Subject: Re: Update 1.5.2 -> 1.6
To: None <netbsd-help@netbsd.org>
From: Jeremy C. Reed <reed@reedmedia.net>
List: netbsd-help
Date: 09/16/2002 10:26:47
On Mon, 16 Sep 2002, Sam Carleton wrote:
> Just wondering, why do you HAVE to upgrade?
1.5.2 is a little old and several security issues have been fixed since it
came out:
- Remote buffer overflow vulnerability in BSD Line Printer Daemon
- gzip buffer overrun with long filename
- local and remote root exploit - Off-by-one error in openssh session
- potential buffer overflow in libc DNS resolver
- remotely exploitable buffer overruns in OpenSSL (and ASN1 issue)
- exploitable race condition in pppd
- possible remote root exploit with RPC services (XDR decoder buffer
overflow)
So that is one reason to upgrade.
Also, it is a good idea to stay reasonably recent (at least 1.5.3 with
security updates), because it often becomes harder and harder for further
updates.
Jeremy C. Reed
p.s. If anyone is still running 1.5.2/i386 and wants to try binary
updates, let me know off-list.