Article

Open Source BSD-Related CERT Announcements

Michael Lucas

Note: This list does not include all of the various CERT announces related to Sendmail versions shipped with any BSD. For those, you need to be tracking a recent Sendmail version.

The short answer to patching security holes is: upgrade to the latest stable or release version of your BSD.

In addition to the CERT advisories, each BSD issues its own security advisories. These security advisories include issues for which no CERT advisory is released. You can find project-specific advisories at:

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/
http://www.netbsd.org/Security/advisory.html
http://www.openbsd.org/security.html

CERT Advisories

CA-95:14.Telnetd_Environment_Vulnerability
FreeBSD: upgrade to 2.1.7-stable
NetBSD: upgrade to 1.1

CA-96.08.pcnfsd
FreeBSD: upgrade pcnfsd, or apply patch

ftp://ftp.FreeBSD.ORG/pub/FreeBSD/FreeBSD-current/ports/net/ \
  pcnfsd/patches/patch
-ad

CA-96.12.suidperl_vul
FreeBSD: see fixes available at:

ftp://freebsd.org/pub/CERT/patches/SA-96:12/

CA-96.14.rdist_vul
FreeBSD: upgrade to 2.1-stable or 2.2-stable

CA-97.04.talkd
FreeBSD: ftp://freebsd.org/pub/CERT/patches/SA-96:21

CA-97.06.rlogin-term
FreeBSD: upgrade to 2.1-stable, or apply patch given in CA-97.06.rlogin-term
NetBSD: upgrade to 1.2

CA-97.11.libXt
All: upgrade to X11R6.3 or better

CA-97.13.xlock
All: upgrade to xlockmore 4.02 or better

CA-97.14.metamail
All: upgrade to latest metamail

CA-97.16.ftpd
FreeBSD: upgrade to 2.2-stable or greater
NetBSD: versions earlier than June 1997 vulnerable, patch available at:

ftp://ftp.netbsd.org/pub/NetBSD/misc/security/19970123-ftpd

OpenBSD: version 2.0 vulnerable, upgrade to 2.1 or better

CA-97.19.bsdlp
FreeBSD: upgrade to 2.1-stable or 2.2.-stable

CA-97.23.rdist
FreeBSD: 2.1.0 is vulnerable, upgrade to 2.1-stable or better

CA-97.27.FTP_bounce
FreeBSD: upgrade to 2.2.0 or better NetBSD: no patches available for 1.2.1 or prior, but NetBSD ftpd at:

ftp.netbsd.org:/pub/NetBSD/NetBSD-current/src/libexec/ftp

should work on a vulnerable NetBSD machine

CA-98.01.smurf
All: set sysctl MIB net.inet.icmp.bmcastecho to 0.

CA-98.05.bind_problems
All: upgrade to latest BIND

CA-98.10.mime_buffer_overflows
All: upgrade to latest mutt or pine

CA-98.13.tcp-denial-of-service
FreeBSD: upgrade to 2.2.8 or better
OpenBSD: for 2.3, see: www.openbsd.org/errata23.html#tcpfix
for 2.4, see: www.openbsd.org/errata.html#tcpfix

About the Author

Michael Lucas is an independent networking, security, and FreeBSD consultant. He previously worked for Verio, AGIS, and Oakland University. He lives in Detroit, Michigan with his wife Liz, four gerbils, and assorted fish. He can be reached at mwlucas@exceptionet.com.