Security Advisory Fixes
* NetBSD-SA2008-004, multiple issues in bzip2 (CVE-2008-1372 and CVE-2005-0953), has been fixed by upgrading bzip2 to 1.0.5.
* NetBSD-SA2008-005, OpenSSH Multiple issues (CVE-2008-1483 and CVE-2008-1657), has been fixed by applying patches from upstream.
* NetBSD-SA2008-006, integer overflow in strfmon(3) function (CVE-2008-1391), has been fixed.
* NetBSD-SA2008-008, OpenSSL Montgomery multiplication (CVE-2007-3108), has been fixed.
* NetBSD-SA2008-009, BIND cache poisoning (CVE-2008-1447 and CERT VU#800113), has been fixed by updating BIND to 9.4.2-P2. Note that there are two related changes accompanying this advisory:
  * The default behavior of ipfilter's Port Address Translation has been changed to random port allocation rather than sequential mappings, so that NAT no longer reduces the randomness of the source ports used for DNS queries; sequential mappings would otherwise make the BIND cache poisoning attack easier.
  * A `query-source' statement, which pinned the query source port and thereby allowed the BIND cache poisoning attack, has been commented out in the default named.conf(5) file.
* NetBSD-SA2008-010, malicious PPPoE discovery packet can overrun a kernel buffer (CVE-2008-3584), has been fixed.
* NetBSD-SA2008-011, ICMPv6 MLD query (CVE-2008-2464), has been fixed.
* NetBSD-SA2008-012, Denial of Service issues in racoon(8) (CVE-2008-3652), has been fixed by upgrading ipsec-tools to release 0.7.1. Note this also fixes CVE-2008-3651.
* upcoming NetBSD-SA2008-013, IPv6 Neighbor Discovery Protocol routing vulnerability (CVE-2008-2476), has been fixed.
* upcoming NetBSD-SA2008-014, remote cross-site request forgery attack issue in ftpd(8) (CVE-2008-4247), has been fixed.
* upcoming NetBSD-SA2008-015, remote kernel panics on IPv6 connections (CVE-2008-3530), has been fixed.
Note: NetBSD-SA2008-007 and advisories prior to NetBSD-SA2008-004 do not affect NetBSD 4.0.
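To illustrate the second change listed under NetBSD-SA2008-009, here is an added named.conf(5) fragment (constructed for this note, not the NetBSD default file) showing the kind of `query-source' statement that is commented out and the setting that takes its place; the interface name and addresses are illustrative:

```conf
// Added example, not the NetBSD 4.0.1 default named.conf.
options {
        directory "/etc/namedb";

        // Weak: pinning the query source port to 53 makes every
        // outgoing recursive query use the same UDP source port, so an
        // attacker only needs to guess the 16-bit transaction ID to
        // inject a forged answer (CVE-2008-1447). This is the line the
        // advisory fix leaves commented out.
        // query-source address * port 53;

        // Fixed: leave the port unspecified so BIND 9.4.2-P2 chooses a
        // random source port for each query. The address may still be
        // pinned if the host is multi-homed.
        query-source address *;
};
```

The first change listed above matters for the same reason: a NAT in front of the resolver that rewrites source ports sequentially would undo this randomization, which is why ipfilter's Port Address Translation now allocates ports randomly by default.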
Other Security Fixes
* Fix a buffer overrun which could crash a FAST_IPSEC kernel.
* tcpdump(8): fix CVE-2007-1218, CVE-2007-3798 and CAN-2005-1278 in base-tcpdump.
* Fix a buffer overflow in the PCF font parser of the X11 libXfont library (CVE-2008-0006).
* Fix a buffer overflow in the Tektronix Hex Format support in binutils (CVE-2006-2362).
* machfb(4) and voodoofb(4): introduce two missing KAUTH_GENERIC_ISSUSER checks in the mmap(2) code.
* Update root.cache to version 2008020400.
* Fix IP packet forwarding code to make sure to send a reasonable fragment size when IPsec is configured.
* Fix a bug in TCP SACK code which causes data corruption.
* Change the rc.d(8) script for amd(8) so that it no longer attempts a graceful shutdown, since that appears to cause problems for more people than the old (also broken) behavior did.
* ftpd(8): fix and reorganize PAM support.
* Pthread support in BIND has been disabled, for future binary compatibility after the removal of scheduler activations.
* Fix a core dump in the gdtoa (conversion between binary floating-point and ASCII string) functions under out-of-memory conditions.
* fxp(4): fix random pool corruption and hang problems.
* wd(4): handle more LBA48 bug quirks on some Hitachi SATA/IDE drives.
* Disable a NULL pointer check in zlib for standalone programs. This fixes errors when loading a gzipped kernel (including installation kernels) on several ports (news68k etc.) whose kernels are loaded at address zero.
* awk(1): bring back an accidentally removed fix to allow escape of a newline in string literals.
* Fix compilation of native sh3 gcc on 64-bit build machines.
* Fix an internal compiler error when compiling for m68k softfloat or m68010 targets on 64-bit build machines.
* zgrep(1): make `-h' option (suppress filenames on output when multiple files are searched) actually work.
* Fix a parallel build failure when building the hpcarm, hpcmips and hpcsh releases.
* acorn32: fix a bootloader problem on some RiscPCs.
* Add a workaround to avoid a panic when probing a multi-function PCI device in the Qube's PCI slot.
* Fix a bug in the interrupt handler which caused the network to freeze if more than one interface was in use.
* hp700: fix potential kernel / userland memory corruption in copyinstr(9) and copyoutstr(9).
* sparc64: fix a bug in locore.s which causes unexpected behavior.
* sun3: fix a bug which might cause an occasional panic during boot.
* vax: make the syscall handler use the proper copyin(9) function when parsing syscall arguments.