[Glibc-bsd-commits] r4898 - branches/wheezy/kfreebsd-9/debian

Steven Chamberlain stevenc-guest at alioth.debian.org
Thu Aug 22 12:19:40 UTC 2013


Author: stevenc-guest
Date: 2013-08-22 12:19:39 +0000 (Thu, 22 Aug 2013)
New Revision: 4898

Modified:
   branches/wheezy/kfreebsd-9/debian/NEWS
   branches/wheezy/kfreebsd-9/debian/changelog
   branches/wheezy/kfreebsd-9/debian/kfreebsd-image.README.Debian
Log:
Revert this from wheezy/security branch for now so we can concentrate
on advisories 13:08, 13:09, 13:10


Modified: branches/wheezy/kfreebsd-9/debian/NEWS
===================================================================
--- branches/wheezy/kfreebsd-9/debian/NEWS	2013-08-20 09:36:25 UTC (rev 4897)
+++ branches/wheezy/kfreebsd-9/debian/NEWS	2013-08-22 12:19:39 UTC (rev 4898)
@@ -1,12 +0,0 @@
-kfreebsd-9 (9.0-13) wheezy-security; urgency=high
-
-  Debian GNU/kFreeBSD kernel images in their default configuration
-  are vulnerable to link-local Denial of Service attacks against
-  the IPv6 stack.  (CVE-2011-2393, CVE-2012-5363, CVE-2012-5365)
-
-  A fix is not available for ''wheezy'', but for more details and
-  potential workarounds please refer to the documentation at:
-
-  /usr/share/doc/kfreebsd-image-*/README.Debian
-
- -- Steven Chamberlain <steven at pyro.eu.org>  Tue, 30 Jul 2013 01:32:55 +0100
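
Review bot: The `@@ -1,12 +0,0 @@` range empties debian/NEWS completely, yet the file is listed under "Modified" rather than deleted, so a zero-length NEWS file stays in the branch. If nothing else belongs in it, remove the file from the branch, or confirm that an empty NEWS is not installed. The removed entry was also the pointer to /usr/share/doc/kfreebsd-image-*/README.Debian for CVE-2011-2393, CVE-2012-5363 and CVE-2012-5365, so it should come back together with the README section.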

Modified: branches/wheezy/kfreebsd-9/debian/changelog
===================================================================
--- branches/wheezy/kfreebsd-9/debian/changelog	2013-08-20 09:36:25 UTC (rev 4897)
+++ branches/wheezy/kfreebsd-9/debian/changelog	2013-08-22 12:19:39 UTC (rev 4898)
@@ -1,25 +1,26 @@
-kfreebsd-9 (9.0-13) UNRELEASED; urgency=high
+kfreebsd-9 (9.0-10+deb70.3) UNRELEASED; urgency=high
 
-  [ Steven Chamberlain ]
+  * Team upload.
   * Pick SVN 253693 from FreeBSD 9-STABLE to fix SA-13:08 / CVE-2013-4851:
     Incorrect privilege validation in the NFS server (Closes: #717958)
-  * Document in README.Debian some known issues, with no upstream fix
-    available, affecting the IPv6 stack: CVE-2011-2393, CVE-2012-5363,
-    CVE-2012-5365 (Closes: #684072, #690986)
 
-  [ Robert Millan ]
-  * Upload for wheezy-security.
+ -- Steven Chamberlain <steven at pyro.eu.org>  Sun, 28 Jul 2013 18:15:26 +0100
 
- -- Robert Millan <rmh at debian.org>  Sun, 04 Aug 2013 14:41:01 +0200
+kfreebsd-9 (9.0-10+deb70.2) wheezy-security; urgency=high
 
-kfreebsd-9 (9.0-12) unstable; urgency=high
-
   * Team upload.
+  * Upload for wheezy-security
   * Pick SVN 251902 from FreeBSD 9-STABLE to fix SA-13:06 / CVE-2013-2171:
     Privilege escalation via mmap (Closes: #712664)
 
- -- Steven Chamberlain <steven at pyro.eu.org>  Tue, 18 Jun 2013 13:20:50 +0100
+ -- Steven Chamberlain <steven at pyro.eu.org>  Wed, 19 Jun 2013 20:36:54 +0100
 
+kfreebsd-9 (9.0-10+deb70.1) wheezy-security; urgency=high
+
+  * Upload for wheezy-security
+
+ -- Christoph Egger <christoph at debian.org>  Wed, 01 May 2013 14:24:30 +0200
+
 kfreebsd-9 (9.0-11) unstable; urgency=high
 
   * Team upload.
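
Review bot: The new 9.0-10+deb70.3, 9.0-10+deb70.2 and 9.0-10+deb70.1 stanzas sit directly above the unchanged `kfreebsd-9 (9.0-11) unstable` stanza at the end of the hunk, although each of them sorts lower than 9.0-11, so the changelog no longer reads in descending version order. Either drop the 9.0-11 history from this branch or state in the top entry which version the security uploads are based on. The log message mentions only the revert, but this hunk also renumbers the entries, moves the SA-13:06 entry from unstable to wheezy-security with a new date, and adds a 9.0-10+deb70.1 stanza whose only item is "Upload for wheezy-security"; say so in the log. Dropping "Closes: #684072, #690986" also leaves those two bugs without a changelog reference.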

Modified: branches/wheezy/kfreebsd-9/debian/kfreebsd-image.README.Debian
===================================================================
--- branches/wheezy/kfreebsd-9/debian/kfreebsd-image.README.Debian	2013-08-20 09:36:25 UTC (rev 4897)
+++ branches/wheezy/kfreebsd-9/debian/kfreebsd-image.README.Debian	2013-08-22 12:19:39 UTC (rev 4898)
@@ -13,64 +13,3 @@
 [1] http://www.gnu.org/licenses/license-list.html
 
  -- Aurelien Jarno <aurel32 at debian.org>  Mon, 10 Aug 2009 10:51:55 +0200
-
-
-Known issues in the IPv6 stack
-------------------------------
-
-Marc Heuse reported that some types of ICMPv6 packet cause excessive
-burden on the IPv6 networking stacks of several operating systems,
-including FreeBSD.  This can also break IPv6 networking on a host until
-it is rebooted.
-
-These packets are only valid in link-local scope, meaning they cannot
-be routed through an IPv6 router from the Internet or another network.
-But if you do not trust your local network, you may want to defend
-against potential Denial-of-Service attacks as explained below.
-
-- CVE-2011-2393
-    flood of ICMPv6 Router Advertisement packets
-
-- CVE-2012-5365
-    flood of ICMPv6 Router Advertisement packets containing multiple
-    routing entries
-
-Debian GNU/kFreeBSD ''wheezy'' accepts these packets by default, to
-allow IPv6 stateless address autoconfiguration (SLAAC) to work.  This is
-different from original FreeBSD, where it is not enabled by default.
-
-If you prefer to ignore these packets, you may clear the accept_rtadv
-flag on each vulnerable interface.  For example:
-
-# ifconfig $IFACE inet6 -accept_rtadv
-
-The same can also be added to an appropriate stanza of the
-/etc/network/interfaces file, to do this automatically on boot.  For
-example:
-
-auto fxp0
-iface fxp0 inet dhcp
- 	up ifconfig $IFACE inet6 -accept_rtadv
-
-- CVE-2012-5363
-    flood of ICMPv6 Neighbor Solicitation messages
-
-These packets announce an IPv6 host's presence on the local network.
-The source addresses of these packets are cached in a table
-of 'neighbour' hosts.  The table can be filled if a large number of
-source addresses are spoofed.  This incurs heavy CPU load and can break
-IPv6 networking on all interfaces.
-
-There is no mitigation available yet in upstream FreeBSD.  If desired,
-IPv6 networking can be disabled on specific interfaces where it is not
-needed:
-
-# ifconfig $IFACE inet6 ifdisabled
-
-This can also be set in an /etc/network/interfaces stanza:
-
-auto fxp0
-iface fxp0 inet dhcp
- 	up ifconfig $IFACE inet6 ifdisabled
-
- -- Steven Chamberlain <steven at pyro.eu.org>  Tue, 30 Jul 2013 01:32:55 +0100
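
Review bot: Removing the whole "Known issues in the IPv6 stack" section takes the `-accept_rtadv` and `ifdisabled` workarounds out of the package documentation, while the removed text itself states that wheezy accepts Router Advertisements by default and that upstream has no mitigation for CVE-2012-5363. Since the log says the revert is only "for now", record in the log or changelog which revision holds this text (rev 4897 per the file header) so it can be re-applied once advisories 13:08, 13:09 and 13:10 are handled.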



