login
Search
Some of you who follow netbsd-bugs@ may noticed that over the past two days we closed around 270 PRs (problem reports). That's quite a lot, and I thought I might as well tell you what lead to that... A few developers and myself had an idea to give a shot to something we called a NetBSD Bugathon -- we figured if we could combine efforts together, we could address some of the thousands of PRs we managed to get open in the 13 or so years of NetBSD action so far. So we did... we got on IRC (#NetBSD-code on irc.freenode.net if you're interested) and started looking for PRs we knew how to deal with; slowly more people came aboard, and we ended up brainstorming solutions to various problems, solving them as we went. The word spread quite fast and we suddenly had a few users helping us with the work as well. All in all it's been fun, and the results are quite amazing; with about 30 developers and 20 users we managed to get the number of "open" PRs to below 4000 -- we started with almost 4200! -- in fact, the results were so surprising given the short notice (if "meet you on IRC in 12 hours" is a notice :), that we decided to let you know about this, so you could take part the next time we do it. Which is why I am going to ask you to reserve the October 7-8 weekend, for that's when we'll be holding the next NetBSD Bugathon (oh, yeah, "Reloaded!" ;) -- you are all welcome to join us, to help with the bug hunting and fixing, or just to enjoy the atmosphere. Keep in mind it'll be a great time to discuss live about features you want to see, stuff that you'd like changed, problems you're seeing, etc., or even your own set of "pet PRs" you'd *finally* like to see resolved! More information is available online: http://www.NetBSD.org/hackathon/ And if someone wants to see how the netbsd-bugs@ mailing list looks like after 2 days of non-stop work: http://mail-index.netbsd.org/netbsd-bugs/2006/09/ (scroll down to 09/23/2006 and 09/24/2006... yeah, we should do something ...
-----BEGIN PGP SIGNED MESSAGE----- NetBSD Security Advisory 2004-003 ================================= Topic: OpenSSL 0.9.6 ASN.1 parser vulnerability Version: NetBSD-current: sources prior to 2003/07/24 NetBSD 1.6.1: affected NetBSD 1.6: affected NetBSD-1.5.3: affected NetBSD-1.5.2: affected NetBSD-1.5.1: affected NetBSD-1.5: affected pkgsrc: packages prior to (including) 0.9.6k Severity: possible remote denial-of-service Fixed: NetBSD-current: July 24, 2003 NetBSD-1.6 branch: November 8, 2003 (1.6.2 will include the fix) NetBSD-1.5 branch: November 7, 2003 pkgsrc: openssl-0.9.6l corrects this issue Abstract ======== OpenSSL 0.9.6k ASN.1 parser had a possible denial-of-service vulnerability. This vulnerability is different from 2003-017. OpenSSL 0.9.7 is not affected. Technical Details ================= http://www.kb.cert.org/vuls/id/412478 http://www.openssl.org/news/secadv_20031104.txt Solutions and Workarounds ========================= Release of NetBSD 1.6.2 is imminent. This is a reminder to consider upgrading when they are available, if you are running anything older than NetBSD 1.6 Many security-related improvements have been made. NetBSD 1.6.2 may be considered a binary patch for this advisory. * Rebuilding from source: libcrypto and libssl have to be rebuilt. The following instructions describe how to upgrade your libcrypto and libssl binaries by updating your source tree and rebuilding and installing a new version of libcrypto and libssl. * NetBSD-current: NetBSD-current has included the OpenSSL 0.9.7 series since July 24, 2003, therefore upgrading to sources after July 24, 2003 is required. * NetBSD 1.6, 1.6.1: The binary distributions of NetBSD 1.6 and 1.6.1 are vulnerable. Systems running NetBSD 1.6 sources dated from before 2003-11-07 should be upgraded from NetBSD 1.6 sources dated 2003-11-08 or later. NetBSD 1.6.2 will include the fix. The ...
