Slashdot Mirror


Four New Security Advisories Released for NetBSD

Dan writes "The NetBSD security team has issued four NetBSD Security Advisories. (1) Format string vulnerability in zlib gzprintf(): a buffer overflow can result in arbitrary code execution. (2) RSA timing attack in OpenSSL code can enable remote recovery of private keys from a host with low-latency access to the server - such as the local host, or a host on the LAN. (3) Encryption weakness in OpenSSL code enables an attacker to perform crypto operations using the server's private keys. Finally (4), faulty length checks in xdrmem_getbytes (within libc) are susceptible to integer overflows that affect memory allocation in their local buffers."
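The fourth item, the faulty length check in xdrmem_getbytes, is the kind of defect that is easiest to understand in code. The C program below is an added example, not NetBSD's libc code: the struct mem_reader, the functions flawed_length_check, safe_length_check, reader_getbytes and count_flawed_acceptances, and the 8-byte sample buffer are all constructed for illustration. It contrasts the classic signed "subtract and test for negative" check, which wraps when the requested length is an unsigned value larger than the remaining count, with a comparison-based check that cannot wrap, and it counts how many constructed oversize requests the flawed check lets through.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical XDR-style memory reader: a cursor plus a count of bytes still
 * available. The signed "handy" count mirrors the style of the old Sun RPC
 * xdrmem code, but this struct is constructed for the example. */
struct mem_reader {
    const unsigned char *cur;   /* next unread byte */
    int handy;                  /* bytes remaining (signed, as in the classic code) */
};

/* Flawed pattern: subtract the requested length from the remaining count and
 * test the result for negativity. Because len is unsigned, the subtraction is
 * done modulo 2^32; a huge len can wrap to a small non-negative value, so the
 * check passes although far more bytes were requested than remain.
 * Returns true when the check would ACCEPT the request. */
bool flawed_length_check(int remaining, unsigned int len)
{
    int handy = remaining;
    handy -= len;              /* int -= unsigned: wraps instead of going negative */
    return handy >= 0;
}

/* Hardened pattern: compare in the unsigned domain before touching the count.
 * No arithmetic can wrap, so any len exceeding what remains is rejected. */
bool safe_length_check(int remaining, unsigned int len)
{
    if (remaining < 0)
        return false;
    return len <= (unsigned int)remaining;
}

/* Bounded read built on the safe check: copies len bytes into out and advances
 * the reader, or returns false without touching out or the reader state. */
bool reader_getbytes(struct mem_reader *r, unsigned char *out, unsigned int len)
{
    if (!safe_length_check(r->handy, len))
        return false;
    memcpy(out, r->cur, len);
    r->cur += len;
    r->handy -= (int)len;      /* safe: len <= handy was just verified */
    return true;
}

/* Constructed sample message: 8 bytes. */
static const unsigned char sample[8] = { 'N', 'e', 't', 'B', 'S', 'D', '!', '\n' };

/* Runs both checks against the sample buffer for a few constructed lengths
 * and returns how many requests the flawed check accepted but the safe check
 * rejected. Two of the probes (0xFFFFFFF0 and 0xFFFFFFFF) wrap to small
 * positive remainders and slip past the flawed check. */
int count_flawed_acceptances(void)
{
    const unsigned int probes[] = { 4u, 8u, 9u, 0xFFFFFFF0u, 0xFFFFFFFFu };
    int wrongly_accepted = 0;
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        bool flawed = flawed_length_check((int)sizeof sample, probes[i]);
        bool safe = safe_length_check((int)sizeof sample, probes[i]);
        if (flawed && !safe)
            wrongly_accepted++;
    }
    return wrongly_accepted;
}

int main(void)
{
    struct mem_reader r = { sample, (int)sizeof sample };
    unsigned char out[8];

    printf("flawed check wrongly accepted %d oversize request(s)\n",
           count_flawed_acceptances());
    printf("read 4 bytes: %s\n", reader_getbytes(&r, out, 4u) ? "ok" : "rejected");
    printf("read 0xFFFFFFF0 bytes: %s\n",
           reader_getbytes(&r, out, 0xFFFFFFF0u) ? "ok" : "rejected");
    return 0;
}
```

The point for reviewers is that the flawed check is not obviously wrong on ordinary inputs (a request of 9 bytes against 8 remaining is correctly rejected); it fails only when the unsigned length is large enough to wrap the subtraction, which is exactly the input an attacker-controlled length field can supply. Comparing lengths with `<=` before any arithmetic removes the wrap entirely.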

2 of 18 comments

  1. why link to freebsdforums? by kenfrid · Score: 3, Informative

    Why link to freebsdforums when you can get the original announcement here?

    1. Re:why link to freebsdforums? by jschauma · Score: 3, Informative

      Hmm, while you _do_ have to get the source (as if that was a bad thing!), it's certainly very simple to update only the relevant parts. As the SA states, you do not need to update the entire system but can simply do:

      # cd src
      # cvs update -d -P -r netbsd-1-6 lib/libz/gzio.c
      # cd lib/libz
      # make USETOOLS=no cleandir dependall
      # make USETOOLS=no install

      (Similarly for the other advisories.)
      This is not really very difficult.

      --
      "Tradition is the illusion of permanence."