[Glibc-bsd-commits] r4855 - branches/wheezy/kfreebsd-9/debian
Steven Chamberlain
stevenc-guest at alioth.debian.org
Sun Aug 4 14:47:46 UTC 2013
Author: stevenc-guest
Date: 2013-08-04 14:47:46 +0000 (Sun, 04 Aug 2013)
New Revision: 4855
Added:
branches/wheezy/kfreebsd-9/debian/NEWS
Modified:
branches/wheezy/kfreebsd-9/debian/changelog
branches/wheezy/kfreebsd-9/debian/kfreebsd-image.README.Debian
Log:
Document in README.Debian some known issues, with no upstream fix
available, affecting the IPv6 stack: CVE-2011-2393, CVE-2012-5363,
CVE-2012-5365 (Closes: #684072, #690986)
Added: branches/wheezy/kfreebsd-9/debian/NEWS
===================================================================
--- branches/wheezy/kfreebsd-9/debian/NEWS (rev 0)
+++ branches/wheezy/kfreebsd-9/debian/NEWS 2013-08-04 14:47:46 UTC (rev 4855)
@@ -0,0 +1,12 @@
+kfreebsd-9 (9.0-13) wheezy-security; urgency=high
+
+ Debian GNU/kFreeBSD kernel images in their default configuration
+ are vulnerable to link-local Denial of Service attacks against
+ the IPv6 stack. (CVE-2011-2393, CVE-2012-5363, CVE-2012-5365)
+
+ A fix is not available for ''wheezy'', but for more details and
+ potential workarounds please refer to the documentation at:
+
+ /usr/share/doc/kfreebsd-image-*/README.Debian
+
+ -- Steven Chamberlain <steven at pyro.eu.org> Tue, 30 Jul 2013 01:32:55 +0100
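Review bot: the sentence "A fix is not available for ''wheezy''" in this NEWS entry is broader than intended, since the very same 9.0-13 upload does ship a fix (the changelog records the SA-13:08 / CVE-2013-4851 NFS server pick). Scope the statement to the three IPv6 CVEs named in the previous paragraph, e.g. "No fix for these three issues is available for ''wheezy''", so an administrator reading the NEWS file does not conclude the whole upload contains no fixes. Also note the header here reads "wheezy-security" while the changelog header for the same version still reads "UNRELEASED"; the two must agree before the upload is built.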
Modified: branches/wheezy/kfreebsd-9/debian/changelog
===================================================================
--- branches/wheezy/kfreebsd-9/debian/changelog 2013-08-04 12:45:36 UTC (rev 4854)
+++ branches/wheezy/kfreebsd-9/debian/changelog 2013-08-04 14:47:46 UTC (rev 4855)
@@ -1,5 +1,13 @@
kfreebsd-9 (9.0-13) UNRELEASED; urgency=high
+ [ Steven Chamberlain ]
+ * Pick SVN 253693 from FreeBSD 9-STABLE to fix SA-13:08 / CVE-2013-4851:
+ Incorrect privilege validation in the NFS server (Closes: #717958)
+ * Document in README.Debian some known issues, with no upstream fix
+ available, affecting the IPv6 stack: CVE-2011-2393, CVE-2012-5363,
+ CVE-2012-5365 (Closes: #684072, #690986)
+
+ [ Robert Millan ]
* Upload for wheezy-security.
-- Robert Millan <rmh at debian.org> Sun, 04 Aug 2013 14:41:01 +0200
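Review bot: the distribution field on the unchanged header line still reads "UNRELEASED" even though the entry under [ Robert Millan ] is "Upload for wheezy-security." and the NEWS file for the same version already says wheezy-security; it needs to be changed to wheezy-security (e.g. with dch -r) before the package is built, otherwise the upload will be rejected or land in the wrong suite. Minor: the commit log only describes the README.Debian/NEWS documentation, but this hunk also records the SVN 253693 / SA-13:08 pick; if that change is in the same commit it should be mentioned in the log, and if it is not, this bullet belongs with the commit that carries the code.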
Modified: branches/wheezy/kfreebsd-9/debian/kfreebsd-image.README.Debian
===================================================================
--- branches/wheezy/kfreebsd-9/debian/kfreebsd-image.README.Debian 2013-08-04 12:45:36 UTC (rev 4854)
+++ branches/wheezy/kfreebsd-9/debian/kfreebsd-image.README.Debian 2013-08-04 14:47:46 UTC (rev 4855)
@@ -13,3 +13,64 @@
[1] http://www.gnu.org/licenses/license-list.html
-- Aurelien Jarno <aurel32 at debian.org> Mon, 10 Aug 2009 10:51:55 +0200
+
+
+Known issues in the IPv6 stack
+------------------------------
+
+Marc Heuse reported that some types of ICMPv6 packet cause excessive
+burden on the IPv6 networking stacks of several operating systems,
+including FreeBSD. This can also break IPv6 networking on a host until
+it is rebooted.
+
+These packets are only valid in link-local scope, meaning they cannot
+be routed through an IPv6 router from the Internet or another network.
+But if you do not trust your local network, you may want to defend
+against potential Denial-of-Service attacks as explained below.
+
+- CVE-2011-2393
+ flood of ICMPv6 Router Advertisement packets
+
+- CVE-2012-5365
+ flood of ICMPv6 Router Advertisement packets containing multiple
+ routing entries
+
+Debian GNU/kFreeBSD ''wheezy'' accepts these packets by default, to
+allow IPv6 stateless address autoconfiguration (SLAAC) to work. This is
+different from original FreeBSD, where it is not enabled by default.
+
+If you prefer to ignore these packets, you may clear the accept_rtadv
+flag on each vulnerable interface. For example:
+
+# ifconfig $IFACE inet6 -accept_rtadv
+
+The same can also be added to an appropriate stanza of the
+/etc/network/interfaces file, to do this automatically on boot. For
+example:
+
+auto fxp0
+iface fxp0 inet dhcp
+ up ifconfig $IFACE inet6 -accept_rtadv
+
+- CVE-2012-5363
+ flood of ICMPv6 Neighbor Solicitation messages
+
+These packets announce an IPv6 host's presence on the local network.
+The source addresses of these packets are cached in a table
+of 'neighbour' hosts. The table can be filled if a large number of
+source addresses are spoofed. This incurs heavy CPU load and can break
+IPv6 networking on all interfaces.
+
+There is no mitigation available yet in upstream FreeBSD. If desired,
+IPv6 networking can be disabled on specific interfaces where it is not
+needed:
+
+# ifconfig $IFACE inet6 ifdisabled
+
+This can also be set in an /etc/network/interfaces stanza:
+
+auto fxp0
+iface fxp0 inet dhcp
+ up ifconfig $IFACE inet6 ifdisabled
+
+ -- Steven Chamberlain <steven at pyro.eu.org> Tue, 30 Jul 2013 01:32:55 +0100
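Review bot: in both /etc/network/interfaces examples the flag is applied with "up ifconfig $IFACE inet6 -accept_rtadv" (and "up ... ifdisabled"), which ifupdown runs only after the interface has been brought up and DHCP has completed, so Router Advertisements are accepted during that window; consider "pre-up ifconfig $IFACE inet6 -accept_rtadv" so the flag is cleared before the link comes up, and say explicitly that it must be done on every interface, not just the one in the stanza. Two wording points in the CVE-2012-5363 section: Neighbor Solicitation messages request a neighbour's link-layer address rather than "announce an IPv6 host's presence" (that is what Neighbor Advertisements do), and the text should not leave the impression that "ifdisabled" on unneeded interfaces protects the interfaces where IPv6 stays enabled, given the earlier statement that a filled table "can break IPv6 networking on all interfaces".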