On 28/07/13 20:59, Moritz Muehlenhoff via RT wrote:
> There're also CVE-2012-5365, CVE-2012-5363 and CVE-2011-2393 open
> for kfreebsd-9. Any chance we can fix these along?
It still seems our best option for wheezy is to merely document those issues, as suggested in http://bugs.debian.org/684072#22 - after which I'm not sure if we should mark them as 'fixed' in the security tracker and/or BTS?

A reasonably good mitigation is in OpenBSD and NetBSD but hasn't been ported to FreeBSD yet. It looks risky to try doing that ourselves, and in any case would take a while. It is still not a perfect solution and some vendors call it an undefined problem of the IPv6 protocol.

Disabling accept_rtadv by default might help in some cases, but that seems too intrusive for a stable/security update, in case hosts are relying on it for their connectivity. It may be more viable for jessie (after some changes to ifupdown) and we should pursue that goal. But then we should still document the risks in case the user re-enables accept_rtadv anyway.

Regards,
--
Steven Chamberlain
ste...@pyro.eu.org

Archive: http://lists.debian.org/51f59da1.9000...@pyro.eu.org
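The concern raised above is that turning off router advertisement (RA) acceptance can cut off a host that obtained its IPv6 address via SLAAC. The following is an added example, not part of the mail or of the Debian kfreebsd packaging: a small POSIX sh script that inspects FreeBSD-style ifconfig output for addresses flagged "autoconf" (the marker FreeBSD's ifconfig prints for RA-learned addresses) and only then prints the commands that would disable RA acceptance. It assumes the sysctl name net.inet6.ip6.accept_rtadv and the per-interface ifconfig flag "-accept_rtadv" as found in FreeBSD 9; the ifconfig output it parses is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original mail). Before disabling IPv6 RA
# acceptance on a kfreebsd/FreeBSD host, find interfaces whose inet6
# addresses carry the "autoconf" flag: those addresses came from router
# advertisements, so the host may depend on RAs for its connectivity.
#
# Assumptions (FreeBSD 9 era): ifconfig prints "autoconf" on SLAAC
# addresses, the global knob is sysctl net.inet6.ip6.accept_rtadv, and
# "ifconfig IF inet6 -accept_rtadv" disables it per interface.

# Print the names of interfaces having at least one autoconf inet6
# address. Reads ifconfig(8)-style output on stdin, one name per line.
autoconf_ifaces() {
    awk '
        /^[a-z0-9]+:/ { iface = $1; sub(":$", "", iface) }
        /inet6 / && /autoconf/ { seen[iface] = 1 }
        END { for (i in seen) print i }
    ' | sort
}

# Print (do not run) the commands that disable RA acceptance globally
# and on each interface named in $1 (space separated).
disable_rtadv_cmds() {
    echo "sysctl net.inet6.ip6.accept_rtadv=0"
    for i in $1; do
        echo "ifconfig $i inet6 -accept_rtadv"
    done
}

# Constructed sample ifconfig output; em0 has an RA-learned address,
# em1 has a statically configured one, lo0 has none.
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
    inet6 fe80::1%em0 prefixlen 64 scopeid 0x1
    inet6 2001:db8:1::1 prefixlen 64 autoconf
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet6 fe80::2%em1 prefixlen 64 scopeid 0x2
    inet6 2001:db8:2::10 prefixlen 64
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    inet6 ::1 prefixlen 128
    inet 127.0.0.1 netmask 0xff000000'

main() {
    # On a real host replace the sample with: ifconfig | autoconf_ifaces
    relies=$(printf '%s\n' "$SAMPLE_IFCONFIG" | autoconf_ifaces)
    if [ -n "$relies" ]; then
        echo "Interfaces with RA-learned (autoconf) addresses: $relies"
        echo "Disabling accept_rtadv may break connectivity on them; review first."
    else
        echo "No autoconf addresses found; disabling RA acceptance looks safe."
    fi
    echo "Commands that would be run (dry run):"
    disable_rtadv_cmds "em0 em1"
}

main
```

The script only prints the sysctl and ifconfig commands; a stable update would still need the ifupdown changes mentioned in the mail to make the setting persistent and per-interface.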