Re: inet6 buffer overflow
On 3/16/07, Karel Kulhavy <[EMAIL PROTECTED]> wrote:
> On Thu, Mar 15, 2007 at 11:52:44AM +0100, Claudio Jeker wrote:
> > On Thu, Mar 15, 2007 at 10:26:23AM +, Gaby Vanhegan wrote:
> > > Hi,
> > >
> > > Reading the security advisory for the ipv6 buffer issue, the
> > > workaround is to block inet6 traffic in pf.conf. My default block
> > > line is actually:
> > >
> > > block in on $ext_if
> > >
> > > Where $ext_if is the net connection (the only network connection the
> > > machine is plugged into). Is the rule:
> > >
> > > block in inet6
>
> I have put block in inet6 into my /etc/pf.conf. Do I need to do anything
> else (turn something on somewhere else) or does it already protect against
> the overflow?

To be sure, you could apply the patch. Then you're protected even if you
inadvertently futz your ruleset, or disable PF or that filter rule somehow.

> How can I test that the protection really works? Is there
> somewhere a Linux program I can run to test if I can log in remotely into
> an OpenBSD machine as the root?

A PoC exploit has been released which you *may* be able to use to test
your exposure. IMHO you're better patching and having complete assurance.

DS
Re: inet6 buffer overflow
On Fri, Mar 16, 2007 at 09:48:19AM +0100, Karel Kulhavy wrote:
> I have put block in inet6 into my /etc/pf.conf. Do I need to do anything
> else (turn something on somewhere else) or does it already protect against
> the overflow? How can I test that the protection really works? Is there
> somewhere a Linux program I can run to test if I can log in remotely into
> an OpenBSD machine as the root?

You need to enable pf (obvious, but still). There is sample code available
in the Core advisory.

Joachim
Re: inet6 buffer overflow
On Thu, Mar 15, 2007 at 11:52:44AM +0100, Claudio Jeker wrote:
> On Thu, Mar 15, 2007 at 10:26:23AM +, Gaby Vanhegan wrote:
> > Hi,
> >
> > Reading the security advisory for the ipv6 buffer issue, the
> > workaround is to block inet6 traffic in pf.conf. My default block
> > line is actually:
> >
> > block in on $ext_if
> >
> > Where $ext_if is the net connection (the only network connection the
> > machine is plugged into). Is the rule:
> >
> > block in inet6

I have put block in inet6 into my /etc/pf.conf. Do I need to do anything
else (turn something on somewhere else) or does it already protect against
the overflow? How can I test that the protection really works? Is there
somewhere a Linux program I can run to test if I can log in remotely into
an OpenBSD machine as the root?

CL<
Re: inet6 buffer overflow
On Thu, Mar 15, 2007 at 10:26:23AM +, Gaby Vanhegan wrote:
> Hi,
>
> Reading the security advisory for the ipv6 buffer issue, the
> workaround is to block inet6 traffic in pf.conf. My default block
> line is actually:
>
> block in on $ext_if
>
> Where $ext_if is the net connection (the only network connection the
> machine is plugged into). Is the rule:
>
> block in inet6
>
> Redundant in this case, or should it still be added?
>

You need to make sure that all your pass rules are for inet only.
block in quick inet6 at the beginning of the rules should do the trick.
But remember that localhost is resolved as ::1.

--
:wq Claudio
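One way to lay out the ruleset Claudio describes, as an added pf.conf example that is not from the thread (the interface name em0 and the ssh service are assumptions):

```pf
# Added example, not from the thread: why "block in on $ext_if" alone does
# not close inet6, and the fix described above. em0 and ssh are assumptions.
ext_if = "em0"

# --- Weak: the default block followed by an af-agnostic pass rule ---
# pf evaluates rules "last match wins" unless a rule is marked quick, so
# this pass rule matches both IPv4 and IPv6 ssh connections: it carries no
# "inet" qualifier, and inbound inet6 packets still reach the stack here.
# block in on $ext_if
# pass in on $ext_if proto tcp from any to ($ext_if) port ssh

# --- Corrected: drop every inbound inet6 packet before any pass rule ---
# "quick" ends evaluation on the first match, so no later pass rule can
# re-admit IPv6 however it is written.
block in quick inet6

block in on $ext_if
# Pass rules are explicitly inet, so a later edit cannot silently widen
# them to v6 if the quick block is ever removed.
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh

# Caveat from the thread: "localhost" expands to 127.0.0.1 *and* ::1.
# With the quick block above, the ::1 half of a rule like the one below is
# dead for inbound traffic, so a local service that resolves "localhost"
# to ::1 first will fail unless it is pointed at 127.0.0.1 (or lo0 is
# exempted with "set skip on lo0" at the top of the file, which also
# exempts loopback from the inet6 block).
# pass in on lo0 from localhost to localhost

# Checks (run as root):
#   pfctl -nf /etc/pf.conf   # parse only; catches syntax errors
#   pfctl -f  /etc/pf.conf   # load the ruleset
#   pfctl -e                 # enable pf; a loaded ruleset does nothing while pf is disabled
#   pfctl -sr                # list loaded rules; the quick inet6 block should be first
```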
inet6 buffer overflow
Hi,

Reading the security advisory for the ipv6 buffer issue, the
workaround is to block inet6 traffic in pf.conf. My default block
line is actually:

block in on $ext_if

Where $ext_if is the net connection (the only network connection the
machine is plugged into). Is the rule:

block in inet6

Redundant in this case, or should it still be added?

Gaby

--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/sudoku/
http://weblog.vanhegan.net/