NetBSD 5.0.1 released

NetBSD 5.0.1 is the first security/critical update of the NetBSD 5.0 release branch.

It represents a selected subset of fixes deemed critical in nature for security or stability reasons.

Security advisory fixes

  • NetBSD-SA2009-004, NetBSD OpenPAM passwd(1) changing weakness.
  • NetBSD-SA2009-005, Plaintext Recovery Attack Against SSH.
  • NetBSD-SA2009-006, Buffer overflows in ntp.
  • NetBSD-SA2009-007, Buffer overflows in hack(6).
  • NetBSD-SA2009-008, OpenSSL ASN1 parsing denial of service and CMS signature verification weakness.
  • NetBSD-SA2009-009, OpenSSL DTLS Memory Exhaustion and DSA signature verification vulnerabilities.
  • NetBSD-SA2009-010, ISC dhclient subnet-mask flag stack overflow.
  • NetBSD-SA2009-011, ISC DHCP server Denial of Service vulnerability.
  • NetBSD-SA2009-012, SHA2 implementation potential buffer overflow.
  • NetBSD-SA2009-013, BIND named dynamic update Denial of Service vulnerability.

Note: Advisories prior to NetBSD-SA2009-004 do not affect NetBSD 5.0.


  • Fix random “filesystem full” messages on large FFS file systems.
  • Fix a regression in the 4.4BSD scheduler, improving interactive performance under load.
  • Remove a race where physio_done() may use memory already freed. Fixes PR kern/39536.
  • Fix a crash observed when trying to load a corrupted ELF kernel module.
  • Fix PR kern/41566, where writes on the controlling tty were not being awoken from blocks.
  • Various fixes for POSIX message queues.
  • Fix a possible deadlock in the VFS subsystem.
  • Fixes for POSIX advisory locks.
  • A number of other stability fixes.


  • Follow exactly the recommendation of draft-ietf-tcpm-tcpsecure-11.txt: Don’t check against the last ACK received, but against the expected sequence number. This makes RST handling independent of delayed ACK.
  • Fix a panic when trying to disable IPFilter before enabling it. Fixes PR kern/41364.

NetBSD 5.0.1 is available for download here.
