
Re: [rt.debian.org #4573] Re: Bug#717958: kfreebsd-9: CVE-2013-4851: nfsserver

On 28/07/13 20:59, Moritz Muehlenhoff via RT wrote:
> There're also CVE-2012-5365, CVE-2012-5363 and CVE-2011-2393 open
> for kfreebsd-9. Any chance we can fix these along?

It still seems our best option for wheezy is to merely document those
issues, as suggested in http://bugs.debian.org/684072#22 - after which
I'm not sure if we should mark them as 'fixed' in the security tracker
and/or BTS?

A reasonably good mitigation is in OpenBSD and NetBSD but hasn't been
ported to FreeBSD yet.  It looks risky to try doing that ourselves, and
in any case would take a while.  It is still not a perfect solution and
some vendors call it an undefined problem of the IPv6 protocol.

Disabling accept_rtadv by default might help in some cases, but that
seems too intrusive for a stable/security update, in case hosts are
relying on it for their connectivity.  It may be more viable for jessie
(after some changes to ifupdown) and we should pursue that goal.  But
then we should still document the risks in case the user re-enables
accept_rtadv anyway.

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org
