15 October 2008



             AUSCERT External Security Bulletin Redistribution

                         ESB-2008.0980 -- [NetBSD]
         NetBSD 4.0.1 released incorporating previous and upcoming
                         security advisory patches
                              15 October 2008


        AusCERT Security Bulletin Summary

Product:              NetBSD
Publisher:            NetBSD
Operating System:     NetBSD
Impact:               Execute Arbitrary Code/Commands
                      Cross-site Request Forgery
                      Denial of Service
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-4247 CVE-2008-3652 CVE-2008-3651
                      CVE-2008-3584 CVE-2008-3530 CVE-2008-2476
                      CVE-2008-2464 CVE-2008-1657 CVE-2008-1483
                      CVE-2008-1447 CVE-2008-1391 CVE-2008-1372
                      CVE-2008-0006 CVE-2007-3798 CVE-2007-3108
                      CVE-2007-1218 CVE-2006-2362 CVE-2005-0953

Ref:                  ESB-2008.0819

Original Bulletin:    http://netbsd.org/releases/formal-4/NetBSD-4.0.1.html

Comment: Of the upcoming security advisories, only NetBSD-SA2008-013 and
         NetBSD-SA2008-014 are remotely exploitable.

- --------------------------BEGIN INCLUDED TEXT--------------------

                          Announcing NetBSD 4.0.1

About the NetBSD 4.0.1 Release

   The NetBSD Project is pleased to announce that update 4.0.1 of the
   NetBSD operating system is now available. NetBSD 4.0.1 is the first
   security/critical update of the NetBSD 4.0 release branch. It
   contains a selected subset of fixes deemed critical for stability or
   security reasons; no new features have been added.

   NetBSD 4.0.1 runs on 54 different system architectures featuring 17
   machine architectures across 17 distinct CPU families, and is being
   ported to more. The NetBSD 4.0.1 release contains complete binary
   releases for 51 different machine types, with the platforms amigappc,
   bebox and ews4800mips released in source form only. Complete source
   and binaries for NetBSD 4.0.1 are available for download at many sites
   around the world. A list of download sites providing FTP, AnonCVS,
   SUP, and other services is provided at the end of this announcement;
   the latest list of available download sites may also be found at
   http://www.NetBSD.org/mirrors/. We encourage users who wish to install
   via a CD-ROM ISO image to download via BitTorrent by using the torrent
   files supplied in the ISO image area. A list of hashes for the NetBSD
   4.0.1 distribution has been signed with the well-connected PGP key for
   the NetBSD Security Officer:
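   The signed hash list is only useful if the downloaded files are actually
   checked against it. The following is an added example, not code from the
   announcement or from the NetBSD tree: it extracts the body of a PGP
   clearsigned hash list in the BSD cksum(1) format `ALGO (file) = hexdigest`,
   recomputes each digest locally, and reports ok/mismatch/missing per file.
   The file names and the payload in the demo are constructed for the
   example; the announcement does not name the hash file or its entries.

```python
"""Added example, not part of the NetBSD announcement or the NetBSD tree:
check downloaded release files against a PGP-clearsigned hash list in the
BSD cksum(1) format `ALGO (file) = hexdigest`. Verifying the signature on
the list itself is done with gpg (see the note after the block); this code
only extracts the clearsigned body and checks the digests."""
import hashlib
import hmac
import os
import re
import tempfile

LINE_RE = re.compile(
    r"^(?P<algo>[A-Za-z0-9]+)\s*\((?P<name>[^)]+)\)\s*=\s*(?P<hex>[0-9a-fA-F]+)$")


def clearsigned_body(text):
    """Return the message body of a PGP clearsigned text (armor headers and
    signature removed, dash-escaped lines unescaped); pass through otherwise."""
    lines = text.splitlines()
    if not lines or lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text
    i = 1
    while i < len(lines) and lines[i].strip():   # skip "Hash: ..." headers
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line == "-----BEGIN PGP SIGNATURE-----":
            break
        body.append(line[2:] if line.startswith("- ") else line)
    return "\n".join(body)


def parse_hash_list(text):
    """Return (algorithm, filename, hexdigest) for every entry in the list.
    Any line that is not blank, a comment, or a hash entry is an error:
    silently skipping it could hide a truncated or edited list."""
    entries = []
    for line in clearsigned_body(text).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised hash list line: %r" % line)
        entries.append((m.group("algo").lower(), m.group("name"),
                        m.group("hex").lower()))
    return entries


def file_digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_files(hash_list_text, directory):
    """Map each listed filename to 'ok', 'mismatch' or 'missing'.
    basename() keeps a hostile list from pointing outside `directory`."""
    results = {}
    for algo, name, expected in parse_hash_list(hash_list_text):
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "missing"
        elif hmac.compare_digest(file_digest(path, algo), expected):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def run_constructed_demo():
    """Exercise the checker on constructed data: a stand-in release file,
    a clearsigned list covering it plus a file that was never downloaded,
    and a copy of the list with one digest altered. File names are
    invented for the demo, not NetBSD's actual distribution file names."""
    payload = b"constructed stand-in for a release file\n"
    good = hashlib.sha512(payload).hexdigest()
    listing = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n"
               "SHA512 (i386cd-4.0.1.iso) = %s\n"
               "SHA512 (amd64cd-4.0.1.iso) = %s\n"
               "-----BEGIN PGP SIGNATURE-----\n(signature omitted)\n"
               "-----END PGP SIGNATURE-----\n" % (good, good))
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "i386cd-4.0.1.iso"), "wb") as f:
            f.write(payload)
        results = verify_files(listing, d)
        tampered = listing.replace(good, "0" * 128, 1)
        results["tampered"] = verify_files(tampered, d)["i386cd-4.0.1.iso"]
    return results


if __name__ == "__main__":
    for name, status in sorted(run_constructed_demo().items()):
        print(name, status)
```

   Run `gpg --verify` on the hash list first, against a copy of the NetBSD
   Security Officer's key obtained from a source other than the mirror you
   downloaded from; a digest match against an unverified list proves only
   that the mirror is internally consistent.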

   Please note that all fixes in security/critical updates (i.e., NetBSD
   4.0.1, 4.0.2, etc) are cumulative, so the latest update contains all
   such fixes since the corresponding minor release. These fixes will
   also appear in future minor releases (i.e., NetBSD 4.1, 4.2, etc),
   together with other less-critical fixes and feature enhancements.

   NetBSD is free. All of the code is under non-restrictive licenses, and
   may be used without paying royalties to anyone. Free support services
   are available via our mailing lists and website. Commercial support is
   available from a variety of sources; some are listed at
   http://www.NetBSD.org/gallery/consultants.html. More extensive
   information on NetBSD is available from our website:


Changes Between 4.0 and 4.0.1 update

   The complete list of changes can be found in the CHANGES-4.0.1
   file in the top level directory of the NetBSD 4.0.1 release tree.
   A shortened list is as follows:

  Security Advisories Fixes

     o NetBSD-SA2008-004, multiple issues (CVE-2008-1372 and
       CVE-2005-0953), has been fixed by upgrading bzip2 to 1.0.5.
     o NetBSD-SA2008-005, OpenSSH Multiple issues (CVE-2008-1483 and
       CVE-2008-1657), has been fixed by applying patches from upstream.
     o NetBSD-SA2008-006, integer overflow in strfmon(3) function
       (CVE-2008-1391), has been fixed.
     o NetBSD-SA2008-008, OpenSSL Montgomery multiplication
       (CVE-2007-3108), has been fixed.
     o NetBSD-SA2008-009, BIND cache poisoning (CVE-2008-1447 and CERT
       VU#800113), has been fixed by updating BIND to 9.4.2-P2. Note
       there are two related changes to this advisory:
          o The default behavior of ipfilter's Port Address Translation
            has been changed to using random port allocation rather than
            sequential mappings, to avoid decreasing the randomness of
            source ports used for DNS queries which affects the BIND
            cache poisoning problem.
          o A `query-source' statement, which could allow the BIND cache
            poisoning attack, has been commented out in the default
            named.conf(5) file.
     o NetBSD-SA2008-010, malicious PPPoE discovery packet can overrun a
       kernel buffer (CVE-2008-3584), has been fixed.
     o NetBSD-SA2008-011, ICMPv6 MLD query (CVE-2008-2464), has been
       fixed.
     o NetBSD-SA2008-012, Denial of Service issues in racoon(8)
       (CVE-2008-3652), has been fixed by upgrading ipsec-tools to
       release 0.7.1. Note this also fixes CVE-2008-3651.
     o upcoming NetBSD-SA2008-013, IPv6 Neighbor Discovery Protocol
       routing vulnerability (CVE-2008-2476), has been fixed.
     o upcoming NetBSD-SA2008-014, remote cross-site request forgery
       attack issue in ftpd(8) (CVE-2008-4247), has been fixed.
     o upcoming NetBSD-SA2008-015, remote kernel panics on IPv6
       connections (CVE-2008-3530), has been fixed.

   Note: NetBSD-SA2008-007 and advisories prior to NetBSD-SA2008-004
   don't affect NetBSD 4.0.
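
   The two named.conf(5)/ipfilter notes under NetBSD-SA2008-009 both come
   down to source-port entropy: a `query-source` statement that pins the
   UDP port, or a NAT that rewrites randomized ports into a sequential
   range, leaves a forged reply needing to match only the 16-bit
   transaction ID. The following is an added example, not code from the
   announcement or from NetBSD or BIND: it scans a named.conf for active
   (not commented-out) `query-source`/`query-source-v6` statements with a
   fixed port, and quantifies the attacker's per-burst success chance with
   and without port randomization. The sample configurations are
   constructed, the exact statement NetBSD commented out is not reproduced,
   and the 64512-port ephemeral range is an assumption for the calculation.

```python
"""Added example, not from the NetBSD announcement or the NetBSD tree:
flag named.conf(5) `query-source` statements that pin the UDP source port.
With the port pinned, a forged reply only has to match the 16-bit
transaction ID; with a randomized port it must match the port as well."""
import re

# Constructed sample: the weak form an administrator might have had in place.
SAMPLE_WEAK_CONF = """
options {
    directory "/etc/namedb";
    query-source address * port 53;      // pins UDP/53 for every outgoing query
    query-source-v6 address * port *;    // random port: fine
};
"""

# Constructed sample mimicking the NetBSD 4.0.1 default, where the
# statement is commented out (the exact shipped text is not reproduced here).
SAMPLE_HARDENED_CONF = """
options {
    directory "/etc/namedb";
    // query-source address * port 53;
    /* query-source-v6 address * port 5300; */
};
"""


def strip_comments(text):
    """Drop /* */, // and # comments so commented-out statements are ignored.
    Naive about comment markers inside quoted strings, which named.conf
    option values rarely contain."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


QUERY_SOURCE_RE = re.compile(r"\bquery-source(?:-v6)?\s+([^;]*);")


def fixed_query_source_ports(conf):
    """Return (statement, port) for every active query-source statement
    whose port is a fixed number rather than '*'."""
    findings = []
    for m in QUERY_SOURCE_RE.finditer(strip_comments(conf)):
        pm = re.search(r"\bport\s+(\S+)", m.group(1))
        if pm and pm.group(1) != "*":
            findings.append((m.group(0), pm.group(1)))
    return findings


def poisoning_success_probability(spoofed_replies, port_randomized,
                                  usable_ports=64512):
    """Chance that at least one of `spoofed_replies` forged answers matches
    the outstanding query. Assumes a uniform 16-bit TXID and, when the port
    is randomized, a uniform choice among `usable_ports` ephemeral ports
    (64512 = 65536 - 1024 is an assumption, not a NetBSD figure)."""
    guess_space = 65536 * (usable_ports if port_randomized else 1)
    return 1.0 - (1.0 - 1.0 / guess_space) ** spoofed_replies


if __name__ == "__main__":
    for label, conf in (("weak", SAMPLE_WEAK_CONF),
                        ("hardened", SAMPLE_HARDENED_CONF)):
        print(label, fixed_query_source_ports(conf))
    for randomized in (False, True):
        print("port randomized" if randomized else "port pinned",
              "%.5f" % poisoning_success_probability(65536, randomized))
```

   A burst of 65536 forged replies against a pinned port succeeds with
   probability about 0.63; against a randomized port the same burst
   succeeds with probability on the order of 1/64512, which is why the
   ipfilter change matters: a NAT that re-sequences ports would silently
   put the resolver back in the first case.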

  Other Security Fixes

     o Fix a buffer overrun which could crash a FAST_IPSEC kernel.
     o tcpdump(8): fix CVE-2007-1218, CVE-2007-3798 and CAN-2005-1278 in
     o Fix a buffer overflow of PCF font parser in X11 libXfont library
     o Fix a buffer overflow of Tektronix Hex Format support in binutils
     o machfb(4) and voodoofb(4): introduce two missing
       KAUTH_GENERIC_ISSUSER checks in the mmap(2) code.


     o Update root.cache to 2008020400 version.
     o Fix IP packet forwarding code to make sure to send a reasonable
       fragment size when IPsec is configured.
     o Fix a bug in TCP SACK code which causes data corruption.
     o Fix an rc.d(8) script for amd(8) not to shut down gracefully, since
       it seems to cause problems for more people than the old (also
       broken) behavior.
     o ftpd(8): fix and reorganize PAM support.


     o Pthread support of BIND has been disabled for future binary
       compatibility after removal of the scheduler activations.
     o Fix coredump of gdtoa (conversion between binary floating-point
       and ASCII string) functions on out of memory conditions.


     o fxp(4): fix random pool corruption and hangup problems.
     o wd(4): handle more LBA48 bug quirks on some Hitachi's SATA/IDE


     o Disable a NULL pointer check in zlib for standalone programs. This
       fixes errors on loading a gzipped kernel (including installation
       kernels) on several ports (news68k etc.) whose kernels are loaded
       at address zero.
     o awk(1): bring back an accidentally removed fix to allow escape of
       a newline in string literals.
     o gcc(1):
          o fix compilation of native sh3 gcc on 64-bit build machines
          o fix an internal compiler error on compiling m68k softfloat or
            m68010 targets on 64-bit build machines.
     o zgrep(1): make `-h' option (suppress filenames on output when
       multiple files are searched) actually work.
     o Fix parallel build failure on building hpcarm, hpcmips and hpcsh

  Platform specific

     o acorn32: fix a bootloader problem on some RiscPCs.
     o cobalt:
          o add a workaround to avoid panic on probing a multi function
            PCI device on Qube's PCI slot
          o fix a bug in the interrupt handler which causes network
            freeze if more than one interface is used.
     o hp700: fix potential kernel / userland memory corruption in
       copyinstr(9) and copyoutstr(9).
     o sparc64: fix a bug in locore.s which causes unexpected behavior.
     o sun3: fix a bug which might cause an occasional panic during boot.
     o vax: make syscall handler use proper copyin(9) function on parsing
       syscall args.

System families supported by NetBSD 4.0.1

   The NetBSD 4.0.1 release provides supported binary distributions for
   the following systems:

   NetBSD/acorn26   Acorn Archimedes, A-series and R-series systems       
   NetBSD/acorn32   Acorn RiscPC/A7000, VLSI RC7500                       
   NetBSD/algor     Algorithmics, Ltd. MIPS evaluation boards             
   NetBSD/alpha     Digital/Compaq Alpha (64-bit)                         
   NetBSD/amd64     AMD family processors like Opteron, Athlon64, and     
                    Intel CPUs with EM64T extension                       
   NetBSD/amiga     Commodore Amiga and MacroSystem DraCo                 
   NetBSD/arc       MIPS-based machines following the Advanced RISC       
                    Computing spec                                        
   NetBSD/atari     Atari TT030, Falcon, Hades                            
   NetBSD/cats      Chalice Technology's CATS and Intel's EBSA-285        
                    evaluation boards                                     
   NetBSD/cesfic    CES FIC8234 VME processor board                       
   NetBSD/cobalt    Cobalt Networks' MIPS-based Microservers              
   NetBSD/dreamcast Sega Dreamcast game console                           
   NetBSD/evbarm    Various ARM-based evaluation boards and appliances    
   NetBSD/evbmips   Various MIPS-based evaluation boards and appliances   
   NetBSD/evbppc    Various PowerPC-based evaluation boards and           
   NetBSD/evbsh3    Various Hitachi Super-H SH3 and SH4-based evaluation  
                    boards and appliances                                 
   NetBSD/hp300     Hewlett-Packard 9000/300 and 400 series               
   NetBSD/hp700     Hewlett-Packard 9000 Series 700 workstations          
   NetBSD/hpcarm    StrongARM based Windows CE PDA machines               
   NetBSD/hpcmips   MIPS-based Windows CE PDA machines                    
   NetBSD/hpcsh     Hitachi Super-H based Windows CE PDA machines         
   NetBSD/i386      IBM PCs and PC clones with i386-family processors and 
   NetBSD/ibmnws    IBM Network Station 1000                              
   NetBSD/iyonix    Castle Technology's Iyonix ARM based PCs              
   NetBSD/landisk   SH4 processor based NAS appliances                    
   NetBSD/luna68k   OMRON Tateisi Electric's LUNA series                  
   NetBSD/mac68k    Apple Macintosh with Motorola 68k CPU                 
   NetBSD/macppc    Apple PowerPC-based Macintosh and clones              
   NetBSD/mipsco    MIPS Computer Systems Inc. family of workstations and 
   NetBSD/mmeye     Brains mmEye multimedia server                        
   NetBSD/mvme68k   Motorola MVME 68k Single Board Computers              
   NetBSD/mvmeppc   Motorola PowerPC VME Single Board Computers           
   NetBSD/netwinder StrongARM based NetWinder machines                    
   NetBSD/news68k   Sony's 68k-based "NET WORK STATION" series            
   NetBSD/newsmips  Sony's MIPS-based "NET WORK STATION" series           
   NetBSD/next68k   NeXT 68k "black" hardware                             
   NetBSD/ofppc     OpenFirmware PowerPC machines                         
   NetBSD/pmax      Digital MIPS-based DECstations and DECsystems         
   NetBSD/pmppc     Artesyn's PM/PPC board                                
   NetBSD/prep      PReP (PowerPC Reference Platform) and CHRP machines   
   NetBSD/sandpoint Motorola Sandpoint reference platform                 
   NetBSD/sbmips    Broadcom SiByte evaluation boards                     
   NetBSD/sgimips   Silicon Graphics' MIPS-based workstations             
   NetBSD/shark     Digital DNARD ("shark")                               
   NetBSD/sparc     Sun SPARC (32-bit) and UltraSPARC (in 32-bit mode)    
   NetBSD/sparc64   Sun UltraSPARC (in native 64-bit mode)                
   NetBSD/sun2      Sun Microsystems Sun 2 machines with Motorola 68010   
   NetBSD/sun3      Motorola 68020 and 030 based Sun 3 and 3x machines    
   NetBSD/vax       Digital VAX                                           
   NetBSD/x68k      Sharp X680x0 series                                   
   NetBSD/xen       The Xen virtual machine monitor                       

   Ports available in source form only for this release include the

   NetBSD/amigappc    PowerPC-based Amiga boards           
   NetBSD/bebox       Be Inc's BeBox                       
   NetBSD/ews4800mips NEC's MIPS-based EWS4800 workstation 


   The NetBSD Foundation would like to thank all those who have
   contributed code, hardware, documentation, funds, colocation for our
   servers, web pages and other documentation, release engineering, and
   other resources over the years. More information on the people who
   make NetBSD happen is available at:


   We would like to especially thank the University of California at
   Berkeley and the GNU Project for particularly large subsets of code
   that we use. We would also like to thank the Internet Systems
   Consortium Inc., the Network Security Lab at Columbia University's
   Computer Science Department, and Ludd (Luleaa Academic Computer
   Society) computer society at Luleaa University of Technology for
   current colocation services.

About the NetBSD Foundation

   The NetBSD Foundation was chartered in 1995, with the task of
   overseeing core NetBSD project services, promoting the project within
   industry and the open source community, and holding intellectual
   property rights on much of the NetBSD code base. Day-to-day operations
   of the project are handled by volunteers.

   As a non-profit organization with no commercial backing, The NetBSD
   Foundation depends on donations from its users, and we would like to
   ask you to consider making a donation to the NetBSD Foundation in
   support of continuing production of our fine operating system. Your
   generous donation would be particularly welcome assistance with
   ongoing upgrades and maintenance, as well as with operating expenses
   for The NetBSD Foundation. Please visit:


   Donations can be done via PayPal to <paypal@NetBSD.org> and are fully
   tax-deductible in the US. If you would prefer not to use PayPal, or
   would like to make other arrangements, please contact

NetBSD mirror sites

   Please use a mirror site close to you.

     o FTP		- http://www.NetBSD.org/mirrors/#ftp
     o ISO images	- http://www.NetBSD.org/mirrors/#iso
     o Anonymous CVS	- http://www.NetBSD.org/mirrors/#anoncvs
     o BitTorrent	- http://www.NetBSD.org/mirrors/#bittorrent
     o SUP		- http://www.NetBSD.org/mirrors/#sup
     o CVSup		- http://www.NetBSD.org/mirrors/#cvsup
     o rsync		- http://www.NetBSD.org/mirrors/#rsync
     o AFS		- http://www.NetBSD.org/mirrors/#afs

   Please also note our list of CD-ROM vendors, located at:


[NetBSD(R) is a registered trademark of The NetBSD Foundation, Inc.]
- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

Comment: http://www.auscert.org.au/render.html?it=1967