[Glibc-bsd-commits] r4898 - branches/wheezy/kfreebsd-9/debian
Steven Chamberlain
stevenc-guest at alioth.debian.org
Thu Aug 22 12:19:40 UTC 2013
Author: stevenc-guest
Date: 2013-08-22 12:19:39 +0000 (Thu, 22 Aug 2013)
New Revision: 4898
Modified:
branches/wheezy/kfreebsd-9/debian/NEWS
branches/wheezy/kfreebsd-9/debian/changelog
branches/wheezy/kfreebsd-9/debian/kfreebsd-image.README.Debian
Log:
Revert this from wheezy/security branch for now so we can concentrate
on advisories 13:08, 13:09, 13:10
Modified: branches/wheezy/kfreebsd-9/debian/NEWS
===================================================================
--- branches/wheezy/kfreebsd-9/debian/NEWS 2013-08-20 09:36:25 UTC (rev 4897)
+++ branches/wheezy/kfreebsd-9/debian/NEWS 2013-08-22 12:19:39 UTC (rev 4898)
@@ -1,12 +0,0 @@
-kfreebsd-9 (9.0-13) wheezy-security; urgency=high
-
- Debian GNU/kFreeBSD kernel images in their default configuration
- are vulnerable to link-local Denial of Service attacks against
- the IPv6 stack. (CVE-2011-2393, CVE-2012-5363, CVE-2012-5365)
-
- A fix is not available for ''wheezy'', but for more details and
- potential workarounds please refer to the documentation at:
-
- /usr/share/doc/kfreebsd-image-*/README.Debian
-
- -- Steven Chamberlain <steven at pyro.eu.org> Tue, 30 Jul 2013 01:32:55 +0100
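Review bot: The NEWS entry being dropped is keyed to version 9.0-13 in its header line, and after this revision that version no longer appears in this branch's changelog, which now tops out at 9.0-10+deb70.3. Since the log says the revert is only "for now", the entry should be re-keyed to whichever 9.0-10+deb70.x version actually ships when it is restored, rather than reinstated verbatim. Until then, users on the default configuration get no upgrade-time notice of CVE-2011-2393, CVE-2012-5363 and CVE-2012-5365, so it would help to record in #684072 / #690986 that the notice is pending.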
Modified: branches/wheezy/kfreebsd-9/debian/changelog
===================================================================
--- branches/wheezy/kfreebsd-9/debian/changelog 2013-08-20 09:36:25 UTC (rev 4897)
+++ branches/wheezy/kfreebsd-9/debian/changelog 2013-08-22 12:19:39 UTC (rev 4898)
@@ -1,25 +1,26 @@
-kfreebsd-9 (9.0-13) UNRELEASED; urgency=high
+kfreebsd-9 (9.0-10+deb70.3) UNRELEASED; urgency=high
- [ Steven Chamberlain ]
+ * Team upload.
* Pick SVN 253693 from FreeBSD 9-STABLE to fix SA-13:08 / CVE-2013-4851:
Incorrect privilege validation in the NFS server (Closes: #717958)
- * Document in README.Debian some known issues, with no upstream fix
- available, affecting the IPv6 stack: CVE-2011-2393, CVE-2012-5363,
- CVE-2012-5365 (Closes: #684072, #690986)
- [ Robert Millan ]
- * Upload for wheezy-security.
+ -- Steven Chamberlain <steven at pyro.eu.org> Sun, 28 Jul 2013 18:15:26 +0100
- -- Robert Millan <rmh at debian.org> Sun, 04 Aug 2013 14:41:01 +0200
+kfreebsd-9 (9.0-10+deb70.2) wheezy-security; urgency=high
-kfreebsd-9 (9.0-12) unstable; urgency=high
-
* Team upload.
+ * Upload for wheezy-security
* Pick SVN 251902 from FreeBSD 9-STABLE to fix SA-13:06 / CVE-2013-2171:
Privilege escalation via mmap (Closes: #712664)
- -- Steven Chamberlain <steven at pyro.eu.org> Tue, 18 Jun 2013 13:20:50 +0100
+ -- Steven Chamberlain <steven at pyro.eu.org> Wed, 19 Jun 2013 20:36:54 +0100
+kfreebsd-9 (9.0-10+deb70.1) wheezy-security; urgency=high
+
+ * Upload for wheezy-security
+
+ -- Christoph Egger <christoph at debian.org> Wed, 01 May 2013 14:24:30 +0200
+
kfreebsd-9 (9.0-11) unstable; urgency=high
* Team upload.
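Review bot: The changelog hunk does more than the log message describes: besides dropping the README.Debian bullet, it renumbers 9.0-13 to 9.0-10+deb70.3, turns the 9.0-12 "unstable" entry into 9.0-10+deb70.2 "wheezy-security", changes both trailer timestamps and inserts a new 9.0-10+deb70.1 entry. Please mention the version renumbering in the commit log so the history of the security branch stays readable. Also note that removing "(Closes: #684072, #690986)" leaves those bugs open, which is correct for a revert but worth stating, and that the top entry is still UNRELEASED with a trailer dated 28 Jul 2013 that will need refreshing before upload.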
Modified: branches/wheezy/kfreebsd-9/debian/kfreebsd-image.README.Debian
===================================================================
--- branches/wheezy/kfreebsd-9/debian/kfreebsd-image.README.Debian 2013-08-20 09:36:25 UTC (rev 4897)
+++ branches/wheezy/kfreebsd-9/debian/kfreebsd-image.README.Debian 2013-08-22 12:19:39 UTC (rev 4898)
@@ -13,64 +13,3 @@
[1] http://www.gnu.org/licenses/license-list.html
-- Aurelien Jarno <aurel32 at debian.org> Mon, 10 Aug 2009 10:51:55 +0200
-
-
-Known issues in the IPv6 stack
-------------------------------
-
-Marc Heuse reported that some types of ICMPv6 packet cause excessive
-burden on the IPv6 networking stacks of several operating systems,
-including FreeBSD. This can also break IPv6 networking on a host until
-it is rebooted.
-
-These packets are only valid in link-local scope, meaning they cannot
-be routed through an IPv6 router from the Internet or another network.
-But if you do not trust your local network, you may want to defend
-against potential Denial-of-Service attacks as explained below.
-
-- CVE-2011-2393
- flood of ICMPv6 Router Advertisement packets
-
-- CVE-2012-5365
- flood of ICMPv6 Router Advertisement packets containing multiple
- routing entries
-
-Debian GNU/kFreeBSD ''wheezy'' accepts these packets by default, to
-allow IPv6 stateless address autoconfiguration (SLAAC) to work. This is
-different from original FreeBSD, where it is not enabled by default.
-
-If you prefer to ignore these packets, you may clear the accept_rtadv
-flag on each vulnerable interface. For example:
-
-# ifconfig $IFACE inet6 -accept_rtadv
-
-The same can also be added to an appropriate stanza of the
-/etc/network/interfaces file, to do this automatically on boot. For
-example:
-
-auto fxp0
-iface fxp0 inet dhcp
- up ifconfig $IFACE inet6 -accept_rtadv
-
-- CVE-2012-5363
- flood of ICMPv6 Neighbor Solicitation messages
-
-These packets announce an IPv6 host's presence on the local network.
-The source addresses of these packets are cached in a table
-of 'neighbour' hosts. The table can be filled if a large number of
-source addresses are spoofed. This incurs heavy CPU load and can break
-IPv6 networking on all interfaces.
-
-There is no mitigation available yet in upstream FreeBSD. If desired,
-IPv6 networking can be disabled on specific interfaces where it is not
-needed:
-
-# ifconfig $IFACE inet6 ifdisabled
-
-This can also be set in an /etc/network/interfaces stanza:
-
-auto fxp0
-iface fxp0 inet dhcp
- up ifconfig $IFACE inet6 ifdisabled
-
- -- Steven Chamberlain <steven at pyro.eu.org> Tue, 30 Jul 2013 01:32:55 +0100
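Review bot: Removing the whole "Known issues in the IPv6 stack" section takes the only in-package description of the "ifconfig $IFACE inet6 -accept_rtadv" and "ifconfig $IFACE inet6 ifdisabled" workarounds away, while the removed text itself states that wheezy accepts Router Advertisements by default. If the section cannot stay in this upload, keep the text in the open bugs or on a branch so it can be restored unchanged in substance. When it does come back, consider whether the /etc/network/interfaces examples should use a hook that runs before the interface is brought up rather than "up", since "up" commands run only after the interface is already configured.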