Re: list
On Thu, 10 Oct 2002, John Bacalle wrote:

> * Dries Schellekens [EMAIL PROTECTED] [20021010 10:40]:
> > [ pf mailing list /raison d'etre/ ]
> > Perhaps this mailing list should be mentioned on www.openbsd.org/mail.html
> > so that people can email PF specific questions to this list.
>
> The man page is the best place to mention a mailing list for a component
> of OBSD. And, or the component's official Website. This is done for the
> other mailing lists.
>
> FYI, googling for `pf firewall homepage' doesn't render a hit on
> http://www.benzedrine.cx/pf.html---not in the top 10 hits---using `pf
> firewall home page' does. Orthography counts, apparently. 8)

Try openbsd pf

The first hit is http://www.benzedrine.cx/pf.html

Cheers,

Dries

--
Dries Schellekens
email: [EMAIL PROTECTED]
refrag.diff security update
First, this only affects you if you applied the refrag.diff to an OpenBSD
3.1-stable system.

The bridge refragmentation code that was added in OpenBSD 3.1-current
introduced two new bugs which can lead to the following kind of kernel
panics:

  panic: m_copym0: m == 0 and not COPYALL
  panic: m_copydata: null muf

These occur only on pf bridges when scrub is enabled. While the bugs
obviously affect stability, it's uncertain whether they can be exploited.

The relevant code (which was itself a bugfix) was not committed to the 3.1
stable branch (due to its size), but a patch against 3.1-stable
(refrag.diff) was provided and recommended to solve the initial bridge
problem.

The bugs are now fixed in 3.2-current, but if you're running 3.1-stable
with the refrag.diff patch applied, you should revert to 3.1-stable and
apply the updated patch:

To revert the effects of the original refrag.diff:

  $ cd /usr/src/sys
  $ rm netinet/ip_var.h netinet/ip_output.c net/if_bridge.c net/pf.c
  $ cvs -d $CVSROOT -q checkout -rOPENBSD_3_1 netinet/ip_var.h netinet/ip_output.c net/if_bridge.c net/pf.c

To apply the updated refrag.diff:

  $ cd /usr/src
  $ patch < refrag.diff

Rebuild kernel and reboot.

The updated refrag.diff can be found on http://www.benzedrine.cx/refrag.diff

MD5 (refrag.diff) = 04bb3ff4fab6e160fb738b22674bfced

PGP keyID 6A3A7409 fingerprint 13 7E 9A F3 36 82 09 FE FD 57 B8 5C 2B 81 7E 1F

Alternatively, you can update to 3.2-current (which I recommend).

I apologize for the inconvenience caused.

Daniel
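The revert-and-patch procedure from the message above, wrapped so that the updated refrag.diff is applied only after its digest matches the MD5 published in the message. This is an added example, not part of Daniel's post; it assumes GNU md5sum or BSD md5(1) is on the PATH and that CVSROOT is already set, and the source tree paths are the ones quoted above.

```shell
#!/bin/sh
# Added example (not from the mailing list post): gate the patch step on the
# published checksum. EXPECTED_MD5 is the value quoted in Daniel's message.
EXPECTED_MD5=04bb3ff4fab6e160fb738b22674bfced

# Print the MD5 of a file as a lowercase hex string, on GNU or BSD userland.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"          # BSD/OpenBSD md5(1)
    fi
}

# Return 0 only when the file's digest equals the expected one.
verify_md5() {
    file=$1; expected=$2
    actual=$(md5_of "$file") || return 1
    [ "$actual" = "$expected" ]
}

# Revert the four files touched by the original refrag.diff to the
# OPENBSD_3_1 tag, then apply the updated patch, but only if its checksum
# matches. Usage: apply_refrag /path/to/refrag.diff
apply_refrag() {
    patchfile=$1
    if ! verify_md5 "$patchfile" "$EXPECTED_MD5"; then
        echo "refrag.diff checksum mismatch, refusing to apply" >&2
        return 1
    fi
    ( cd /usr/src/sys &&
      rm -f netinet/ip_var.h netinet/ip_output.c net/if_bridge.c net/pf.c &&
      cvs -d "$CVSROOT" -q checkout -rOPENBSD_3_1 \
          netinet/ip_var.h netinet/ip_output.c net/if_bridge.c net/pf.c ) || return 1
    ( cd /usr/src && patch < "$patchfile" )
}
```

After apply_refrag returns 0, rebuild the kernel and reboot as the message says; a non-zero return means nothing was patched.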
Re: refrag.diff security update
On Fri, Oct 11, 2002 at 09:45:45PM +0100, Stephen Marley wrote:

> Will 3.2-stable get the bug fix once 3.2 is officially released? I've
> already upgraded my bridge to 3.2 (as tagged in cvs) but I am not
> following -current on that box. I guess I should manually apply the
> -current diffs to this machine for now.

Yes, the patch will go into 3.2-stable as soon as 3.2 is released. You can
manually backport it from 3.2-current, it's currently the most recent
change in sys/net/bridge.c and sys/netinet/ip_output.c.

Daniel
Re: refrag.diff security update
On Fri, Oct 11, 2002 at 09:45:45PM +0100, Stephen Marley wrote:

> Daniel Hartmeier [mailto:daniel;benzedrine.cx] writes:
> > First, this only affects you if you applied the refrag.diff to an
> > OpenBSD 3.1-stable system.
>
> Will 3.2-stable get the bug fix once 3.2 is officially released?

yes.

> I've already upgraded my bridge to 3.2

oh? 3.2 isn't released. thus, unsupported yet. sorry, there's reasons for
the release date.