On Fri, Apr 1, 2011 at 4:16 AM, Joachim Schipper <joac...@joachimschipper.nl> wrote:
> I'm not sure if you were aware of
> http://seclists.org/fulldisclosure/2011/Apr/0? In any case, it might be
> worth looking into.
Yeah. There are multiple reasons why we're not particularly at risk:

1. We disable IPComp processing by default.
2. Even if IPComp processing is enabled, you need to have an IPComp Association set up in the kernel.
3. We don't have userspace tool support for setting up IPCAs.
4. Our kernel zlib code is broken on 64-bit architectures.

Also, the vulnerability is 'just' a DoS, not a potential remote root exploit like on NetBSD/OS X.

For the time being, I'd suggest anyone concerned ensure IPComp processing is disabled; i.e., make sure "sysctl net.inet.ipcomp.enable" is set to 0. (And like I said, it's disabled by default.)
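A small shell check for the mitigation the reply recommends, added here as an example and not part of the original thread. It assumes the sysctl name net.inet.ipcomp.enable quoted above and the usual sysctl(8) output shapes ("name=value" or "name: value"); the parsing is split out from the live query so the logic can be exercised on constructed output lines, and a host whose kernel has no such sysctl at all is reported as "absent" rather than treated as a failure.

```shell
#!/bin/sh
# Added example: verify that IPComp processing is disabled, per the advice
# in the reply above. Assumes the sysctl net.inet.ipcomp.enable exists on
# the target host and that sysctl(8) prints "name=value" or "name: value".

# Extract the numeric value from one line of sysctl output for
# net.inet.ipcomp.enable. Prints nothing if the line is not that sysctl.
ipcomp_value_from_output() {
    printf '%s\n' "$1" | sed -n \
        's/^[[:space:]]*net\.inet\.ipcomp\.enable[=:][[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Exit status: 0 if the line shows IPComp disabled (value 0),
#              1 if it shows IPComp enabled (any non-zero value),
#              2 if the line could not be parsed as that sysctl.
ipcomp_disabled_from_output() {
    v=$(ipcomp_value_from_output "$1")
    case "$v" in
        0)  return 0 ;;
        '') return 2 ;;
        *)  return 1 ;;
    esac
}

# Live check: query the running kernel. Prints one of
# "absent" (sysctl not present, i.e. no IPComp support to disable),
# "disabled", or "ENABLED ..." (non-zero exit so it can gate a script).
check_ipcomp_live() {
    out=$(sysctl net.inet.ipcomp.enable 2>/dev/null) || { echo "absent"; return 0; }
    if ipcomp_disabled_from_output "$out"; then
        echo "disabled"
        return 0
    fi
    echo "ENABLED: set net.inet.ipcomp.enable to 0 with sysctl(8) and persist it in /etc/sysctl.conf"
    return 1
}

# Run the live check only when asked, so sourcing this file has no side effects.
if [ "${1:-}" = "--live" ]; then
    check_ipcomp_live
fi
```

Run it as `sh ipcomp_check.sh --live` (the file name is a placeholder) on the host in question; a non-zero exit means the sysctl is present and set to something other than 0.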