On 3/16/07, Karel Kulhavy <[EMAIL PROTECTED]> wrote:
> On Thu, Mar 15, 2007 at 11:52:44AM +0100, Claudio Jeker wrote:
> > On Thu, Mar 15, 2007 at 10:26:23AM +0000, Gaby Vanhegan wrote:
> > > Hi,
> > >
> > > Reading the security advisory for the ipv6 buffer issue, the
> > > workaround is to block inet6 traffic in pf.conf. My default block
> > > line is actually:
> > >
> > > block in on $ext_if
> > >
> > > Where $ext_if is the net connection (the only network connection the
> > > machine is plugged into). Is the rule:
> > >
> > > block in inet6
>
> I have put block in inet6 into my /etc/pf.conf. Do I need to do anything
> else (turn something on somewhere else) or does it already protect against
> the overflow?

To be sure, you could apply the patch. Then you're protected even if
you inadvertently futz your ruleset, or disable PF or that filter rule
somehow.

> How can I test that the protection really works? Is there
> somewhere a Linux program I can run to test if I can log in remotely into
> an OpenBSD machine as the root?

A PoC exploit has been released which you *may* be able to use to test
your exposure. IMHO you're better patching and having complete
assurance.

DS
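
The failure modes mentioned in the reply above (PF disabled, or the filter rule lost or overridden in the ruleset) can be checked from the output of `pfctl -si` and `pfctl -sr`. This is an added example, not part of the original thread: the function name `check_pf_inet6` is hypothetical, the sample output is constructed, and the check deliberately ignores interface- or protocol-restricted block rules.

```shell
#!/bin/sh
# Live use (run as root on the OpenBSD host):
#   check_pf_inet6 "$(pfctl -si)" "$(pfctl -sr)"
# Return codes:
#   0 = inbound inet6 is blocked and nothing overrides the block
#   1 = pf is not enabled, so no rule is applied at all
#   2 = no unrestricted inbound block rule covering inet6 is loaded
#   3 = a pass rule can override the block (pf uses the LAST matching
#       rule unless a rule is marked "quick")
check_pf_inet6() {
    info=$1
    rules=$2
    printf '%s\n' "$info" | grep -q '^Status: Enabled' || return 1
    printf '%s\n' "$rules" | awk '
        # A rule can match inbound IPv6 unless it is "out" or IPv4-only.
        function in6(l) {
            return l !~ /(^| )out( |$)/ && l !~ /(^| )inet( |$)/
        }
        # Count only block rules with no interface/protocol restriction.
        /^block/ && in6($0) && !/ on / && !/ proto / && / all$/ {
            blocked = 1; late_pass = 0
            if (/ quick /) exit      # quick block: evaluation stops here
            next
        }
        /^pass/ && in6($0) {
            if (/ quick /) quick_pass = 1   # wins before any later block
            else if (blocked) late_pass = 1 # later match beats the block
        }
        END {
            if (!blocked) exit 2
            if (quick_pass || late_pass) exit 3
            exit 0
        }'
}

# Constructed sample output, not captured from a real host.
SAMPLE_INFO='Status: Enabled for 0 days 00:10:00'
SAMPLE_RULES='block drop in inet6 all
pass in proto tcp from any to any port = ssh'

rc=0
check_pf_inet6 "$SAMPLE_INFO" "$SAMPLE_RULES" || rc=$?
echo "verdict for sample ruleset: $rc"
```

The sample ruleset yields 3 because the later `pass` rule carries no address family and therefore also matches inet6 traffic.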