Latest news
* 2002-006 buffer overrun in libc/libresolv DNS resolver
x 2002-007 Repeated TIOCSCTTY ioctl can corrupt session hold counts
*x 2002-009 Multiple vulnerabilities in OpenSSL code
*x 2002-010 symlink race in pppd
*x 2002-011 Sun RPC XDR decoder contains buffer overflow
x 2002-012 buffer overrun in setlocale
x 2002-013 Bug in NFS server code allows remote denial of service
x 2002-014 fd_set overrun in mbone tools and pppd
x 2002-017 shutdown(s, SHUT_RD) on TCP socket does not work as intended
x+ 2002-018 Multiple security issues with kfd daemon
(*) reissue
(x) affects 1.5.3
(+) affects 1.6
As noted by NetBSD Security Officer (security-officer@netbsd.org):
These advisories involve bugs in libc (affecting static binaries), as well as the kernel. A full system rebuild is recommended to collectively address all of these issues, but please make sure to read through all of the advisories in case specific issues affect your system.
Because of the extensive rebuild required, the NetBSD 1.6 release was delayed in order to include fixes for as many of these issues as possible, so as to provide binary release users with an easy upgrade path.
Readers will note that there are some gaps in the above numbering. These pending advisories involve third parties, and are awaiting disclosure co-ordination, so we cannot publish them at this time. However, they *are* fixed in NetBSD 1.6.
Unfortunately, the recent 1.5.3 release was affected by most of these issues. Unlike NetBSD 1.6, the 1.5 branch cannot be automatically cross-built to release, and so any updated binary release from the 1.5 tree will take considerable time and developer effort.
Therefore:
* The recommended cumulative fix for pre-1.6 systems is to upgrade to NetBSD 1.6.
* Users who cannot upgrade to 1.6 are recommended to update to the most recent sources on the NetBSD-1.5 branch, via anoncvs, and rebuild from there.
* Users of NetBSD-current should upgrade to source more recent than September 11, 2002, and rebuild the kernel and all userland.
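The note above stresses that the libc fixes do not reach statically linked binaries: each one carries its own copy of libc and is repaired only by relinking, which is why a full rebuild rather than a library update is recommended. A practitioner auditing a 1.5.3 or earlier system would first want to know which executables those are. The program below is an added example written for this page, not NetBSD project code. It classifies ELF files as statically or dynamically linked by the standard criterion, whether the program header table contains a PT_INTERP entry (the request for a run-time linker); the header offsets and the PT_INTERP/PT_LOAD values are from the ELF specification, it handles ELF32 and ELF64 in either byte order, and it reports anything that is not an ELF executable as unclassifiable. The sample images it builds for its self-check are constructed, not real binaries.

```c
/*
 * static_elf.c -- report whether an ELF executable is statically or
 * dynamically linked. A binary with no PT_INTERP program header has no
 * run-time linker and therefore carries its own copy of libc; rebuilding
 * the shared libc alone leaves it vulnerable.
 *
 * Added example for this announcement, not NetBSD code. Offsets and the
 * PT_* values follow the ELF specification; ELF32/ELF64, LSB/MSB.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PT_LOAD   1
#define PT_INTERP 3

enum link_kind { ELF_BAD = -1, ELF_STATIC = 0, ELF_DYNAMIC = 1 };

/* Read / write an n-byte unsigned integer in the file's byte order. */
static uint64_t rd(const unsigned char *p, size_t n, int be)
{
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++)
        v = (v << 8) | p[be ? i : n - 1 - i];
    return v;
}

static void wr(unsigned char *p, size_t n, int be, uint64_t v)
{
    for (size_t i = 0; i < n; i++)
        p[be ? n - 1 - i : i] = (unsigned char)(v >> (8 * i));
}

/* Classify an in-memory ELF image; every access is bounds-checked. */
int elf_link_kind(const unsigned char *buf, size_t len)
{
    if (len < 52 || memcmp(buf, "\177ELF", 4) != 0)
        return ELF_BAD;
    if ((buf[4] != 1 && buf[4] != 2) || (buf[5] != 1 && buf[5] != 2))
        return ELF_BAD;                         /* EI_CLASS / EI_DATA */
    int is64 = buf[4] == 2, be = buf[5] == 2;
    if (is64 && len < 64)
        return ELF_BAD;

    uint64_t phoff     = is64 ? rd(buf + 32, 8, be) : rd(buf + 28, 4, be);
    uint64_t phentsize = is64 ? rd(buf + 54, 2, be) : rd(buf + 42, 2, be);
    uint64_t phnum     = is64 ? rd(buf + 56, 2, be) : rd(buf + 44, 2, be);

    if (phnum == 0 || phentsize < (is64 ? 56u : 32u))
        return ELF_BAD;                         /* no program headers: not loadable */
    if (phoff > len || phentsize > len || phnum > len / phentsize)
        return ELF_BAD;                         /* program header table truncated */
    for (uint64_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + i * phentsize;   /* p_type is the first field */
        if (off > len - 4)
            return ELF_BAD;
        if (rd(buf + off, 4, be) == PT_INTERP)
            return ELF_DYNAMIC;
    }
    return ELF_STATIC;
}

/* Constructed sample: header plus PT_LOAD, plus PT_INTERP if requested.
 * Not a real binary; used only to exercise the classifier offline. */
size_t build_sample(unsigned char *out, int is64, int be, int with_interp)
{
    size_t ehsize = is64 ? 64 : 52, phentsize = is64 ? 56 : 32;
    size_t phnum = with_interp ? 2 : 1;
    memset(out, 0, ehsize + phnum * phentsize);
    memcpy(out, "\177ELF", 4);
    out[4] = is64 ? 2 : 1;                               /* EI_CLASS */
    out[5] = be ? 2 : 1;                                 /* EI_DATA */
    out[6] = 1;                                          /* EI_VERSION */
    wr(out + (is64 ? 32 : 28), is64 ? 8 : 4, be, ehsize);  /* e_phoff */
    wr(out + (is64 ? 54 : 42), 2, be, phentsize);          /* e_phentsize */
    wr(out + (is64 ? 56 : 44), 2, be, phnum);              /* e_phnum */
    wr(out + ehsize, 4, be, PT_LOAD);
    if (with_interp)
        wr(out + ehsize + phentsize, 4, be, PT_INTERP);
    return ehsize + phnum * phentsize;
}

int sample_kind(int is64, int be, int with_interp)
{
    unsigned char img[64 + 2 * 56];
    return elf_link_kind(img, build_sample(img, is64, be, with_interp));
}

/* Classify a file on disk (whole file read into memory; fine for binaries). */
int elf_file_link_kind(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f) return ELF_BAD;
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return ELF_BAD; }
    long sz = ftell(f);
    if (sz < 0) { fclose(f); return ELF_BAD; }
    unsigned char *buf = malloc((size_t)sz + 1);
    rewind(f);
    size_t len = buf ? fread(buf, 1, (size_t)sz, f) : 0;
    fclose(f);
    int kind = buf ? elf_link_kind(buf, len) : ELF_BAD;
    free(buf);
    return kind;
}

int main(int argc, char **argv)
{
    static const char *name[] = { "static", "dynamic" };
    if (argc < 2) {                 /* no files: show the classifier on samples */
        printf("ELF64 LSB with PT_INTERP:    %s\n", name[sample_kind(1, 0, 1)]);
        printf("ELF32 MSB without PT_INTERP: %s\n", name[sample_kind(0, 1, 0)]);
        return 0;
    }
    for (int i = 1; i < argc; i++) {
        int k = elf_file_link_kind(argv[i]);
        printf("%s: %s\n", argv[i], k < 0 ? "not an ELF executable" : name[k]);
    }
    return 0;
}
```

Build with `cc -o static_elf static_elf.c` and run it over the system directories (for example `./static_elf /bin/* /sbin/* /usr/bin/*`): every file reported as static still contains the libc it was linked against and must be relinked from rebuilt sources, which is exactly the set a shared-library-only update would miss. The check recognises ELF only; scripts and anything in another object format come back as not an ELF executable rather than being guessed at.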