* Announcing NetBSD and the Google "Summer of Code" Projects 2006
The Google ``Summer of Code'' is designed to introduce students to the
world of open source software development, to create new Open Source
programs and to help currently established projects. NetBSD is one of
the projects participating as mentoring organisation in the Summer of
Code for the second time this year, and after evaluating over seventy
distinct applications, the NetBSD Foundation is now pleased to
announce the list of projects that have been chosen:
1. Project: Support for journaling for FFS
Student: Kirill Kuvaldin
Mentor: Manuel BOUYER
Mentor: Thor Lancelot Simon
2. Project: Support for MIPS64 ISA
Student: LIU Qi
Mentor: Garrett D'Amore
Mentor: Simon Burge
3. Project: PowerPC G5 support in NetBSD
Student: Yevgeny Binder
Mentor: Allen Briggs
Mentor: Garrett D'Amore
4. Project: Improved Writing to FileSystem Using Congestion Control
Student: Sumantra R. Kundu
Mentor: Bill Studenmund
Mentor: Thor Lancelot Simon
5. Project: TCP ECN support
Student: Rui Paulo
Mentor: Kentaro A. Kurahone
Mentor: Allen Briggs
Mentor: Matt Thomas
6. Project: Fast_ipsec and ipv6
Student: Degroote Arnaud
Mentor: Sam Leffler
Mentor: Christos Zoulas
Mentor: Thor Lancelot Simon
7. Project: pkg_install rewrite for pkgsrc
Student: Joerg Sonnenberger
Mentor: Dieter Baron
Mentor: Johnny C. Lam
Mentor: Alistair Crooks
Mentor: Thomas Klausner
8. Project: Improving the mbuf API and implementation
Student: Pavel Cahyna
Mentor: Martin Husemann
Mentor: Matt Thomas
In each accepted project, the student will work closely together with
the entire NetBSD community under the supervision of at least one
senior NetBSD developer, who will guide the student and introduce them
into the world of Open Source Software Development.
Hubert Feyrer, vice ...-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NetBSD Security Advisory 2005-006 ================================= Topic: Multiple vulnerabilities in CVS Version: NetBSD-current: source prior to August 26, 2005 NetBSD 2.1: not affected NetBSD 2.0.3: not affected NetBSD 2.0.2: affected NetBSD 2.0: affected NetBSD 1.6.2: affected NetBSD 1.6.1: affected NetBSD 1.6: affected pkgsrc: CVS packages prior to 1.11.20nb2 Severity: Remote execution of arbitrary code, denial of service and local privilege escalation Fixed: NetBSD-current: August 26, 2005 NetBSD-3 branch: August 26, 2005 (3.0 will include the fix) NetBSD-2.0 branch: August 26, 2005 (2.0.3 includes the fix) NetBSD-2 branch: August 26, 2005 (2.1 includes the fix) NetBSD-1.6 branch: August 26, 2005 (1.6.3 will include the fix) pkgsrc: cvs-1.11.20nb2 or higher correct the issues Abstract ======== CVS has multiple vulnerabilities, ranging from remote execution of arbitrary code to denial of service. Most of the issues are when the CVS server is running in pserver mode. Technical Details ================= There are multiple issues, summarised in the following list: * A heap overflow is present in the handling of "Entry" lines for CVS servers running in pserver mode. An attacker would require write access to the repository to exploit this. * Problem handling malformed "Entry" lines and empty data lines, which could lead to a denial of service (crash), modification of critical program data or arbitrary code execution. * Double-free vulnerability in "error_prog_name" string leading to remote execution of arbitrary code. * Integer overflow in the "Max-dotdot" CVS protocol command resulting in denial of service. * The "serve_notify" function does not correctly handle empty data lines. Using a crafted request an attacker could potentially execute arbitrary system commands. * An ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NetBSD Security Advisory 2008-006 ================================= Topic: Integer overflow in strfmon(3) function Version: NetBSD-current: affected NetBSD 4.0: affected NetBSD 3.1.*: unaffected NetBSD 3.1: unaffected NetBSD 3.0: unaffected NetBSD 3.0.*: unaffected Severity: Local user may be able to execute arbitrary code Fixed: NetBSD-current: March 18, 2008 NetBSD-4 branch: March 19, 2008 (4.1 will include the fix) NetBSD-4-0 branch: March 19, 2008 (4.0.1 will include the fix) Abstract ======== The strfmon() function contains multiple integer overflows which can be exploited by a local attacker to cause a crash or potentially execute arbitrary code. Technical Details ================= The vulnerability exists in strfmon() because of the use of the GET_NUMBER() macro. This macro does not check for integer overflow, and its value is passed as an argument to the memmove() and memset() functions, which can result in a crash or possibly the execution of arbitrary code. This issue has been assigned CVE reference CVE-2008-1391. Solutions and Workarounds ========================= The following instructions describe how to upgrade your libc binaries by updating your source tree and rebuilding and installing a new version of libc. * NetBSD-current: Systems running NetBSD-current dated from before 2008-03-18 should be upgraded to NetBSD-current dated 2008-03-19 or later. The following files need to be updated from the netbsd-current CVS branch (aka HEAD): lib/libc/stdlib/strfmon.c To update from CVS, re-build, and re-install libc: # cd src # cvs update lib/libc/stdlib/strfmon.c # cd lib/libc # make USETOOLS=no cleandir dependall # make USETOOLS=no install * NetBSD 4.*: Systems running NetBSD 4.* sources dated from before 2008-03-19 should be upgraded from NetBSD 4.* source dated 2008-03-20 or later. The following ...
