> Topic: bsnmpd remote denial of service vulnerability
...
> III. Impact
>
> This issue could be exploited to execute arbitrary code in the context of
> the service daemon, or crash the service daemon, causing a denial-of-service.
The title/topic of this advisory should be changed reflec
Hi -security,
I work at EMC Isilon and one of our developers has found a race in opencrypto
and provided the attached patch to address it.
The situation as explained to me is that the crypto request queue and dequeue
operate under CRYPTO_Q_LOCK, along with crypto_invoke and thus crypto
process
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
=
FreeBSD-SA-14:03.openssl Security Advisory
The FreeBSD Project
Topic:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
=
FreeBSD-SA-14:02.ntpd Security Advisory
The FreeBSD Project
Topic:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
=
FreeBSD-SA-14:04.bind Security Advisory
The FreeBSD Project
Topic:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
=
FreeBSD-SA-14:01.bsnmpd Security Advisory
The FreeBSD Project
Topic:
On 2 Nov 2013, at 20:24, Karl Pielorz wrote:
So as I'd kind of guessed - it's not really vanilla 4.2.4p8 that it's
running, it's based on 4.2.4p8 with additional patches that have been
applied by FreeBSD, to address the applicable notifications?
Yes.
On Tue, 14 Jan 2014, Eugene Grosbein wrote:
On 14.01.2014 20:11, Dag-Erling Smørgrav wrote:
Garrett Wollman writes:
For a "pure" client, I would suggest "restrict default ignore" ought
to be the norm. (Followed by entries to unrestrict localhost over v4
and v6.)
Pure clients shouldn't use
According to Cristiano Deana on Tue, Jan 14, 2014 at 09:17:51AM +0100:
> > I think it's better to upgrade the version in base AND to write a security
> > advisory.
>
> I wish we could, but 4.2.7 is a moving target right now.
I think I will stop trying to upgrade to 4.2.6p5 (the one I imported a f
Ferdinand Goldmann writes:
> Dag-Erling Smørgrav writes:
> > Doesn't "restrict noquery" block monlist in 4.2.6?
> I think it should be possible to block it using:
>
> disable monitor
>
> seems to work for me.
That disables monlist across the board, whereas the restrict mechanism
allows you to di
Eugene Grosbein writes:
> That's first time I see a reference to sntp(8) for FreeBSD [...] Is
> it documented somewhere?
It's part of ISC NTP and is included in FreeBSD 10 as well as in the
net/ntp{,-devel,-rc} ports.
DES
--
Dag-Erling Smørgrav - d...@des.no
On 14.01.2014, at 14:06, Dag-Erling Smørgrav wrote:
> Cristiano Deana writes:
>> I tried several workarounds with config and policy, and ended up you MUST
>> have 4.2.7 to stop these kinds of attacks.
>
> Doesn't "restrict noquery" block monlist in 4.2.6?
I think it should be possible to block
On 14.01.2014 20:11, Dag-Erling Smørgrav wrote:
> Garrett Wollman writes:
>> For a "pure" client, I would suggest "restrict default ignore" ought
>> to be the norm. (Followed by entries to unrestrict localhost over v4
>> and v6.)
>
> Pure clients shouldn't use ntpd(8). They should use sntp(8) o
On Tue, Jan 14, 2014 at 2:06 PM, Dag-Erling Smørgrav wrote:
Hi,
> > I tried several workarounds with config and policy, and ended up you MUST
> > have 4.2.7 to stop these kinds of attacks.
>
> Doesn't "restrict noquery" block monlist in 4.2.6?
I didn't try.
Following this document:
https://cert.l
Garrett Wollman writes:
> For a "pure" client, I would suggest "restrict default ignore" ought
> to be the norm. (Followed by entries to unrestrict localhost over v4
> and v6.)
Pure clients shouldn't use ntpd(8). They should use sntp(8) or a
lightweight NTP client like ttsntpd.
DES
--
Dag-Erl
Cristiano Deana writes:
> I tried several workarounds with config and policy, and ended up you MUST
> have 4.2.7 to stop these kinds of attacks.
Doesn't "restrict noquery" block monlist in 4.2.6?
DES
--
Dag-Erling Smørgrav - d...@des.no
On Thu, 09 Jan 2014 21:18:56 -0800,
Xin Li wrote:
> On 1/9/14, 6:12 AM, Palle Girgensohn wrote:
> >
> > On 9 Jan 2014, at 15:08, Eugene Grosbein wrote:
> >
> >> On 09.01.2014 19:38, Palle Girgensohn wrote:
> >>> They recommend at least 4.2.7. Any thoughts about this?
> >>
> >> Other than updat
On Mon, Jan 13, 2014 at 8:41 PM, Xin Li wrote:
Hi Xin,
> Do you have packet captures? If the configuration I have suggested
> didn't stop the attack, you may have a different issue than what we have
> found.
>
Please, take a look here
https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos