severity 559107 important
--
But the status of CVE-2008-114[678] is still open. Do they affect the
KFreeBSD port? What's the position of the FreeBSD kernel developers on
these issues?
I used as description this
http://www.trusteer.com/docs/OpenBSD_DNS_Cache_Poisoning_and_Multiple_OS_Predictable_IP_ID_Vulnerability.pdf
The GNU/kFreeBSD (kfreebsd-?) is not affected by CVE-2008-1146 and
CVE-2008-1148 at all.
For CVE-2008-1147 holds:
Exploitations of the predictability of the IP fragmentation ID were made
public almost a decade ago.
NetBSD, FreeBSD and DragonFlyBSD do not randomize IP fragmentation ID
field at all by default, and provide a kernel flag
(net.inet.ip.random_id) that enables randomization through the weak algorithm.
The weak algorithm have been replaced by upstream commit (Feb 6 2008)
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_id.c?rev=1.10;contenttype=
Replace the random IP ID generation code we
obtained from OpenBSD with an algorithm suggested
by Amit Klein. The OpenBSD algorithm has a few
flaws; see Amit's paper for more information.
For a description of how this algorithm works,
please see the comments within the code.
Note that this commit does not yet enable random IP ID
generation by default. There are still some concerns
that doing so will adversely affect performance.
This commit have not been MFC-ed to STABLE-7.
The default value for net.inet.ip.random_id is 0 even in HEAD,
The FreeBSD developers/security_team did publish no "security advisory",
no "errata notice", they did not include it in next release (7.1 - January 2009).
Petr
--
To UNSUBSCRIBE, email to debian-bsd-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
