|
Reliability Fix: kernel NULL pointer dereference in getsockopt()
|
Contributed by weerd on Thu Oct 29 07:13:33 2009 (GMT)
from the evil-ipsec dept.
A bug has been found in the IPsec parts of ip_output.c that can lead to a NULL pointer dereference in getsockopt(). On kernels from before 4.4, this could lead to a local privilege escalation on certain architectures. The currently supported releases, however, protect against this by no longer allowing userland to map the NULL page in the kernel, reducing the attack to a local Denial of Service by panicking the kernel.
Patches are available for OpenBSD 4.6 (patch, errata), OpenBSD 4.5 (patch, errata) and OpenBSD 4.4 (patch, errata). Of course, the patches are already available in -current; the commit message for the IPv4 case can be found below, and the IPv6 commit is nearly identical. This issue affects all architectures.
Date: Wed, 28 Oct 2009 12:02:01 -0600 (MDT)
From: Theo de Raadt
To: source-changes@cvs.openbsd.org
Subject: CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: deraadt@cvs.openbsd.org 2009/10/28 12:02:00
Modified files:
sys/netinet : ip_output.c
Log message:
*NULL store in IP_AUTH_LEVEL, IP_ESP_TRANS_LEVEL, IP_ESP_NETWORK_LEVEL,
IP_IPCOMP_LEVEL found by Clement LECIGNE, localhost root exploitable on
userland/kernel shared vm machines (ie. i386, amd64, arm, sparc (but not
sparc64), sh, ...) on OpenBSD 4.3 or older
ok claudio
Please update your systems at your earliest convenience.
|
Tunnelling out of corporate networks (Part 2)
|
Contributed by sean on Sun Oct 25 01:07:37 2009 (GMT)
from the slackmaster dept.
Mark Uemura (mtu@) writes in:
Malware tunnelling out of corporate networks
This next part is about the proliferation of malware, the failure of end-point security add-ons and why we need a security paradigm shift to help prevent the spread of malware and protect unauthorised access to private and confidential data. I will talk about the problem space and how we need a very different approach to protecting sensitive information.
Read on to find out more about malware and end-point security failure:
|
The -stable Ports Tree for 4.6
|
Contributed by maxime on Thu Oct 22 15:04:58 2009 (GMT)
from the porting-the-future dept.
William Yodlowsky (william@) announced on the announce@ mailing list that the OpenBSD project will shortly be providing -stable updates for the 4.6 ports tree:
From: William Yodlowsky
To: announce@openbsd.org
Subject: 4.6-stable ports
Date: Wed, 21 Oct 2009 23:05:37 -0400
We are happy to announce that 4.6-stable ports will soon be receiving
security updates and fixes.
Please note that this also marks the end of updates to 4.5-stable
ports, as we are supporting the presently-available release only.
Thanks, William, for your work on -stable ports!
|
OpenBSD 4.6 released
|
Contributed by weerd on Sun Oct 18 15:53:56 2009 (GMT)
from the friendly-frog-delivery dept.
The OpenBSD team is pleased to announce the release of OpenBSD 4.6.
See the announcement for more information.
Place an order worldwide or order it from the shop closest to you, or if you only download from FTP then make a donation.
If you do FTP your release, be sure to use a local mirror and not the main ftp server:
• ftp.eu.openbsd.org | Europe (Sweden)
• obsd.cec.mtu.edu | MI, USA
• anga.funkfeuer.at | Austria
• ftp3.usa.openbsd.org | CO, USA
• ftp.wu-wien.ac.at | Austria
• ftp5.usa.openbsd.org | CA, USA
Highlights of OpenBSD 4.6 are listed below.
|
New Ports of The Week (October 12)
|
Contributed by maxime on Sat Oct 17 15:02:47 2009 (GMT)
from the hackathon-tracking dept.
There were 23 new ports for the week of October 5 to October 11:
- audio:
- devel:
- p5-aliased
- p5-Params-Coerce
- p5-SUPER
- p5-AutoXS-Header
- p5-Class-XSAccessor
- rsvndump
- openmpi
- ethos
- education:
- games:
- lostpixels
- egoboo
- jbrickshooter
- snipe2d
- graphics:
- net:
- productivity:
- www:
- cntlm
- blogsum
- drupal6/draft
- x11:
Some ports had updates that users should be aware of; 2 ports were removed.
|
Heads up! Gilles Chehade comments recent OpenSMTPD changes
|
Contributed by johan on Tue Oct 13 12:23:24 2009 (GMT)
from the you-got-mail dept.
