Hi,

On 19/10/12 20:34, Moritz Muehlenhoff wrote:
> Two security issues were found in the kfreebsd network stack:
> http://www.openwall.com/lists/oss-security/2012/10/10/8
> Issue #1 was assigned CVE-2012-5363
> Issue #2 was assigned CVE-2012-5365

Thank you for mentioning it.

Issue #2 seems similar to CVE-2011-2393, which I assumed was only relevant where we'd set net.inet6.ip6.accept_rtadv=1, which isn't the upstream FreeBSD default.

Issue #1 however might affect any FreeBSD system acting as an IPv6 router. If this can actually be confirmed, then the worst case I can imagine is if a FreeBSD box acts as an IPv6 router for multiple interfaces, perhaps serving different users; any one of them might flood with Neighbour Solicitations on their local link and create a DoS affecting other interfaces.

I found some code committed to OpenBSD (in 2008, uh-oh), supposedly from KAME (but I can't find it in their repository?), implementing per-interface and global limits on the number of prefixes/routes accepted via RA. I imagine that's the best way to avoid some or all of these issues.

> http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/in6_proto.c?sortby=date#rev1.56

Just recently it seems this was also committed to NetBSD HEAD: "4 new sysctls to avoid ipv6 DoS attacks from OpenBSD".
I don't know of an easier way to link to a whole CVS commit, but here are (hopefully all) the changes to individual files:

> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/ip6_input.c.diff?r1=1.138&r2=1.139&sortby=date&only_with_tag=MAIN
> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/ip6_var.h.diff?r1=1.58&r2=1.59&sortby=date&only_with_tag=MAIN
> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/nd6.c.diff?r1=1.142&r2=1.143&sortby=date&only_with_tag=MAIN
> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/nd6.h.diff?r1=1.56&r2=1.57&sortby=date&only_with_tag=MAIN
> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/icmp6.c.diff?r1=1.160&r2=1.161&sortby=date&only_with_tag=MAIN
> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/in6.c.diff?r1=1.160&r2=1.161&sortby=date&only_with_tag=MAIN
> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/in6_proto.c.diff?r1=1.96&r2=1.97&sortby=date&only_with_tag=MAIN
> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/in6_var.h.diff?r1=1.64&r2=1.65&sortby=date&only_with_tag=MAIN
> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/nd6_rtr.c.diff?r1=1.82&r2=1.83&sortby=date&only_with_tag=MAIN

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org

Archive: http://lists.debian.org/5081cd71.2050...@pyro.eu.org
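The multi-interface router scenario in the message above (one link flooding RA-learnt state until other interfaces are starved) is exactly what per-interface limits address. The following C model is an added example; it is not code from the message, nor from OpenBSD, NetBSD or FreeBSD. It assumes a hypothetical fixed-size prefix table with constructed caps (GLOBAL_CAP standing in for memory exhaustion, PER_IF_CAP standing in for a per-interface sysctl limit) and models only the accept/reject accounting, not the real nd6 data structures.

```c
#include <stdio.h>
#include <string.h>

/* Toy model of a kernel's RA-learnt prefix table (constructed for
 * illustration; the real nd6 structures look nothing like this). */
#define MAX_IFACES 4
#define GLOBAL_CAP 8    /* assumed: total prefixes the table can hold */
#define PER_IF_CAP 3    /* assumed: per-interface cap, in the spirit of the
                         * OpenBSD/NetBSD per-interface limits */

struct prefix_table {
    int total;                  /* prefixes installed, all interfaces */
    int per_if[MAX_IFACES];     /* prefixes installed per interface */
    int per_if_limit;           /* 0 = unlimited: behaviour without the fix */
};

void pt_init(struct prefix_table *t, int per_if_limit)
{
    memset(t, 0, sizeof *t);
    t->per_if_limit = per_if_limit;
}

/* Decide whether a prefix learnt from an RA on interface ifidx is installed.
 * Returns 1 if installed, 0 if dropped. */
int pt_accept(struct prefix_table *t, int ifidx)
{
    if (ifidx < 0 || ifidx >= MAX_IFACES)
        return 0;
    if (t->total >= GLOBAL_CAP)             /* table full: hard resource limit */
        return 0;
    if (t->per_if_limit > 0 && t->per_if[ifidx] >= t->per_if_limit)
        return 0;                           /* this link has used its share */
    t->total++;
    t->per_if[ifidx]++;
    return 1;
}

/* Scenario: a host on `attacker` floods n distinct RA prefixes, then a
 * legitimate router on `victim` advertises one prefix. Returns 1 if the
 * victim's prefix is still installed, 0 if the flood starved it. */
int simulate(int per_if_limit, int attacker, int victim, int n)
{
    struct prefix_table t;
    int i;

    pt_init(&t, per_if_limit);
    for (i = 0; i < n; i++)
        pt_accept(&t, attacker);
    return pt_accept(&t, victim);
}

int main(void)
{
    printf("no per-interface limit: victim prefix installed = %d\n",
           simulate(0, 0, 1, 100));
    printf("per-interface limit %d: victim prefix installed = %d\n",
           PER_IF_CAP, simulate(PER_IF_CAP, 0, 1, 100));
    return 0;
}
```

Without a per-interface limit the flood fills the shared table and the other interface's router is refused; with the limit the flooding link is capped well below the global ceiling and the other interface is unaffected. The real OpenBSD/NetBSD change also bounds default routers and dynamically added routes, which this model does not attempt to show.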