NetBSD Releases a Batch of Security Advisories

With the release of NetBSD 1.6, the NetBSD project published a batch of Security Advisories (some of which are updates).

* 2002-006 buffer overrun in libc/libresolv DNS resolver
x 2002-007 Repeated TIOCSCTTY ioctl can corrupt session hold counts
*x 2002-009 Multiple vulnerabilities in OpenSSL code
*x 2002-010 symlink race in pppd
*x 2002-011 Sun RPC XDR decoder contains buffer overflow
x 2002-012 buffer overrun in setlocale
x 2002-013 Bug in NFS server code allows remote denial of service
x 2002-014 fd_set overrun in mbone tools and pppd
x 2002-017 shutdown(s, SHUT_RD) on TCP socket does not work as intended
x+ 2002-018 Multiple security isses with kfd daemon

(*) reissue
(x) affects 1.5.3
(+) affects 1.6

As noted by NetBSD Security Officer (

These advisories involve bugs in libc (affecting static binaries), as well as the kernel. A full system rebuild is recommended to collectively address all of these issues, but please make sure to read through all of the advisories in case specific issues affect your system.

Because of the extensive rebuild required, the NetBSD 1.6 release was delayed in order to include fixes for as many of these issues as possible, so as to provide binary release users with an easy upgrade path.

Readers will note that there are some gaps in the above numbering. These pending advisories involve third parties, and are awaiting disclosure co-ordination, so we cannot publish them at this time. However, they *are* fixed in NetBSD 1.6.

Unfortunately, the recent 1.5.3 release was affected by most of these issues. Unlike NetBSD 1.6, the 1.5 branch cannot be automatically cross-built to release, and so any updated binary release from the 1.5 tree will take considerable time and developer effort.


* The recommended cumulative fix for pre-1.6 systems is to upgrade to NetBSD 1.6.

* Users who cannot upgrade to 1.6 are recommended to update to the most recent sources on the NetBSD-1.5 branch, via anoncvs, and rebuild from there.

* Users of NetBSD-current should upgrade to source more recent than September 11, 2002, and rebuild the kernel and all userland.

Don't miss