[Glibc-bsd-commits] r4855 - branches/wheezy/kfreebsd-9/debian

Steven Chamberlain stevenc-guest at alioth.debian.org
Sun Aug 4 14:47:46 UTC 2013 

Author: stevenc-guest
Date: 2013-08-04 14:47:46 +0000 (Sun, 04 Aug 2013)
New Revision: 4855

Added:
   branches/wheezy/kfreebsd-9/debian/NEWS
Modified:
   branches/wheezy/kfreebsd-9/debian/changelog
   branches/wheezy/kfreebsd-9/debian/kfreebsd-image.README.Debian
Log:
Document in README.Debian some known issues, with no upstream fix
available, affecting the IPv6 stack: CVE-2011-2393, CVE-2012-5363,
CVE-2012-5365 (Closes: #684072, #690986)


Added: branches/wheezy/kfreebsd-9/debian/NEWS
===================================================================
--- branches/wheezy/kfreebsd-9/debian/NEWS	                        (rev 0)
+++ branches/wheezy/kfreebsd-9/debian/NEWS	2013-08-04 14:47:46 UTC (rev 4855)
@@ -0,0 +1,12 @@
+kfreebsd-9 (9.0-13) wheezy-security; urgency=high
+
+  Debian GNU/kFreeBSD kernel images in their default configuration
+  are vulnerable to link-local Denial of Service attacks against
+  the IPv6 stack.  (CVE-2011-2393, CVE-2012-5363, CVE-2012-5365)
+
+  A fix is not available for ''wheezy'', but for more details and
+  potential workarounds please refer to the documentation at:
+
+  /usr/share/doc/kfreebsd-image-*/README.Debian
+
+ -- Steven Chamberlain <steven at pyro.eu.org>  Tue, 30 Jul 2013 01:32:55 +0100

Modified: branches/wheezy/kfreebsd-9/debian/changelog
===================================================================
--- branches/wheezy/kfreebsd-9/debian/changelog	2013-08-04 12:45:36 UTC (rev 4854)
+++ branches/wheezy/kfreebsd-9/debian/changelog	2013-08-04 14:47:46 UTC (rev 4855)
@@ -1,5 +1,13 @@
 kfreebsd-9 (9.0-13) UNRELEASED; urgency=high
 
+  [ Steven Chamberlain ]
+  * Pick SVN 253693 from FreeBSD 9-STABLE to fix SA-13:08 / CVE-2013-4851:
+    Incorrect privilege validation in the NFS server (Closes: #717958)
+  * Document in README.Debian some known issues, with no upstream fix
+    available, affecting the IPv6 stack: CVE-2011-2393, CVE-2012-5363,
+    CVE-2012-5365 (Closes: #684072, #690986)
+
+  [ Robert Millan ]
   * Upload for wheezy-security.
 
  -- Robert Millan <rmh at debian.org>  Sun, 04 Aug 2013 14:41:01 +0200

Modified: branches/wheezy/kfreebsd-9/debian/kfreebsd-image.README.Debian
===================================================================
--- branches/wheezy/kfreebsd-9/debian/kfreebsd-image.README.Debian	2013-08-04 12:45:36 UTC (rev 4854)
+++ branches/wheezy/kfreebsd-9/debian/kfreebsd-image.README.Debian	2013-08-04 14:47:46 UTC (rev 4855)
@@ -13,3 +13,64 @@
 [1] http://www.gnu.org/licenses/license-list.html
 
  -- Aurelien Jarno <aurel32 at debian.org>  Mon, 10 Aug 2009 10:51:55 +0200
+
+
+Known issues in the IPv6 stack
+------------------------------
+
+Marc Heuse reported that some types of ICMPv6 packet cause excessive
+burden on the IPv6 networking stacks of several operating systems,
+including FreeBSD.  This can also break IPv6 networking on a host until
+it is rebooted.
+
+These packets are only valid in link-local scope, meaning they cannot
+be routed through an IPv6 router from the Internet or another network.
+But if you do not trust your local network, you may want to defend
+against potential Denial-of-Service attacks as explained below.
+
+- CVE-2011-2393
+    flood of ICMPv6 Router Advertisement packets
+
+- CVE-2012-5365
+    flood of ICMPv6 Router Advertisement packets containing multiple
+    routing entries
+
+Debian GNU/kFreeBSD ''wheezy'' accepts these packets by default, to
+allow IPv6 stateless address autoconfiguration (SLAAC) to work.  This is
+different from original FreeBSD, where it is not enabled by default.
+
+If you prefer to ignore these packets, you may clear the accept_rtadv
+flag on each vulnerable interface.  For example:
+
+# ifconfig $IFACE inet6 -accept_rtadv
+
+The same can also be added to an appropriate stanza of the
+/etc/network/interfaces file, to do this automatically on boot.  For
+example:
+
+auto fxp0
+iface fxp0 inet dhcp
+ 	up ifconfig $IFACE inet6 -accept_rtadv
+
+- CVE-2012-5363
+    flood of ICMPv6 Neighbor Solicitation messages
+
+These packets announce an IPv6 host's presence on the local network.
+The source addresses of these packets are cached in a table
+of 'neighbour' hosts.  The table can be filled if a large number of
+source addresses are spoofed.  This incurs heavy CPU load and can break
+IPv6 networking on all interfaces.
+
+There is no mitigation available yet in upstream FreeBSD.  If desired,
+IPv6 networking can be disabled on specific interfaces where it is not
+needed:
+
+# ifconfig $IFACE inet6 ifdisabled
+
+This can also be set in an /etc/network/interfaces stanza:
+
+auto fxp0
+iface fxp0 inet dhcp
+ 	up ifconfig $IFACE inet6 ifdisabled
+
+ -- Steven Chamberlain <steven at pyro.eu.org>  Tue, 30 Jul 2013 01:32:55 +0100

More information about the Glibc-bsd-commits mailing list