Contributed by jose on from the panic! dept.
This one affected a lot of BSD systems, including OS X. No sense in not patching. It's fixed in 3.3-stable and 3.2-stable. Patches (from errata):
patches/3.3/common/008_arp.patch
patches/3.2/common/021_arp.patch
Update: The advisory is now out.
Date: Mon, 06 Oct 2003 16:45:36 -0600
From: Todd C. Miller
To: security-announce@OpenBSD.org
Subject: ARP-based denial of service attack

Under certain circumstances, an attacker may be able to mount a denial of service attack against a machine by flooding it with bogus ARP requests. This can lead to resource starvation, ultimately resulting in a kernel panic.

The problem was reported by Apple Computer; for more info, see:
http://www.securityfocus.com/bid/8689/discussion

A fix has been committed to the OpenBSD 3.2 and 3.3 -stable branches. Patches are also available for OpenBSD 3.2 and 3.3.

Patch for OpenBSD 3.2:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/021_arp.patch

Patch for OpenBSD 3.3:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/008_arp.patch
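A defender-side check for the condition the advisory describes, as an added example that is not part of the original post or of the OpenBSD patch: it counts ARP requests and distinct sender addresses per one-second window in tcpdump-style text output. The function names, thresholds, and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# tcpdump-style text line for an ARP request (timestamp with fractional seconds).
ARP_REQ = re.compile(
    r"^(\d+):(\d+):(\d+)\.(\d+) ARP, Request who-has ([\d.]+) tell ([\d.]+), length \d+"
)

def parse(line):
    """Return (seconds_since_midnight, target_ip, sender_ip), or None if not an ARP request."""
    m = ARP_REQ.match(line)
    if not m:
        return None
    h, mi, s, frac = m.group(1, 2, 3, 4)
    ts = int(h) * 3600 + int(mi) * 60 + int(s) + float("0." + frac)
    return ts, m.group(5), m.group(6)

def find_arp_floods(lines, window=1.0, max_requests=100, max_senders=50):
    """Return (window_start, request_count, distinct_senders) for windows over either threshold.

    The thresholds are assumed values; tune them to the segment's normal ARP rate.
    """
    buckets = defaultdict(lambda: [0, set()])
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                      # ignore non-ARP traffic and ARP replies
        ts, _target, sender = rec
        bucket = buckets[int(ts // window)]
        bucket[0] += 1
        bucket[1].add(sender)             # many distinct senders suggests spoofing
    return [(idx * window, count, len(senders))
            for idx, (count, senders) in sorted(buckets.items())
            if count > max_requests or len(senders) > max_senders]

def constructed_sample():
    """Constructed capture: normal traffic around one second holding 300 bogus requests."""
    lines = ["12:00:00.100000 ARP, Request who-has 192.0.2.1 tell 192.0.2.20, length 28",
             "12:00:00.200000 IP 192.0.2.20.1234 > 192.0.2.1.80: Flags [S], length 0"]
    for i in range(300):
        lines.append("12:00:01.%06d ARP, Request who-has 192.0.2.10 tell 198.51.%d.%d, length 46"
                     % (i * 1000, i // 250, i % 250 + 1))
    lines.append("12:00:02.500000 ARP, Request who-has 192.0.2.1 tell 192.0.2.21, length 28")
    return lines

if __name__ == "__main__":
    for start, count, senders in find_arp_floods(constructed_sample()):
        print("ARP flood window at %.0fs: %d requests from %d senders" % (start, count, senders))
```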
By Anonymous Coward () on
Then checking from the patch from 3.3 in errata page, the revision doesn't match. Do I still need to patch it? Because I think it will get some errors.
Comments
By Anonymous Coward () on
Therefore, if you're tracking -stable through cvs, you're already patched.
By Nicolas Padilla () on
Not trying to be a troll, but as per the description:
"...an attacker capable of transmitted a large volume of spoofed ARP requests to a target system may be capable of triggering a system panic."
Doesn't that mean that a user within the same network could screw up a system? After all they're ARP requests.
Am I missing something?
l8r,
nicopa