Gilles Chehade (gilles@) commented on one of his own commits on the source-changes mailing list, asking users of OpenSMTPD to submit information about any issues detected after the recent separation of the virtual domains and aliases resolution code, and instructions on how to best make the transition.
Please see below for the comment:
|
Developer Blog: MIDI on OpenBSD
|
Contributed by weerd on Mon Oct 12 15:04:01 2009 (GMT)
from the sounds-like-midi dept.
Some time ago, there was a huge MIDI-related commit from Alexandre Ratchov (ratchov@). He has summarized his work in a new installment of OpenBSD Journal's developer blog.
MIDI is for electronic musical instruments what Ethernet is for
computers. It is a slow (3125 bytes/s) unidirectional point-to-point
serial link between keyboards, synthesizers, hardware multitrackers and
so on. MIDI is aimed to allow one piece of equipment to control another one, possibly
making all of them cooperate on the same (typically music-related)
project. For instance, MIDI keyboards can send notes to
play to a synthesizer in real-time; or a hardware multitracker can send clock ticks
to a drum machine to stay in sync. The protocol is real-time, which
simply means that messages have to be executed as soon as they are
received, there are no timestamps involved.
Please read on for the rest of Alexandre's story:
|
Ports Hackathon p2k9 in Budapest, Hungary
|
Contributed by weerd on Sun Oct 11 18:31:03 2009 (GMT)
from the porting-at-the-danube dept.
Robert Nagy (robert@) wrote a quick note to the ports@ and tech@ mailing lists about the p2k9 hackathon that is currently in progress:
From: Robert Nagy
To: tech@openbsd.org
Cc: ports@openbsd.org
Date: Sun, 11 Oct 2009 16:56:00 +0200
Subject: Thank you for making p2k9 possible!
Hello
p2k9 (the ports hackathon in Budapest) is on since Friday. People
are working on different things like GNOME, GCC4, BluRay support or
even ACPI.
I would like to thank everyone who donated money to the project because
the individual donors made it possible to organize this event.
So ... BIG THANKS GOES TO OUR USERS, to people supporting the project
even at these times.
I'd also like to thank NIIF and Sun Microsystems Hungary for lending
us a nice hackroom and hardware for the hackathon.
The results of the hackathon can already be seen in the massive amount of commits to the ports tree over the last few days. Events like these, where developers get together to work on parts of the tree, really help to make lots of progress in a short amount of time. So, thanks to all those guys in Budapest who are working hard to get us those easily installable third party software packages!
|
OpenSSH celebrates 10th anniversary with release of 5.3
|
Contributed by weerd on Sun Oct 4 13:27:07 2009 (GMT)
from the 10-years-of-security dept.
On October 1st, Damien Miller posted an announcement to the announce@openbsd.org mailing list, informing the world about the release of OpenSSH 5.3. This marks the 10th anniversary of OpenSSH, one of the most widely used software packages around.
OpenSSH has come a long way since the fork of the once free ssh distribution. Today, it is the pillar of remote management everywhere. It is often used for secure file transfer, tunneling X11 clients and generic TCP sessions. OpenSSH is found in just about every OS out there (and if it's not in yours by default, chances are good you can install the portable version) and is even used on a variety of network devices such as routers, switches and load-balancers.
It's safe to say that millions rely on the security and confidentiality provided by this ubiquitous piece of software. It is a great example of high quality open source code. Please celebrate the 10 year anniversary by showing your appreciation with a donation to the project producing this excellent piece of software that is undoubtedly also part of the infrastructure at your company.
OpenBSD Errata
|
2009-10-28 | 003 RELIABILITY getsockopt(2) with any of IP_AUTH_LEVEL, IP_ESP_TRANS_LEVEL, IP_ESP_NETWORK_LEVEL, IP_IPCOMP_LEVEL will crash the system.
2009-10-05 | 002 RELIABILITY XMM exceptions are not correctly handled resulting in a kernel panic.
2009-07-29 | 001 RELIABILITY A vulnerability has been found in BIND's named server (CVE-2009-0696). An attacker could crash a server with a specially crafted dynamic update message to a zone for which the server is master.