OpenBSD Journal

Patch 006: PF Normalization

Contributed by jose on from the whoops dept.

An Anonymous Coward reminded me of a patch that has been issued for 3.3 but not listed as an advisory yet. Patch 006 (for 3.3) has been issued which fixes up fragment handling in the PF normalization code. This has also been applied to the 3.2 stable branch as patch 019. Fix up your firewalls, folks. This appears to be a reliability fix, eliminating a DoS condition.


Comments
  1. Comments
    1. By netchan () deadly@netchan.cotse.net on mailto:deadly@netchan.cotse.net

      It seems so:
      http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_norm.c?only_with_tag=HEAD

    2. By Anthony () on

      If they had to announce every change in current...

      Comments
      1. By bolo () on mailto:dasnyderx@NOSPAMyahoo(point)com

        If they had to announce every change in current...

        No, they shouldn't (and don't have to) announce every change in -current. But, I would point out that:

        1) This is an "advisory" for 3.2 and 3.3.
        2) There is no mention for -current (or the forthcoming 3.4).
        3) The "advisory" was important enough that it rated a mention on deadly.

        Therefore -- it would follow from someone more inquiring than some people -- is this fix applied to -current? "netchan", unlike some people, was kind enough to supply the answer above. Thank you, netchan.

        Comments
        1. By entity () on

          well, current is not a maintained released tree, so there is no advisory since the people using it should be a bit more "into it" than the normal users, this is of course not always the case, and there are both daily and weekly summaries of what changes are made in current. my 2 cents..

    3. By Anonymous Coward () on

      Yes. If it makes it into -stable, it will be in -current (or else it doesn't apply to -current)

  2. By Wouter () on

    Could someone explain why this patch didn't make it to the errata.html? And why hasn't an advisory been sent out?

    Comments
    1. By Martin Foster () martin@ethereal-realms.org on http://www.erealms.org

      Or why it's no longer on the FTP sites for either 3.2 or 3.3?

      Comments
      1. By Justin () on

        Sure, behold the power of the mailing list:

        http://marc.theaimsgroup.com/?l=openbsd-misc&m=106523413529618&w=2

        Comments
        1. By Anonymous Coward () on

          i'd still like to know if there's a problem with pf ... and if so, why they haven't fixed it again...

          Comments
          1. By Anonymous Coward () on

            It was fixed long before you started whining, in all supported -stable branches, although the patch wasn't released yet, it was already in cvs -rOPENBSD_3_2 and -rOPENBSD_3_3.
            And let me remind you that not everything that goes to -stable makes errata (though this was not the case).

      2. By Anonymous Coward () on

        Apparently some rules weren't followed and the patch was pulled...

  3. By Anonymous Coward () on

    the patch 006 for pf isn't on the ftp server..

    Comments
    1. By Anonymous Coward () on

      yeah... i dl'd the patch and applied it, and now this morning it's not there any more....

      Comments
      1. By Anonymous Coward () on

        This is why...

        -----------------------------------------------
        Date: Fri, 03 Oct 2003 20:17:03 -0600
        From: Theo de Raadt
        Subject: The new pf errata
        Sender: owner-misc@openbsd.org
        To: misc@cvs.openbsd.org

        The new pf errata have been deleted. Since no proper errata was
        written up about them, they are not allowed to be made available.

        If I find that to be the case for other patches, I will do the same.

        Making a patch available is a process that has to be followed.

        I will not put up with it being done in such a sloppy way anymore.

        I do not know who was so irresponsible, but I think it was Daniel.
        However, that is just not how it is done. We have a process that
        lets users become aware.

        I hate that the process is so complicated. I hate that some idiots
        out there whine when it is not followed for shit they think matters,
        which does not. But when it is done incorrectly for stuff that DOES
        matter, I will take control.

        Those patches are now gone. When whoever did this wrong decides
        to stand up and do this right, new patches will show up.
        -----------------------------------------------

        Theo's been on fire on misc@ in the last 48 hours...

        Comments
        1. By Anonymous Coward () on

          That man has some serious anger management issues.

  4. By MechaDragon X () mdxNO@SPAMixai.org on mailto:mdxNO@SPAMixai.org

    For those of you that were wondering, it appears that the patches are back up, and the patches 008_arp.patch for 3.3 and 021_arp.patch for 3.2 are added as well.

  5. By Anonymous Coward () on

    The patch wasn't on errata yesterday but suddenly:
    006: SECURITY FIX: September 24, 2003

    The 1 of October there wasn't any patch 008 on the errata but today it says:
    008: RELIABILITY FIX: October 1, 2003

    Why not use the real date?
    Maybe it should appear that it was fixed and released before it actually was?

    Comments
    1. By Anonymous Coward () on

      It was fixed on those dates on cvs.
      The errata date is not the date of its release.