-----BEGIN PGP SIGNED MESSAGE----- NetBSD Security Advisory 2003-001 ================================= Topic: Encryption weakness in OpenSSL code Version: NetBSD-current: source prior to February 21, 2003 NetBSD-1.6.1: not affected NetBSD-1.6: affected NetBSD-1.5.3: affected NetBSD-1.5.2: affected NetBSD-1.5.1: affected NetBSD-1.5: affected NetBSD-1.4*: not affected pkgsrc: prior to openssl-0.9.6gnb1 Severity: Cryptographic keys can be compromised. Fixed: NetBSD-current: February 21, 2003 NetBSD-1.6 branch: February 21, 2003 (1.6.1 includes the fix) NetBSD-1.5 branch: February 27, 2003 pkgsrc: openssl-0.9.6gnb1 (or later) Abstract ======== Block cipher padding errors and MAC verification errors were handled differently in the SSL/TLS parts of the OpenSSL library. This leaks information in the case of incorrect SSL streams and allows for an adaptive timing attack. No services using SSL/TLS are enabled by default in NetBSD, however, by enabling services built with these libraries, a system could become vulnerable to the compromise of cryptographic keys. Technical Details ================= http://www.openssl.org/news/secadv_20030219.txt Solutions and Workarounds ========================= The following instructions describe how to upgrade your libssl binaries by updating your source tree and rebuilding and installing a new version of libssl. Be sure to restart running instances of programs that use the libssl library after upgrading. If you have any statically-linked binaries that linked against a vulnerable libssl, you need to recompile them. * NetBSD-current: Systems running NetBSD-current dated from before 2003-02-21 should be upgraded to NetBSD-current dated 2003-02-21 or later. The following file needs to be updated from the netbsd-current CVS branch (aka HEAD): crypto/dist/openssl/ssl/s3_pkt.c To update from CVS, re-build, and re-install libssl: # cd src # cvs ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NetBSD Security Advisory 2008-014 ================================= Topic: Cross-site request forgery in ftpd(8) Version: NetBSD-current: affected NetBSD 4.0.*: not affected NetBSD 4.0: affected NetBSD 3.1.*: affected NetBSD 3.1: affected NetBSD 3.0.*: affected NetBSD 3.0: affected Severity: Cross-site request forgery Fixed: NetBSD-current: September 13, 2008 NetBSD-4-0 branch: September 18, 2008 (4.0.1 includes the fix) NetBSD-4 branch: September 18, 2008 (4.1 will include the fix) NetBSD-3-1 branch: September 18, 2008 (3.1.2 will include the fix) NetBSD-3-0 branch: September 18, 2008 (3.0.4 will include the fix) NetBSD-3 branch: September 18, 2008 (3.2 will include the fix) pkgsrc: tnftpd-20081009 corrects the issue Abstract ======== When accessing NetBSD servers running ftpd(8) certain commands can aide attackers in executing CSRF attacks when e.g. using a web browser to access ftp servers. This vulnerability has been assigned CVE-2008-4247. Technical Details ================= When accessing NetBSD servers running ftpd(8) long commands are split into multiple requests which can result in CSRF attacks. Solutions and Workarounds ========================= Only NetBSD systems with ftpd(8) enabled may be vulnerable to this issue. ftpd(8) is not enabled by default in NetBSD generic installations. As a temporary workaround disable ftpd(8) from the base OS and use the tnftpd-20081009 package from pkgsrc which contains a fix. The following instructions describe how to upgrade your ftpd binaries by updating your source tree and rebuilding and installing a new version of ftpd. * NetBSD-current: Systems running NetBSD-current dated from before 2008-09-13 should be upgraded to NetBSD-current dated 2008-09-14 or later. The following files/directories need to be updated from the netbsd-current CVS branch (aka ...
