severity 559107 normal
thanks

On Thu, Dec 03, 2009 at 02:01:06PM +0100, Petr Salinger wrote:
> severity 559107 important
> --
>
> > But the status of CVE-2008-114[678] is still open. Do they affect the
> > KFreeBSD port? What's the position of the FreeBSD kernel developers on
> > these issues?
>
> I used as description this
>
> http://www.trusteer.com/docs/OpenBSD_DNS_Cache_Poisoning_and_Multiple_OS_Predictable_IP_ID_Vulnerability.pdf
>
> The GNU/kFreeBSD (kfreebsd-?) is not affected by CVE-2008-1146 and
> CVE-2008-1148 at all.

Thanks, fixed in the Debian Security Tracker.

> For CVE-2008-1147 the following holds:
>
> Exploitations of the predictability of the IP fragmentation ID were made
> public almost a decade ago.
> NetBSD, FreeBSD and DragonFlyBSD do not randomize the IP fragmentation ID
> field at all by default, and provide a kernel flag
> (net.inet.ip.random_id) that enables randomization through the weak
> algorithm.
>
> The weak algorithm has been replaced by upstream commit (Feb 6 2008)
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_id.c?rev=1.10;contenttype=
>
>   Replace the random IP ID generation code we
>   obtained from OpenBSD with an algorithm suggested
>   by Amit Klein. The OpenBSD algorithm has a few
>   flaws; see Amit's paper for more information.
>
>   For a description of how this algorithm works,
>   please see the comments within the code.
>
>   Note that this commit does not yet enable random IP ID
>   generation by default. There are still some concerns
>   that doing so will adversely affect performance.
>
> This commit has not been MFC-ed to STABLE-7.
> The default value for net.inet.ip.random_id is 0 even in HEAD.
>
> The FreeBSD developers/security_team published no "security
> advisory" and no "errata notice", and they did not include it in the
> next release (7.1 - January 2009).

If I understand it correctly, this means that the fix is present in
kfreebsd-8, but not kfreebsd-7? Not having it enabled by default seems
good enough to me.

Will Squeeze use kfreebsd-7 or -8 or both?

Cheers,
        Moritz
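[Editor's note, added after the thread and not part of any message above.] The practical question behind CVE-2008-1147 is whether a host hands out IP IDs that an observer can predict. The quickest field check for the case the thread actually discusses (net.inet.ip.random_id left at 0, so the kernel uses a plain counter) is to capture a handful of packets from the host and look at how the ID field advances. The script below is an added example written for this page, not code from Debian, FreeBSD or the trusteer paper. It parses the "id NNNN" field from tcpdump -v style header lines, takes successive differences modulo 2^16, and reports "sequential" when most steps are small positive increments. The sample lines and the threshold values (max_step, threshold) are constructed for illustration.

```python
import re

# The IPv4 identification field is 16 bits, so successive differences
# must be taken modulo 2^16 to handle counter wrap-around.
MODULUS = 1 << 16

# tcpdump -v prints the header as
#   IP (tos 0x0, ttl 64, id 4101, offset 0, flags [DF], proto TCP (6), length 60)
IP_ID_RE = re.compile(r"\bid (\d+),")


def extract_ip_ids(lines):
    """Pull the IP ID out of every tcpdump -v header line that carries one."""
    ids = []
    for line in lines:
        m = IP_ID_RE.search(line)
        if m:
            ids.append(int(m.group(1)))
    return ids


def id_deltas(ids):
    """Successive differences modulo 2^16, so 65535 -> 0 counts as a step of 1."""
    return [(b - a) % MODULUS for a, b in zip(ids, ids[1:])]


def classify_ip_ids(ids, max_step=16, threshold=0.8):
    """Heuristic: a global counter shows up as small positive steps (1 when the
    host is idle, a bit more when other flows consume IDs in between).  A
    randomized generator makes a step in 1..max_step about max_step/65536 of
    the time, so a high share of small steps is a strong sequential signal.
    max_step and threshold are assumed values, not taken from any standard."""
    if len(ids) < 5:
        return "insufficient"
    deltas = id_deltas(ids)
    small = sum(1 for d in deltas if 1 <= d <= max_step)
    return "sequential" if small / len(deltas) >= threshold else "randomized"


# Constructed sample: a host whose IDs advance by one per packet, with a few
# IDs consumed by unrelated traffic in between (the behaviour Petr describes
# for net.inet.ip.random_id=0).
SEQUENTIAL_LINES = [
    "IP (tos 0x0, ttl 64, id %d, offset 0, flags [DF], proto TCP (6), length 60)" % i
    for i in (4101, 4102, 4103, 4105, 4106, 4107, 4108, 4110, 4111, 4112)
]

# Constructed sample: IDs chosen to look like a randomized generator's output.
RANDOMIZED_LINES = [
    "IP (tos 0x0, ttl 64, id %d, offset 0, flags [DF], proto TCP (6), length 60)" % i
    for i in (53124, 2201, 41987, 17650, 60003, 9312, 28874, 45166, 7789, 33020)
]


def demo():
    """Classify both constructed captures; returns a dict of verdicts."""
    return {
        "sequential": classify_ip_ids(extract_ip_ids(SEQUENTIAL_LINES)),
        "randomized": classify_ip_ids(extract_ip_ids(RANDOMIZED_LINES)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%s capture: %s" % (name, verdict))
```

One caveat that matters for this thread: this check only catches the trivially sequential case. The point of Amit Klein's paper is that the OpenBSD-derived generator behind the random_id flag produced IDs that pass a "looks random" test like this one yet can still be predicted from enough observed samples. A host that reports "randomized" here has cleared the low bar of the default counter, not the bar the replacement algorithm was written to meet.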