
		NetBSD-1.6 branch:	June 26, 2002 (OpenSSH 3.4)
		NetBSD-1.5 branch:	June 26, 2002 (patch on advisory)
		pkgsrc:			June 26, 2002 (with openssh-3.4.0.1)

		Version string "NetBSD_Secure_Shell-20020626" will identify

NetBSD Security Officer | 27 Jun 2002 19:14

NetBSD Security Advisory 2002-006: buffer overrun in libc DNS resolver


-----BEGIN PGP SIGNED MESSAGE-----

		 NetBSD Security Advisory 2002-006
		 =================================

Topic:		buffer overrun in libc DNS resolver

Version:	NetBSD-current:	source prior to June 26, 2002
		NetBSD-1.6 beta:source prior to June 26, 2002
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	affected
		NetBSD-1.4.*:	affected
		All prior NetBSD releases.
		pkgsrc:		net/bind4, bind-4.9.8 and before affected
				net/bind[89] may be vulnerable
				emulators/compat1[234]
				(there could be more)

Severity:	remote buffer overrun on any application that uses DNS,
		possible remote root exploit (not confirmed)

Fixed:		NetBSD-current:		June 26, 2002
		NetBSD-1.6 branch:	June 26, 2002 (1.6 will include the fix)
		NetBSD-1.5 branch:	June 26, 2002 (1.5.3 will include the fix)
		NetBSD-1.4 branch:	June 26, 2002 (1.4.4 will include the fix)
		pkgsrc:			net/bind4, bind-4.9.8nb1

Abstract

Michael Graff | 28 Jun 2002 10:02

ftp.netbsd.org downtime Sat, June 29, 9am Pacific time


We are upgrading the hardware on ftp.netbsd.org on Saturday, June 29,
9am Pacific (12 noon Eastern) to upgrade hardware and its OS revision.

I hope to keep the downtime to less than 4 hours, but it depends
entirely on how fast the data can be copied from the old to the new
machine.  However, I'm planning for an 8 hour window in case something
goes wrong.

Mail will be sent when things return to service.

--Michael

Jan Schaumann | 1 Jul 2002 23:55

New Developers

The NetBSD Project is pleased to welcome the following new developers,
who have joined the project since May 2002:

        * Hiroyuki Bessho (bsh <at> netbsd.org), who will be working on the
          arm ports.
        * Tero Kivinen (kivinen <at> netbsd.org), who will be working on
          laptop hardware support.
        * Mattias Karlsson (keihan <at> netbsd.org), who will be
          helping out with the www <at> netbsd.org mailing list and working
          on the web site.
        * Love Hoernquist-Astrand (lha <at> netbsd.org), who will be working
          on debugging support.

As usual, we welcome these new developers to The NetBSD Project! 