[For a full listing of the changes, please refer to the current-users mailing list - agc] Summary of Changes to the NetBSD Packages Collection in July 2003 ================================================================= By my calculations, at the end of July 2003, there were 3892 packages in the NetBSD Packages Collection, up from 3820 the previous month, a rise of 72. Notable additions include: ap-auth-pgsql, ap2-ruby, asc, avr-binutils, avr-gcc, avr-gdb, avr-libc, avrdude, awstats, bbdate, bitlbee, bkedit, brs, buildtool-doc, conglomerate, cpuid, dbench, device-driver-doc-de, dirdiff, djbfft, dnstracer, eric3, expatobjc, fspanel, gmencoder, gqmpeg-skins, GridSim, gtksee, gtkwave, jdk-openjit, KoboDeluxe, kopete, libffi, libggigcp, libggiwmh, libid3tag, libkver, libmad, mad123, madplay, multi-aterm, openpbs, openssh+gssapi, pag, paragui, pari-galdata, physfs, pkg_filecheck, proj-doc, psi-ssl, pure-ftpd, py-adns, py-kjbuckets, py-m2crypto, py-pqueue, py-qt3-base, py-qt3-modules, py-qt3-qscintilla, py-sybase, py-zconfig, re2c, ruby-borges, ruby-installpkg, ruby-webrick, SDL-arts, SDL-esound, SDL-nas, spider, tcptraceroute, tnftp, xlog, xmms-arts, xmms-blursk, xmms-esound, and xorp. Notable updates include: abcde, adom, algae, ap-ssl, ap2-subversion, apache, apache2, apla, arts, asc, aspell, ast-ksh, atari800, audacity, automake, avi-xmms, avifile, avifile-devel, avr-gdb, balsa2, battalion, bbmail, bidwatcher, biew, bind8, bins, binutils, bkpupsd, blender, bluefish, bmake, bogofilter, bomberclone, bozohttpd, buildtool, canna-server-bin, ccache, cfs, cgoban-java, clisp, cpuflags, crimsonfields, criticalmass, cscope, cue, curl, cvs, cvsync, dbh, dctc, dc_gui2, delegate, devtodo, dhid, dinotrace, disc-cover, distcc, docbook-xsl, dopewars, dosbox, dovecot, dynipclient, easytag, eawpatches, ekg, emacs, eog2, ethereal, falcons-eye, fetchmail, fetchmailconf, fftw, fire, fix4SA110rev2, fluxbox, fontconfig, freeradius, gabber, gaim, galeon, gcalctool, gcc, gcc3, ...
Hello, on behalf of the NetBSD Release Engineering team, I am happy to announce the availability of NetBSD 4.0 Release Candidate 3. Binaries and ISOs are available from ftp://ftp.netbsd.org/pub/NetBSD/NetBSD-4.0_RC3 The list of changes from the 3.0 release is available in the release notes, online at ftp://ftp.netbsd.org/pub/NetBSD/NetBSD-4.0_RC3/i386/INSTALL.html#Changes%20Between%20T... This release candidate has several bug fixes and other changes since the previous release candidate - RC2. The most important ones are: - build of the 32-bit sparc64 kernel is fixed, allowing the sparc release to be built. - many fixes to nfe(4) and bge(4) drivers. - fixed PR 37037 - kernel memory corruption due to ipnat. - support for the HP ML110 G2 / Adaptec 2610SA SATA RAID added to aac(4). - fix of an off-by-one error in openssl. - avoid kernel crashes in signal handling (PR 37004) and linux emulation (PR 36920). - fix ACPI related interrupt storms due to differences between IOAPIC and classic interrupt routing. Should correct a regression introduced in RC2 on some machines. The complete description is found in the CHANGES-4.0 file in the release tree, online at ftp://ftp.netbsd.org/pub/NetBSD/NetBSD-4.0_RC3/CHANGES-4.0 (Scroll down to the end of the file and see the entries between the RC2 and RC3 ones.) We have also provided several ISO images missing from previous release candidates. There are now ISO images for acorn32, hpcmips and the three multi-arch ISO images. The ISO image for macppc should now be bootable. If you want to build NetBSD 4.0_RC3 from source, cvs up your source tree to "netbsd-4-0-RC3", or just along the "netbsd-4" branch. Alternatively, you can download the source sets from the URL above, under the source/ directory. Please help us test this release candidate as much as possible to make NetBSD 4.0 a solid release. Thanks, the NetBSD Release Engineering team.
