This news is a couple of weeks old and has been covered elsewhere, but I thought I'd mention it here too, as I saw someone running the 4.0 release kernel yesterday. OpenBSD just had its 'second remote hole in 10 years' found in the ipv6 stack. It's been fixed in the -stable branch, but if you're running any release version of OpenBSD with ipv6 support, you're vulnerable to a remote root exploit.
The quick fix is adding a 'block in quick inet6 all' early in your pf.conf. The proper fix, of course, is to compile yourself a new kernel. The OpenBSD FAQ covers it pretty well. Look for the "how to compile the system from source" section.

I'm not sure how serious this is on the Internet, as I don't know how easy it is to get ipv6 packets routed to a destination of one's choosing, but most OpenBSD boxes are crackable from a LAN at the moment.

If you're running the NET4801 (or, presumably, the NET4501) kernel from flashdist, you're not vulnerable; that config leaves out ipv6 support.

[/PSA]
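
An added example, not part of the original post: a shell check of whether the 'block in quick inet6 all' workaround sits early enough in a ruleset to take effect. pf stops at the first matching 'quick' rule, so an earlier 'pass ... quick' rule that can match inbound IPv6 wins over the block. The function name, the sample rulesets and the sis0 interface are constructed for illustration.

```shell
#!/bin/sh
# Added example. Simplified on purpose: no macro expansion, anchors, includes,
# "set skip", or backslash line continuations are handled.

# Reads pf.conf text on stdin. Returns 0 if an unconditional
# "block ... quick inet6 all" precedes every "pass ... quick" rule that could
# match inbound IPv6, 1 if such a pass rule comes first, 2 if no block exists.
check_inet6_block() {
    awk '
    function has(w) { return $0 ~ ("(^| )" w "( |$)") }
    { sub(/#.*/, "") }                    # drop comments
    NF == 0 { next }
    { $1 = $1 }                           # collapse tabs and runs of spaces
    !has("quick") || has("out") { next }  # only inbound quick rules end evaluation
    $1 == "block" && has("inet6") && has("all") && !has("on") {
        rc = 0; done = 1; exit
    }
    $1 == "pass" && !has("inet") {        # not limited to IPv4, may match IPv6
        rc = 1; done = 1
        print "inet6 block shadowed by line " NR ": " $0
        exit
    }
    END {
        if (!done) { rc = 2; print "no unconditional quick inet6 block found" }
        exit rc
    }
    '
}

# Constructed sample rulesets (not from the original post).
GOOD_CONF='int_if = "sis0"
scrub in all
block in quick inet6 all        # the workaround, first filter rule
pass in quick on $int_if all
block in all'

SHADOWED_CONF='int_if = "sis0"
pass in quick on $int_if all    # matches IPv6 first, so the block never runs
block in quick inet6 all'

for conf in "$GOOD_CONF" "$SHADOWED_CONF"; do
    if printf '%s\n' "$conf" | check_inet6_block; then
        echo "workaround effective"
    else
        echo "workaround NOT effective"
    fi
done
```

The check is conservative: a 'pass ... quick' rule that is limited to IPv4 only by its addresses, rather than by the 'inet' keyword, is still reported as shadowing.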
