Re: refrag.diff security update
On Fri, Oct 11, 2002 at 10:07:26PM +0100, Stephen Marley wrote:
> Heh, I was careful to say 3.2 and not 3.2-stable.

which part in "3.2 will be released November, 1" did you not understand?
RE: refrag.diff security update
Henning Brauer [mailto:lists-openbsdtech@;bsws.de] writes:
> > Will 3.2-stable get the bug fix once 3.2 is officially released?
>
> yes.
>
> > I've already upgraded my bridge to 3.2
>
> oh? 3.2 isn't released. thus, unsupported yet.

Heh, I was careful to say 3.2 and not 3.2-stable.

> sorry, there's reasons for the release date.

I appreciate that. I'd expect there to be a greater level of scrutiny of patches for the -stable branch, as well as the need to properly document the changes for public consumption.

I'm tracking source-changes so I spotted Daniel's commits and was going to patch these fixes in anyway. I just wasn't sure when they'd be tagged as 3.2.

--
[EMAIL PROTECTED],
Re: refrag.diff security update
On Fri, Oct 11, 2002 at 09:45:45PM +0100, Stephen Marley wrote:
> Daniel Hartmeier [mailto:daniel@;benzedrine.cx] writes:
> > First, this only affects you if you applied the refrag.diff to an
> > OpenBSD 3.1-stable system.
>
> Will 3.2-stable get the bug fix once 3.2 is officially released?

yes.

> I've already upgraded my bridge to 3.2

oh? 3.2 isn't released. thus, unsupported yet.

sorry, there's reasons for the release date.
Re: refrag.diff security update
On Fri, Oct 11, 2002 at 09:45:45PM +0100, Stephen Marley wrote:
> Will 3.2-stable get the bug fix once 3.2 is officially released? I've
> already upgraded my bridge to 3.2 (as tagged in cvs) but I am not following
> -current on that box. I guess I should manually apply the -current diffs to
> this machine for now.

Yes, the patch will go into 3.2-stable as soon as 3.2 is released. You can manually backport it from 3.2-current, it's currently the most recent change in sys/net/bridge.c and sys/netinet/ip_output.c.

Daniel
RE: refrag.diff security update
Daniel Hartmeier [mailto:daniel@;benzedrine.cx] writes:
> First, this only affects you if you applied the refrag.diff to an
> OpenBSD 3.1-stable system.

Will 3.2-stable get the bug fix once 3.2 is officially released? I've already upgraded my bridge to 3.2 (as tagged in cvs) but I am not following -current on that box. I guess I should manually apply the -current diffs to this machine for now.

BTW, I haven't had any instability problems with 3.1, 3.1+patch or 3.2 on my little 486 bridge running with scrub in/out all no-df. It just works - thanks!

--
[EMAIL PROTECTED]
refrag.diff security update
First, this only affects you if you applied the refrag.diff to an OpenBSD 3.1-stable system.

The bridge refragmentation code that was added in OpenBSD 3.1-current introduced two new bugs which can lead to the following kind of kernel panics:

  panic: m_copym0: m == 0 and not COPYALL
  panic: m_copydata: null muf

These occur only on pf bridges when scrub is enabled. While the bugs obviously affect stability, it's uncertain whether they can be exploited.

The relevant code (which was itself a bugfix) was not committed to the 3.1 stable branch (due to its size), but a patch against 3.1-stable (refrag.diff) was provided and recommended to solve the initial bridge problem.

The bugs are now fixed in 3.2-current, but if you're running 3.1-stable with the refrag.diff patch applied, you should revert to 3.1-stable and apply the updated patch:

To revert the effects of the original refrag.diff:

  $ cd /usr/src/sys
  $ rm netinet/ip_var.h netinet/ip_output.c net/if_bridge.c net/pf.c
  $ cvs -d $CVSROOT -q checkout -rOPENBSD_3_1 netinet/ip_var.h netinet/ip_output.c net/if_bridge.c net/pf.c

To apply the updated refrag.diff:

  $ cd /usr/src
  $ patch < refrag.diff

Rebuild kernel and reboot.

The updated refrag.diff can be found on

  http://www.benzedrine.cx/refrag.diff

  MD5 (refrag.diff) = 04bb3ff4fab6e160fb738b22674bfced
  PGP keyID 6A3A7409 fingerprint 13 7E 9A F3 36 82 09 FE FD 57 B8 5C 2B 81 7E 1F

Alternatively, you can update to 3.2-current (which I recommend).

I apologize for the inconvenience caused.

Daniel
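
The advisory above publishes an MD5 for the updated refrag.diff; the following is an added example, not part of the original thread, that refuses to run `patch` unless the downloaded file matches that digest. The function names (`file_md5`, `verify_md5`, `apply_refrag`) are hypothetical, and the path to refrag.diff is assumed to be absolute.

```shell
#!/bin/sh
# Added example: gate `patch` on the MD5 published in the advisory.
EXPECTED_MD5=04bb3ff4fab6e160fb738b22674bfced   # value quoted in the advisory

# Print the lowercase hex MD5 of a file, using whichever tool is present:
# md5 (BSD), md5sum (GNU coreutils) or openssl. All three read stdin here.
file_md5() {
    if command -v md5 >/dev/null 2>&1; then
        md5 < "$1"
    elif command -v md5sum >/dev/null 2>&1; then
        md5sum < "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 < "$1" | sed 's/^.*= *//'
    fi | tr 'A-F' 'a-f'
}

# usage: verify_md5 FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 if the file cannot be read.
verify_md5() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    actual=$(file_md5 "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "MD5 mismatch for $1: got $actual, expected $expected" >&2
    return 1
}

# usage: apply_refrag /absolute/path/to/refrag.diff [srcdir]
# Runs the advisory's "cd /usr/src; patch < refrag.diff" step only after
# the digest check passes; the subshell leaves the caller's cwd untouched.
apply_refrag() {
    verify_md5 "$1" "$EXPECTED_MD5" || return 1
    ( cd "${2:-/usr/src}" && patch < "$1" )
}
```

The MD5 comparison catches a truncated or altered download; authenticity rests on the PGP signature made with the key whose fingerprint the advisory lists.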