Greetings, As some of you may have noticed, the NetBSD mailing lists have been configured to selectively moderate postings originating from the "openbsd.org" domain. This rule was instated to protect the NetBSD mailing lists from abuse or denial of service attacks by an OpenBSD developer (Theo De Raadt), who some time ago threatened to attack the NetBSD project machines. In a reaction to this threat, domains under his control were blackholed and moderation of the mailing lists was activated. Unfortunately this kind of moderation had the unfortunate side effect of impeding communication between OpenBSD and NetBSD developers (unnecessary rejection due to moderator absense, approval delays, etc.). It was not our intent; it was assumed that most OpenBSD developers would not post from their @openbsd.org addresses, just as most NetBSD developers do not use their @netbsd.org addresses to send mail. At this point in time, we have decided that the inconvenience to the OpenBSD developers greatly outweighs the risk of postings in poor taste from a single individual, thus we are removing the selective moderation against the "openbsd.org" domain effective immediately. Please note that the NetBSD mailing lists have always been moderated against spam since they allow postings from non-members. Such moderation will remain in place. We would like to remind our mailing list participants, that they should construct sentences with greater care, refrain from using foul language, and stop using sentences that can be taken as threats or insults. If anyone is found to abuse our mailing lists, we will moderate his postings to the lists and announce the moderation to that individual. Christos Zoulas (for NetBSD core)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NetBSD Security Advisory 2009-002 ================================= Topic: tcpdump multiple denial of service and arbitrary code execution issues Version: NetBSD-current: affected before July 20, 2007 NetBSD 5.0: not affected NetBSD 4.0.*: not affected NetBSD 4.0: affected Severity: Denial of Service, Arbitrary Code Execution Fixed: NetBSD-current: July 20, 2007 NetBSD-4-0 branch: July 21, 2008 (4.0.2 will include the fix) NetBSD-4 branch: July 21, 2008 (4.1 will include the fix) pkgsrc: tcpdump-3.9.7 corrects the issue Please note that NetBSD releases prior to 4.0 are no longer supported. It is recommended that all users upgrade to a supported release. Abstract ======== A number of issuses exist in the version of tcpdump(1) shipped with NetBSD 4.0 allowing a remote attacker to hang or crash the application and to execute arbitrary code via specially crafted packages. Technical Details ================= An integer overflow in the BGP dissector allows remote attackers to execute arbitrary code via crafted TLVs in a BGP packet. An infinite loop error in the BGP dissector allows remote attackers to cause an application hang by sending an invalid prefix. An off-by-one error in the 802.11 dissector result printing code allows remote attackers to crash the application. An infinite loop error in the ISIS dissector allows remote attackers to cause an application hang using GRE packets of zero length. A length verification error in the RSVP dissector allows remote attackers to crash the application by sending a RSVP packet of length 4. For more details, please see CVE-2007-1218, CVE-2007-3798, CAN-2005-1267, CAN-2005-1278, CAN-2005-1279 and CAN-2005-1280. Solutions and Workarounds ========================= The 4.0.1 release of NetBSD resolves this issue, so a possible solution is to upgrade to NetBSD 4.0.1 or 5.0. As a temporary workaround disable ...
Dear all, ISC is planning work on a pretty central router that will affect the NetBSD.org servers hosted at ISC (mail, www, ftp, anoncvs, blog etc). This maintenance is supposed to start around 16:00 UTC on Sat Aug 8th, and will take a few hours. Connectivity will likely not be down the entire time, but don't expect it to be stable or plentiful. Please use mirrors where available. regards, spz
In keeping with NetBSD's policy of maintaining only the current (2.0) and most recent (1.6) release branches, the release of NetBSD 2.0 marks the end-of-life for NetBSD 1.5. This means that the netbsd-1-5 branch will no longer be actively maintained. For example: - There will be no more pullups to the branch (even for security issues) - There will be no security advisories made for 1.5 - The current 1.5 releases on ftp.netbsd.org will be moved into /pub/NetBSD-archive James
