S.P.Zeidler | 1 Jun 14:18 2009

planned network maintenance June 4th, 0100-0400 UTC

Dear all,

ISC has announced a maintenance window for the connectivity of:

	mail.NetBSD.org
	www.NetBSD.org (aka gnats.NetBSD.org, aka releng.NetBSD.org)
	ftp.NetBSD.org
	anoncvs.NetBSD.org

June 4th, 0100-0400 UTC. This maintenance window also affects other
services hosted at ISC in San Francisco and Redwood City.

We totally disinterestedly ( ;-) ) wish ISC the best of luck and success
with their planned work.

regards,
	spz

NetBSD Security Officer | 23 Jun 22:50 2009

NetBSD Security Advisory 2009-001: PF firewall remote Denial Of Service attack


		 NetBSD Security Advisory 2009-001
		 =================================

Topic:		PF firewall remote Denial Of Service attack

Version:	NetBSD-current:		affected
		NetBSD 5.0:		not affected
		NetBSD 4.0.*:		not affected
		NetBSD 4.0:		not affected
		NetBSD 3.1.*:		not affected
		NetBSD 3.1:		not affected
		NetBSD 3.0.*:		not affected
		NetBSD 3.0:		not affected

Severity:	Denial of service

Fixed:		NetBSD-current:		April 14, 2009
		NetBSD-5 branch:	April 14, 2009
			(5.0 includes the fix)

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

PF firewalls suffer from a remote denial of service attack (system
panic) due to mishandling of some ICMP and ICMPV6 packets.


NetBSD Security Officer | 23 Jun 22:59 2009

NetBSD Security Advisory 2009-002: tcpdump multiple denial of service and arbitrary code execution issues


		 NetBSD Security Advisory 2009-002
		 =================================

Topic:		tcpdump multiple denial of service and arbitrary code
		execution issues

Version:	NetBSD-current:		affected before July 20, 2007
		NetBSD 5.0:		not affected
		NetBSD 4.0.*:		not affected
		NetBSD 4.0:		affected

Severity:	Denial of Service, Arbitrary Code Execution

Fixed:		NetBSD-current:		July 20, 2007
		NetBSD-4-0 branch:	July 21, 2008
			(4.0.2 will include the fix)
		NetBSD-4 branch:	July 21, 2008
			(4.1 will include the fix)
		pkgsrc:			tcpdump-3.9.7 corrects the issue

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

A number of issues exist in the version of tcpdump(1) shipped with
NetBSD 4.0 allowing a remote attacker to hang or crash the
application and to execute arbitrary code via specially crafted

NetBSD Security Officer | 23 Jun 23:00 2009

NetBSD Security Advisory 2009-003: proplib crashes on reading bad XML data


		 NetBSD Security Advisory 2009-003
		 =================================

Topic:		proplib crashes on reading bad XML data

Version:	NetBSD-current:		affected prior to March 30, 2009
		NetBSD 5.0:		not affected
		NetBSD 4.0.1:		affected
		NetBSD 4.0:		affected

Severity:	Denial of service

Fixed:		NetBSD-current:		March 30, 2009
		NetBSD-5 branch:	March 30, 2009
			(5.0 includes the fix)
		NetBSD-4-0 branch:	March 31, 2009
			(4.0.2 will include the fix)
		NetBSD-4 branch:	March 31, 2009
			(4.1 will include the fix)

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

The proplib library can crash if a badly formatted externalized plist
is presented for import. The crash will happen during the
transformation of the text XML form into a binary list. This bug can

NetBSD Security Officer | 23 Jun 23:01 2009

NetBSD Security Advisory 2009-004: NetBSD OpenPAM passwd(1) changing weakness


		 NetBSD Security Advisory 2009-004
		 =================================

Topic:		NetBSD OpenPAM passwd(1) changing weakness

Version:	NetBSD-current:		affected before June 14, 2009
		NetBSD 5.0:		affected
		NetBSD 4.0.1:		affected
		NetBSD 4.0:		affected

Severity:	Change root password as normal user

Fixed:		NetBSD-current:		June 14, 2009
		NetBSD-5-0 branch:	June 18, 2009
			(5.0.1 will include the fix)
		NetBSD-5 branch:	June 18, 2009
			(5.1 will include the fix)
		NetBSD-4-0 branch:	June 18, 2009
			(4.0.2 will include the fix)
		NetBSD-4 branch:	June 18, 2009
			(4.1 will include the fix)

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

A verification weakness in the pam_unix module allows an authenticated

NetBSD Security Officer | 24 Jun 00:41 2009

Changing the NetBSD Security Officer PGP key

Dear NetBSD users, dear followers of the NetBSD security community,

Please note that from now on, the NetBSD Security Officer will
use a new PGP key to sign announcements and other types of
communication. The old PGP key will be unenrolled over the next
time:

pub   1024R/F8376205 1997-07-01
uid                  security-officer <at> netbsd.org

It will be superseded by the following key which is larger
and offers a better security margin:

pub   4096R/4C4A706E 2009-06-23 [expires: 2019-06-21]
uid                  NetBSD Security Officer <security-officer <at> NetBSD.org>
sub   4096R/DF2CE620 2009-06-23 [expires: 2019-06-21]

The key will be rotated on a regular basis in the future, for
better security of our users. Please update your processes to
make use of this new key in the future.

To testify this migration, this mail contains the new security-officer
PGP key below and, appended, a signature of the text part generated
with the old and the new key, correspondingly.

Thank you for your continued trust in NetBSD,

			The NetBSD Security Officers

-----BEGIN PGP PUBLIC KEY BLOCK-----

NetBSD Security Officer | 30 Jun 23:51 2009

NetBSD Security Advisory 2009-006: Buffer overflows in ntp


		 NetBSD Security Advisory 2009-006
		 =================================

Topic:		Buffer overflows in ntp

Version:	NetBSD-current:		source prior to May 21, 2009
		NetBSD 5.0:		source prior to May 27, 2009
		NetBSD 4.0.1:		source prior to May 27, 2009
		NetBSD 4.0:		source prior to May 27, 2009

Severity:	Potential remote arbitrary code execution

Fixed:		NetBSD-current:		May 20, 2009
		NetBSD-5 branch:	May 27, 2008 (5.0.1 will include the fix)
		NetBSD-4 branch:	May 27, 2008 (4.1 will include the fix)
		NetBSD-4-0 branch:	May 27, 2008 (4.0.2 will include the fix)

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

Two remote buffer overflow vulnerabilities have been found in the ntp
(Network Time Protocol) code.

The first, in ntpq, potentially allows arbitrary code execution (as
the user running ntpq) if a hostile ntp daemon is contacted.


NetBSD Security Officer | 30 Jun 23:52 2009

NetBSD Security Advisory 2009-007: Buffer overflows in hack(6)


		 NetBSD Security Advisory 2009-007
		 =================================

Topic:		Buffer overflows in hack(6)

Version:	NetBSD-current:		source prior to June 30, 2009
		NetBSD 5.0:		affected
		NetBSD 4.0.1:		affected
		NetBSD 4.0:		affected

Severity:	Unprivileged local users can gain access to "games" group

Fixed:		NetBSD-current:		June 29, 2009
		NetBSD-5 branch:	June 29, 2009
			(5.1 will include the fix)
		NetBSD-5-0 branch:	June 29, 2009
			(5.0.1 will include the fix)
		NetBSD-4 branch:	June 29, 2009
			(4.1 will include the fix)
		NetBSD-4-0 branch:	June 29, 2009
			(4.0.2 will include the fix)

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

Hack, a "rogue-like" game, is installed setgid to the "games" group

