Contributed by jose on from the dual-stack-networking dept.
'It is possible to remotely crash openbsd 3.4 if the host receives icmpv6
and there is a listening tcp port.
quoting de raadt: "it is just a crash."
remote crash which screws the kernel.
unknown whether this may be exploited for code execution.'
More information on http://www.guninski.com/obsdmtu.html
Note that this looks fixed in -current.
By Anonymous Coward () on
[quote] You may not modify it and distribute it or distribute parts
of it without the author's written permission - this especially applies to
so called "vulnerabilities databases" and securityfocus, microsoft, cert
and mitre. [/quote]
Note that I am violating this too ;-)
By Anonymous Coward () on
By Anonymous Coward () on
Personally I haven't used IPv6 much yet so I've either always removed it from kernel on my OpenBSD boxes and/or filter IPv6 traffic that I don't use - yet.
By dude@mung.net () dude-keyword-openbsd.4a3b1a@mung.net on mailto:dude-keyword-openbsd.4a3b1a@mung.net
By Kim () on
By leonYendor () on
More likely you don't know the diff between a root exploit and a crash.
By Anonymous Coward () on
By Anonymous Coward () on
By Ed White () on http://hacking.openbsd.it
OpenBSD comes with too many things enabled by default.
IPv6 is one of those.
I'd suggest providing a GENERIC kernel with basic hardware support and other specific kernels, like NetBSD does (LAPTOP, SMALL, ...).
OpenBSD: open-source, closed-minded.
By Anonymous Coward () on
By kokamomi () on
"IPv6 is one of those."
this attitude is probably the reason we don't have IPv6 everywhere.
how's that for being closed-minded?
By clvrmnky () on http://www.ipv6.org/
Well, if most of us *needed* IPv6, we'd be more inclined to use it.
Providers generally do not support IPv6, and there is little incentive for even largish intranets to use it. There's just no reason to have it "everywhere".
I mean, how many times have we looked at source, a config file, or a man page and seen something that refers to IPv6, and just scanned over it looking for useful information?
While I agree with the sentiment that GENERIC should exclude IPv6, I certainly do not agree with the OP's assertion about close-minded OpenBSD.
By Ed White () on http://hacking.openbsd.it
closed-minded.
They keep dropping patches and ideas.
Most of the time without any explanation.
An example:
http://marc.theaimsgroup.com/?l=openbsd-pf&m=106667232319219&w=2
That's why I don't send diffs, only ideas.
By Chad Loder () on
By asdfg () on
By Ed White () on http://hacking.openbsd.it
IPv6, every sound device, radio, crypto accelerators, joystick, compat_*, lkm, kmemstats.
Also ktrace and ptrace should be removed from a production system.
Every service off by default. Only the SSH daemon, if the user chose that during installation. Also syslogd should be updated or replaced. It still binds on 514 UDP.
By krh () on
As far as syslogd goes, read the code:
    i = recvfrom(pfd[PFD_INET].fd, line, MAXLINE, 0,
        (struct sockaddr *)&frominet, &len);
    if (SecureMode) {
        /* silently drop it */
    } else {
I think it was art who told me that the reason syslogd opens 514/udp is so that it doesn't have to worry about opening and closing it if the configuration file is changed. If you're really that concerned about 514 being open, even if everything is discarded, use pf or hack the source.
By Strog () on
By tedu () on
By Ed White () on http://hacking.openbsd.it
This could be a good thing if everything would be disabled by default with a sysctl, like Compact_* on 3.4.
By tedu () on
By mirabile () on
addresses, only the IPv4 ones... ;-)
By LeonYendor () on
a security erratum
several security errata
Quidquid latine dictum sit, altum viditur.
By Anonymous Coward () on
By Anonymous Coward () on
Carima davilum pest!
OK, enough...