Contributed by jj on from the p-p-p-patch-my-kernel-over-ethernet dept.
Patches are now available for 5.5 and 5.6 which fix two kernel errata.
5.5 errata 16 and 5.6 errata 10: Several bugs were fixed that allowed a crash from remote when an active pipex session exists.
5.5 errata 17 and 5.6 errata 11: An incorrect memcpy call would result in corrupted MAC addresses when using PPPOE.
Users who don't use don't use PPPOE or PIPEX are not affected, but can still apply the patches.
Links:
http://www.openbsd.org/errata55.html http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/016_pipex.patch.sig http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/017_pppoe.patch.sig
and
http://www.openbsd.org/errata56.html http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/010_pipex.patch.sig http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/011_pppoe.patch.sig
(Comments are closed)
By Sebastian Rother (2a02:810d:700:5d8:e1f5:2543:5350:6acd) on
It would be nice if somebody who is more skilled then me (because I am an idiot and Moron and a Troll... related to Theo) might audit the USB Stack too (USB Fuzzing).
Kind regards,
Sebastian Rother
Comments
By Anonymous Coward (192.35.17.17) on
Just do it and send findings and patches to tech@. Until then, please stop trolling ;-)
Comments
By Sebastian Rother (91.66.45.132) https://www.mercenary-security.com on
>
> Just do it and send findings and patches to tech@. Until then, please stop trolling ;-)
I am deeply sorry for the late answer but to make a long storry short: NO
I once told Henning about a PF Bug and he simply Issued a fix. Sounds great but not so great if you know that other Vendors/Developers/Networks maybe use this code and maybe need time to evaluate the risk....
It was the only "Bug" wich was not "critical" where the notification was Issued via security@ (proof: http://marc.info/?l=openbsd-security-announce&m=123949585205081&w=2 , I was not honored for the finding... nor the notification nor anything.. and Theo and co risked other projects like NetBSD (NetBSD Issues a fix before 5.0, an emergency fix.. back then)... I was told PF "was not enabled by default" back then.... some weeks later it was.. I wonder why... *ahem..*)
I told Theo there are Issues in the IP Stack. judge me by the DATE at this forum (the Post you answered to!) .. afterwards they found some (Impressive, I am a magican... or somebody with too much time to read Code) things they "corrected"... (see CVS dates)
The USB Stack needs help too... (use fuzzers..... magic of the 21th century, yes USB fuzzers do exist!).
So I directed them at a specific part of the OS. I think it's fair enought for such clever guys to find the Bugs.. especialy for the way they communicate with me. :-)