Your message dated Fri, 19 Oct 2012 23:00:17 +0100 with message-id <[email protected]> has caused the report #690986, regarding CVE-2012-5363 CVE-2012-5365 to be marked as having been forwarded to the upstream software author(s) [email protected]
(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 690986: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690986 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Hi, On 19/10/12 20:34, Moritz Muehlenhoff wrote: > Two security issues were found in the kfreebsd network stack: > http://www.openwall.com/lists/oss-security/2012/10/10/8 > Issue #1 was assigned CVE-2012-5363 > Issue #2 was assigned CVE-2012-5365 Thank you for mentioning it. Issue #2 seems similar to CVE-2011-2393, which I assumed was only relevant where we'd set net.inet6.ip6.accept_rtadv=1, which isn't the upstream FreeBSD default. Issue #1 however might affect any FreeBSD system acting as an IPv6 router. If this can actually be confirmed, then the worst case I can imagine, is if a FreeBSD box acts as an IPv6 router for multiple interfaces, perhaps serving different users; any one of them might flood with Neighbour Solicitations on their local link and create a DoS affecting other interfaces. I found some code committed to OpenBSD (in 2008, uh-oh), supposedly from KAME (but I can't find it in their repository?), implementing per-interface and global limits on the number of prefixes/routes accepted via RA. I imagine that's the best way to avoid some or all of these issues. > http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/in6_proto.c?sortby=date#rev1.56 Just recently it seems this was also committed to NetBSD HEAD: "4 new sysctls to avoid ipv6 DoS attacks from OpenBSD". I don't know of an easier way to link to a whole CVS commit, but here are (hopefully all) the changes to individual files: > http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/ip6_input.c.diff?r1=1.138&r2=1.139&sortby=date&only_with_tag=MAIN > http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/ip6_var.h.diff?r1=1.58&r2=1.59&sortby=date&only_with_tag=MAIN > http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/nd6.c.diff?r1=1.142&r2=1.143&sortby=date&only_with_tag=MAIN > http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/nd6.h.diff?r1=1.56&r2=1.57&sortby=date&only_with_tag=MAIN > http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/icmp6.c.diff?r1=1.160&r2=1.161&sortby=date&only_with_tag=MAIN > http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/in6.c.diff?r1=1.160&r2=1.161&sortby=date&only_with_tag=MAIN > http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/in6_proto.c.diff?r1=1.96&r2=1.97&sortby=date&only_with_tag=MAIN > http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/in6_var.h.diff?r1=1.64&r2=1.65&sortby=date&only_with_tag=MAIN > http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/nd6_rtr.c.diff?r1=1.82&r2=1.83&sortby=date&only_with_tag=MAIN Regards, -- Steven Chamberlain [email protected]
--- End Message ---
